FortiGate
lgupta
Staff
Article Id 416561
Description

This article describes how to enable and display logs related to local-out DNS traffic. 

Scope

FortiGate v7.6.0+.
Solution

Logging for local-out DNS traffic can only be enabled by the CLI. However, the logs can be displayed via the GUI and CLI.

To enable logging for local-out DNS queries, run:

config system dns
    set log {disable | error | all}
end

  • disable: Disable local-out DNS logging (the default).
  • error: Log only local DNS errors.
  • all: Log all local DNS traffic.

By default, logging for local-out DNS traffic is disabled. Once the log settings under 'config system dns' are set to error or all, logs are visible:


Via GUI:

  1. Navigate to Logs and Reports -> Security Events.
  2. Select the Logs Tab from the top, and from the drop-down menu, select DNS Query.
Via CLI:

Run the following commands:

exe log filter category 15
exe log display

Example:

Create a new FQDN address object. The FortiGate resolves the FQDN itself, which generates local-out DNS traffic:

config firewall address
    edit "dns_log_test"
        set type fqdn
        set fqdn "fortinet.ca"
    next
end

Display the local-out DNS log via CLI:
FGT_test# exe log filter category 15
FGT_test# exe log display
date=2025-10-22 time=11:26:25 eventtime=1756405585231183935 tz="-0700" logid="1501054805" type="utm" subtype="dns" eventtype="dns-response" level="information" vd="root" policyid=0 sessionid=0 srcport=0 srcintf="unknown-0" srcintfrole="undefined" dstip=96.45.45.45 dstport=53 dstcountry="United States" dstintf="unknown-0" dstintfrole="undefined" proto=17 xid=44 qname="fortinet.ca" qtype="A" qtypeval=1 qclass="IN" ipaddr="3.33.139.32" action="pass"
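The following Python example is added here and is not part of the article or of any Fortinet tooling: it parses the key=value record format shown above, keeps only the local-out DNS records (policyid=0 and sessionid=0, as in the record above), and flags responses that came from a resolver other than the expected one or whose action is not pass. The sample records are constructed from the line above, and the expected resolver 96.45.45.45 is an assumption.

```python
import re
from typing import Dict, List, Set

# FortiGate records are space-separated key=value pairs; values may be quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log line into a dict, stripping value quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def is_local_out_dns(rec: Dict[str, str]) -> bool:
    """Local-out DNS records are utm/dns records with no policy or session
    (policyid=0, sessionid=0): traffic the FortiGate itself originated."""
    return (rec.get("type") == "utm" and rec.get("subtype") == "dns"
            and rec.get("policyid") == "0" and rec.get("sessionid") == "0")

def review_local_out_dns(lines: List[str], expected_resolvers: Set[str]) -> List[Dict[str, str]]:
    """Summarise each local-out DNS record, flagging an unexpected resolver
    (dstip not in expected_resolvers) and any action other than pass."""
    out = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if not is_local_out_dns(rec):
            continue
        flags = []
        if rec.get("dstip") not in expected_resolvers:
            flags.append("unexpected-resolver")
        if rec.get("action") != "pass":
            flags.append("action-" + rec.get("action", "unknown"))
        out.append({"qname": rec.get("qname", ""), "dstip": rec.get("dstip", ""),
                    "answer": rec.get("ipaddr", ""), "flags": ",".join(flags)})
    return out

# Constructed samples: the article's record (trimmed), a made-up local-out record
# answered by another resolver, and a forwarded-traffic record that must be ignored.
SAMPLE_LINES = [
    'date=2025-10-22 time=11:26:25 type="utm" subtype="dns" eventtype="dns-response" level="information" vd="root" policyid=0 sessionid=0 dstip=96.45.45.45 dstport=53 dstcountry="United States" proto=17 xid=44 qname="fortinet.ca" qtype="A" qclass="IN" ipaddr="3.33.139.32" action="pass"',
    'date=2025-10-22 time=11:27:01 type="utm" subtype="dns" eventtype="dns-response" level="warning" vd="root" policyid=0 sessionid=0 dstip=198.51.100.9 dstport=53 proto=17 xid=45 qname="example.test" qtype="A" qclass="IN" action="block"',
    'date=2025-10-22 time=11:27:05 type="traffic" subtype="forward" policyid=3 sessionid=1001 dstip=96.45.45.45 dstport=53 action="accept"',
]
```

Calling review_local_out_dns(SAMPLE_LINES, {"96.45.45.45"}) returns one row per local-out record; the second row carries the flags unexpected-resolver,action-block, while the forwarded-traffic record is skipped.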