Article Id 192151

This article describes how to configure a static DNS filter (domain filter) that allows or blocks specific domains.

There are three types of URL entry that can be defined.

1) Simple: a simple URL filter entry is a regular URL.
For example:
- URL:
- URL:

2) Wildcard: a wildcard can be used to extend a simple URL so that it covers one or more URLs.
For example:
- URL: * (everything before "" will match this rule, like
- URL: * (everything after "" will match this rule, like

3) Regular expressions (regex): a regex entry matches one or more URLs (related or unrelated to one another) against a pattern written in Perl-style syntax.
For example:
- '*' symbol means: match the character before the symbol zero or more times; on its own it does not match any other character.

For example: 'fortinet*.com' will match '' but not ''.
'/i' modifier means: makes the pattern case sensitive.

For example: '/FORTINET/i' will not match 'fortinet'.
'^' symbol means: match at the beginning of the string.

For example: '^fo' will match ''.

'.' symbol means: match any single character (the same as or different from the one before the symbol), followed by the rest of the pattern.

For example: '' will match 'fortinetacom', 'fortinetbcom', 'fortinetzcom'.

Configuring a domain filter.

From the GUI.

1) Go to Security Profiles -> DNS filter.
2) Select a profile to edit.
3) Under Static Domain Filter, select the 'Domain Filter' checkbox, then select 'Create New'.
4) Enter the URL without the 'http' scheme, for example: www.example*.com.
5) Select a Type: Simple, Regular Expression, or Wildcard. In this example, select 'Wildcard'.
6) Select the action to take against matching URLs: redirect to block portal, allow or monitor.
7) Select 'Enable'.
8) Select 'OK'.


From the CLI.

# config dnsfilter domain-filter
    edit <ID>
        set name <name>
        config entries
            edit <ID>
                set domain <domain>
                set type <simple/regex/wildcard>
                set action <block/allow/monitor>
                set status <enable/disable>
            next
        end
    next
end


If the action is set to 'Redirect to Block Portal' for a domain, an 'nslookup' for that domain returns the redirect portal IP; this is the FortiGuard default address when the redirect portal IP in the DNS filter profile settings is left at its default.
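As an added illustration (not FortiOS code and not from the article), the following Python model evaluates queried names against a static domain-filter table of the shape shown in the CLI block, using the three entry types and the '*', '^' and '.' regex behaviours described in the regex section above. The matching semantics it assumes (entries tried in ID order, first enabled match wins, exact match for 'simple', '*' in a wildcard entry standing for any run of characters) are assumptions of the model, not confirmed FortiGate behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a FortiGate static domain-filter table (not FortiOS code).
# Assumed semantics: entries are tried in ID order and the first enabled match
# wins; 'simple' is an exact, case-insensitive domain match; in 'wildcard'
# entries '*' stands for any run of characters (possibly empty); 'regex'
# entries are Perl-style patterns searched anywhere in the name, so '^' anchors.

@dataclass
class Entry:
    id: int
    domain: str
    type: str       # simple | regex | wildcard
    action: str     # block | allow | monitor
    status: str = "enable"

def matches(entry: Entry, qname: str) -> bool:
    """True if the queried name matches this entry's domain pattern."""
    name = qname.lower().rstrip(".")
    if entry.type == "simple":
        return name == entry.domain.lower()
    if entry.type == "wildcard":
        # Escape literal parts, expand each '*' to '.*', anchor both ends.
        parts = [re.escape(p) for p in entry.domain.lower().split("*")]
        return re.match("^" + ".*".join(parts) + "$", name) is not None
    if entry.type == "regex":
        return re.search(entry.domain, name) is not None
    raise ValueError(f"unknown entry type: {entry.type}")

def lookup(table: List[Entry], qname: str) -> Optional[str]:
    """Action of the first enabled entry matching qname, or None if no match."""
    for entry in sorted(table, key=lambda e: e.id):
        if entry.status == "enable" and matches(entry, qname):
            return entry.action
    return None

# Constructed sample table covering the three entry types from the article.
TABLE = [
    Entry(1, "www.example.com", "simple", "allow"),
    Entry(2, "*.example.com", "wildcard", "block"),      # subdomains only here
    Entry(3, "fortinet*.com", "regex", "monitor"),       # '*' repeats only the 't'
    Entry(4, "^fo", "regex", "block"),                   # '^' anchors at the start
    Entry(5, "fortinet.com", "regex", "block", "disable"),  # '.' = any character
]

if __name__ == "__main__":
    for q in ["www.example.com", "mail.example.com", "fortinet.com", "fortinetacom"]:
        print(f"{q:18} -> {lookup(TABLE, q)}")
```

Entry 5 shows why an unescaped '.' in a regex entry is broader than the literal domain: it matches 'fortinetacom' as well as 'fortinet.com', so escape the dot when a literal is intended.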