Hi,
In a VDOM used to proxy client requests (it acts as a proxy server on 8080), DNS filter is enabled in feature visibility but is not displayed in the proxy policies (everything else is there: WAF, IPS, Web, ...); DNS filter is not present.
In the other VDOMs, such as the VDOM linked to the one mentioned above which has direct Internet access, DNS filter is present, but as I said, in the proxy policies of our proxy VDOM serving client requests it is not present.
Thanks in advance for your help
Regards
Created on 07-14-2022 07:03 AM Edited on 07-14-2022 07:08 AM
It is not that FortiOS explicit proxy doesn't support it, it is that proxy clients do not pass their DNS requests through the proxy. They don't resolve the FQDNs of websites requested through the proxy at all.
When a proxy client wants to connect to www.example.com through the proxy, it does not do any DNS lookup, it directly sends a request to the proxy:
GET http://www.example.com
or
CONNECT https://www.example.com
The DNS lookup is then handled by the proxy itself (so the proxy can connect to the desired server to facilitate the connection).
Feel free to install Wireshark on a test client of yours to verify this client behaviour yourself. Focus on DNS traffic (UDP/53) and proxy traffic (by default TCP/8080 in FortiOS, but maybe you changed it).
As such, try using a webfilter profile in the proxy policy, making sure you're blocking the "Malicious Websites" category. I'm not sure if this is 100% the case, but I have checked a handful of FQDNs from the botnet list, and they were all categorized as "Malicious Websites" by the FortiGuard webfilter rating.
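To make the point in the reply above concrete, here is an added example (my own illustration, not code from the thread or from Fortinet). It starts a tiny fake "proxy" on 127.0.0.1 that only records the first request line it receives, then drives Python's http.client at it the way a proxy-aware browser would, once with a plain-HTTP GET and once with a CONNECT for HTTPS. socket.getaddrinfo is wrapped so you can see which names the client itself resolves. The hostname www.example.com is just a placeholder; nothing is ever sent to it, and no real DNS query for it is made.

```python
"""Show what a proxy-aware HTTP client actually sends to an explicit proxy.

Added example, not part of the original forum thread. A fake proxy on
127.0.0.1 captures the request line; socket.getaddrinfo is wrapped so we
can see every name the *client* asks its resolver for. www.example.com is
only an illustration and is never contacted.
"""
import http.client
import socket
import threading

resolved_names = []            # every host the client itself tried to resolve
_real_getaddrinfo = socket.getaddrinfo


def _logging_getaddrinfo(host, *args, **kwargs):
    resolved_names.append(host)
    return _real_getaddrinfo(host, *args, **kwargs)


socket.getaddrinfo = _logging_getaddrinfo


def run_fake_proxy():
    """Listen once on 127.0.0.1, capture the request line, answer 200 OK.

    A real proxy would now resolve the FQDN from that request line and
    open the onward connection; that is exactly the lookup the client
    never performs.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    captured = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:      # read until end of headers
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            captured["request_line"] = data.split(b"\r\n", 1)[0].decode()
            # Content-Length 0 so http.client returns immediately.
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return srv.getsockname()[1], captured, t


def proxied_get(fqdn):
    """Plain HTTP via proxy: the absolute URI, FQDN included, goes in the request line."""
    port, captured, t = run_fake_proxy()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", f"http://{fqdn}/")
    conn.getresponse().read()
    conn.close()
    t.join(5)
    return captured["request_line"]


def proxied_connect(fqdn):
    """HTTPS via proxy: CONNECT fqdn:443; the client resolves nothing but the proxy."""
    port, captured, t = run_fake_proxy()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.set_tunnel(fqdn, 443)
    conn.connect()             # sends only the CONNECT and reads the 200
    conn.close()
    t.join(5)
    return captured["request_line"]


def client_resolved(fqdn):
    """True if the client itself called the resolver for fqdn."""
    return fqdn in resolved_names


if __name__ == "__main__":
    print(proxied_get("www.example.com"))
    print(proxied_connect("www.example.com"))
    print("client resolved www.example.com:", client_resolved("www.example.com"))
    print("names the client did resolve:", sorted(set(resolved_names)))
```

Run it and you will see the only name the client resolves is the proxy address itself, which is why a DNS filter profile on the proxy policy has no UDP/53 traffic from the client to inspect; the same thing the Wireshark capture suggested above would show.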
Hi
DNS filter is not supported with Explicit Proxy. We can see the supported features in the following documentation.
Thanks
Richard
Hi,
I cannot figure out why this is not supported. The device is working as a proxy and does the DNS query task, so it can do the filtering. Am I wrong here?
With explicit proxy, the FortiGate would be doing the DNS lookup and not the client. So a policy to scan DNS requests traversing the firewall wouldn't make sense.
Sorry for making it long, but I still don't get why it's not possible anyway. Let's assume the client is requesting xyz.net, which is a C&C, and there is a DNS filter on the policy. When the FortiGate is serving the request, it finds the DNS filter rule enabled and checks whether the IP is in the botnet database, so it answers with the portal or any configured address. I know it sounds strange and not straightforward, but it seems feasible to implement.
Created on 07-11-2022 10:24 AM Edited on 07-11-2022 10:26 AM
Firstly, I cannot comment precisely on why something is a feature or not.
I believe the scenario you refer to would be possible with a workaround. One example would be to use a second VDOM for the DNS filtering.
I did this, but I'm not sure if you meant exactly the way I went.
I created a second VDOM, made a VDOM link and forced the proxy requests to go to the second one, which is connected and NAT'ed directly.
Then I defined a policy for the second one including DNS filter.
Not so customizable and selective, but anyway it works for all the requests.
What do you think about the solution?
Created on 07-12-2022 12:02 AM Edited on 07-12-2022 12:03 AM
Yes, this is the solution I was referring to.
As always, it should be thoroughly tested to ensure it meets your needs.
Thanks, and BTW,
what if we use the device itself as the DNS server? Does the FortiGate apply DNS filtering rules when fetching results from its upstream servers (or is it possible to configure it to do so)?
Created on 07-12-2022 03:22 AM Edited on 07-12-2022 06:03 AM
Basically, the request has to pass through a firewall policy. If it passes through another VDOM, it will have to pass through another policy, and DNS filter can be applied. If it goes out directly to the Internet from the VDOM, it will not have to match a policy, and therefore you cannot apply the DNS profile.