Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

DNS deny

Hi, I after upgrade of FGT60D to 5.2.2. policy is behaving very strange, at least one...

For example I have policy ACCEPT from internal (LAN) to WAN for service ALL .. in short to internet. Now after upgrade http/https is not working, but for example Skype is working normally. So I figured it out that there is something wrong with DNS. So I made new policy just for DNS and now http/https is working.


So my question is why is this necessary after upgrade!? Is it not enough to use SERVICE "ALL"!?



Esteemed Contributor III

Is that a user authenticated policy? DNS used to be allowed implicitly on IBP but is not in v5.2.


"Kernel panic: Aiee, killing interrupt handler!"
New Contributor

No it is not user authenticated policy just from one to another interface ... if I use for service "ALL_TCP" and "ALL_UDP" under "GENERAL" everything is working, just not "ALL" ....


It have a bug.


Please check it with CLI:show  full firewall  service  custom  ALL

New Contributor

I confirm a similar issue with the same build of FortiOS on a FortiWifi 60C.


In our case, on this specific FortiWifi, we also have a policy that allows all outbound traffic from an internal network to the Internet on all ports/protocols (using the ALL service). Until the update to the 5.2 branch, there was no issues with this rule. After the update to the latest release, users began reporting issues with their Internet access. In the logs, we have seen there were many entries about denied DNS requests and labeled with a threat level of "high", which is rather strange.


After 2 hours of trial and error and some "googling", we have added a new policy that explicitly accepts outbound DNS requests. And then the Internet connectivity was back. We have later refined the rule to only add those services really needed.


Cindy B.







i have the same issue with "Deny: DNS error Fortigate" error.

But even when i added the policy for outbound requests DNS, i have the same error on forward traffic.

so if there are same news about any solutions on this issue please let me know.


I have : FORTIGATE 60D with 5.4 build





Hi Houssem.Alios!

Did you try to enable "Allow and log DNS traffic" under the Application Control Security Profile?





Valued Contributor III

As I recall, there was something with the 'all' user object during the upgrade. Something had to be changed from IP=0 to IP=6 (or something similar). Looking for the post now.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:


It's mentioned in KB FD36247, though vaguely recall the discussion Bob is referring to, though can't seem to find that post either.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Esteemed Contributor III

@Bob: the 'ALL' service was changed from 'protocol 0' to 'protocol 6' during an upgrade to 5.0.x by an internal script. So, udp, icmp and other protocols were blocked afterwards, tcp not.

And a DNS request is...udp/53. So if you block udp, DNS resolution will fail.


"Kernel panic: Aiee, killing interrupt handler!"