Hello everybody,
I'm working on a Fortigate 60E with FortiOS 7.2.8.
I have a doubt about how the UTM works:
Let's focus on DNS Queries.
As you can see, in the last 24 hours, there is no security issue, but only some "Redirect" (that I think are not a problem, correct me if I'm wrong).
Let's for example check one of these records:
date=2024-07-23 time=08:58:28 id=7394722112100892677 itime="2024-07-23 08:58:29" euid=1027 epid=1031 dsteuid=3 dstepid=101 logver=702081639 type="utm" subtype="dns" level="warning" action="redirect" sessionid=6043965 policyid=6 srcip=10.1.10.11 dstip=192.168.1.1 srcport=63422 dstport=53 proto=17 cat=61 logid=1501054803 unauthuser="xyz" fctuid="1A9AD3B2A9C5591F86609B1EC67358B3" eventtime=1721717908456556239 xid=33024 qtypeval=28 srcintfrole="lan" dstintfrole="wan" ipaddr=xyz srcintf="NTD FNet WiFi" dstintf="wan1" profile="dns_exempt" srcmac="5c:e9:1e:a9:95:b2" qname="js.srvtrck.com" qtype="AAAA" qclass="IN" catdesc="Phishing" unauthusersource="forticlient" eventtype="dns-response" msg="Domain belongs to a denied category in policy" tz="+0200" policytype="policy" srccountry="Reserved" dstcountry="Reserved" poluuid="67bbad66-d1b1-51ee-0ba8-5ba3e058aba7" devid="FGT60FTK23099PH2" vd="root" dtime="2024-07-23 08:58:28" itime_t=1721717909 devname="ntd-fg"
If I check from the Forward Traffic view, I can see a lot of DNS traffic blocked:
date=2024-07-23 time=08:59:48 id=7394722451403309065 itime="2024-07-23 08:59:48" euid=1027 epid=1031 dsteuid=3 dstepid=101 logflag=67 logver=702081639 type="traffic" subtype="forward" level="notice" action="accept" utmaction="block" policyid=6 sessionid=6041728 srcip=10.1.10.11 dstip=192.168.1.1 transip=192.168.1.4 srcport=59379 dstport=53 transport=59379 trandisp="snat" duration=180 proto=17 sentbyte=60 rcvdbyte=90 sentpkt=1 rcvdpkt=1 logid=0000000013 unauthuser="a.marzo" srcname="xyz" service="DNS" app="DNS" appcat="Network.Service" fctuid="1A9AD3B2A9C5591F86609B1EC67358B3" srcintfrole="lan" dstintfrole="wan" srcserver=0 appid=16195 apprisk="elevated" policytype="policy" channel=136 eventtime=1721717988236231019 countdns=1 poluuid="67bbad66-d1b1-51ee-0ba8-5ba3e058aba7" srcmac="5c:e9:1e:a9:95:b2" mastersrcmac="5c:e9:1e:a9:95:b2" srccountry="Reserved" dstcountry="Reserved" srcssid="xyz" srcintf="NTD FNet WiFi" dstintf="wan1" unauthusersource="forticlient" applist="default" radioband="802.11ax-5G" policyname="WiFi to WAN" ap="FP231FTF23069003" apsn="FP231FTF23069003" hostname="js.srvtrck.com" catdesc="Phishing" tz="+0200" signal=-60 snr=35 srcremote=79.10.64.49 devid="FGT60FTK23099PH2" vd="root" utmref="BAQACAAEAAABvCgCAADBUn2YwVJ9m" dtime="2024-07-23 08:59:48" itime_t=1721717988 devname="ntd-fg"
So, my question is:
If there are no issues in the DNS Queries security events, why is there a lot of blocked DNS traffic in the Forward Traffic section? Should I worry about this blocked traffic? Why is this happening?
Hi Raffaeldp,
Thank you for your input. The "redirect" action is a block action as far as I know. When the forward traffic action is "Deny UTM blocked", it therefore makes sense that the URL is being blocked by UTM in the forward traffic logs:
https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/572589/configuring-a-dns-fil...
Thank you,
saleha
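To see the two records as one event, here is an added Python example (not from the thread or from Fortinet) that parses FortiOS key=value log lines, treats the DNS filter's "redirect" verdict as a block alongside "block", and joins UTM DNS-filter entries with forward-traffic entries carrying utmaction="block" per client and domain. The sample log lines are constructed and shortened from the fields shown in the post.

```python
import re

# FortiOS logs are space-separated key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_fortilog(line):
    """Parse one FortiOS log line into a dict with quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

# For the DNS filter, "redirect" is a block: the client receives the block-portal
# address instead of the real answer, so it counts the same as "block" here.
DNS_BLOCK_ACTIONS = {"block", "redirect"}

def is_blocked_dns(rec):
    """True for a UTM DNS verdict that blocks, or a forward-traffic DNS session blocked by UTM."""
    if rec.get("type") == "utm" and rec.get("subtype") == "dns":
        return rec.get("action") in DNS_BLOCK_ACTIONS
    if rec.get("type") == "traffic" and rec.get("service") == "DNS":
        return rec.get("utmaction") == "block"
    return False

def summarize_dns_blocks(lines):
    """Join UTM DNS-filter verdicts with forward-traffic UTM blocks per (srcip, domain)."""
    summary = {}
    for line in lines:
        rec = parse_fortilog(line)
        if not is_blocked_dns(rec):
            continue
        domain = rec.get("qname") or rec.get("hostname")  # qname in UTM logs, hostname in traffic logs
        entry = summary.setdefault((rec.get("srcip"), domain),
                                   {"utm_dns": 0, "forward_traffic": 0, "category": rec.get("catdesc")})
        entry["utm_dns" if rec["type"] == "utm" else "forward_traffic"] += 1
    return summary

# Constructed sample lines, trimmed to the fields the correlation needs.
SAMPLE_LOGS = [
    'type="utm" subtype="dns" level="warning" action="redirect" policyid=6 srcip=10.1.10.11 '
    'dstip=192.168.1.1 dstport=53 profile="dns_exempt" qname="js.srvtrck.com" qtype="AAAA" '
    'catdesc="Phishing" msg="Domain belongs to a denied category in policy"',
    'type="traffic" subtype="forward" level="notice" action="accept" utmaction="block" policyid=6 '
    'srcip=10.1.10.11 dstip=192.168.1.1 dstport=53 service="DNS" hostname="js.srvtrck.com" '
    'catdesc="Phishing" policyname="WiFi to WAN"',
    'type="traffic" subtype="forward" level="notice" action="accept" utmaction="allow" policyid=6 '
    'srcip=10.1.10.11 dstip=192.168.1.1 dstport=53 service="DNS" hostname="example.com"',
]

if __name__ == "__main__":
    for (src, domain), counts in summarize_dns_blocks(SAMPLE_LOGS).items():
        print(f"{src} -> {domain}: {counts}")
```

A domain that appears once under utm_dns and once under forward_traffic is a single blocked lookup logged twice, which is the pattern in the question.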