FortigateUser1
New Contributor II

Easiest way to allow website through web filter and DNS filter simultaneously?

We have recently switched to Fortigate. I'm trying to figure out what the best process is to unblock a website when it is blocked by both the web filter and DNS filter categories. The Fortigate is running FortiOS v7.0.12.


First idea was to use a custom web filter category to allow websites through the web filtering, but the DNS filtering still blocks the websites if they match both filters. The only option I can find would be to also enter the website in the DNS filter static entries. This feels a bit cumbersome to have to maintain two identical lists.


My next thought was to create a firewall policy using an address group with allowed websites. I turned off the web filter and DNS filter security profiles on the policy. I also made sure the policy was at the top of the list. Despite this the traffic is still getting caught by both the web filter and DNS filter. I'm not sure why or if this is some kind of bug? I can see that the policy is matching the traffic in the logs. It's like the traffic is going through the first rule, but still being filtered by another rule that it would match further down the list.

FortigateUser1
New Contributor II

It appears that the policy method is failing due to the Fortigate only resolving wildcard FQDN address objects when they are used. Thus, the policy that is meant to allow the traffic is skipped because the address isn't resolved yet and goes on to the next policy which blocks it. This means wildcard addresses can't be used to unblock websites from DNS filtering.

pavankr5
Staff

Hello,

Regarding your observation that wildcard FQDN address objects aren't resolved until they're actually used in a policy, you're correct.

The FortiGate resolves the wildcard FQDN addresses when they are referenced in a policy, which might be causing the issue you're facing.


One possible workaround is to create explicit address objects for the websites you want to allow through DNS filtering. This helps in situations where the FortiGate doesn't resolve wildcard FQDN addresses preemptively.

hamidch
New Contributor

To allow a website through both the web filter and DNS filter on Fortigate running FortiOS v7.0.12, the best way is to add the website to a custom web filter category and then also add it to the DNS filter static entries. This makes sure the website is allowed by both filters. It might seem like a hassle to maintain two lists, but it ensures the website gets unblocked properly. You can also try creating a firewall policy with an address group of allowed websites, and make sure this policy is at the top of the list with web and DNS filters turned off. However, if the website is still blocked, it might be due to another rule in the list. By the way, it's like choosing the right pair of soft yoga leggings to ensure comfort and flexibility in all situations.
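The thread's working answer is to keep the same domains in both a web filter list and a DNS filter static list. The script below, an added example that is not from this thread or from Fortinet, generates both FortiOS CLI tables from one de-duplicated allow-list so the two lists cannot drift apart; the CLI layout follows FortiOS 7.0 `config webfilter urlfilter` / `config dnsfilter domain-filter` as the author recalls it, and the table ID, table name and sample domains are assumed placeholders.

```python
"""Emit matching FortiOS web-filter and DNS-filter entries from one allow-list.

Constructed example for this thread, not code from the forum or Fortinet.
Table IDs and names are placeholders; verify the syntax on a lab unit first.
"""
import re

# Constructed sample allow-list standing in for the shared list in the thread.
ALLOWED_SITES = ["https://Example.com/login", "docs.example.org."]

_HOST = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalize(site: str) -> str:
    """Reduce a pasted URL to a bare lowercase hostname; reject anything else."""
    host = re.sub(r"^https?://", "", site.strip().lower()).split("/")[0].rstrip(".")
    if not _HOST.match(host):
        raise ValueError(f"not a hostname: {site!r}")
    return host


def _table(kind: str, key: str, action: str, table_id: int, name: str, hosts):
    # One FortiOS table with one 'simple' (exact-match) entry per host.
    out = [f"config {kind}", f"    edit {table_id}", f'        set name "{name}"',
           "        config entries"]
    for i, h in enumerate(hosts, 1):
        out += [f"            edit {i}", f'                set {key} "{h}"',
                "                set type simple", f"                set action {action}",
                "            next"]
    return out + ["        end", "    next", "end"]


def build_config(sites, table_id: int = 1, name: str = "allow-list") -> str:
    """Return CLI for both filters generated from the same de-duplicated list.

    Web side uses 'exempt' because, as the author understands FortiOS, 'allow'
    in a URL filter still hands the request to FortiGuard category filtering;
    exempt also skips the remaining proxy inspection for that URL, so keep the
    list short. DNS side uses 'allow', which overrides the category verdict.
    """
    hosts = sorted({normalize(s) for s in sites})
    web = _table("webfilter urlfilter", "url", "exempt", table_id, name, hosts)
    dns = _table("dnsfilter domain-filter", "domain", "allow", table_id, name, hosts)
    return "\n".join(web + [""] + dns) + "\n"


print(build_config(ALLOWED_SITES))
```

Both generated tables still have to be referenced from the web filter and DNS filter profiles attached to the firewall policy (the profile-side settings are not generated here).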
