Easiest way to allow website through web filter and DNS filter simultaneously?
We have recently switched to Fortigate. I'm trying to figure out what the best process is to unblock a website when it is blocked by both the web filter and DNS filter categories. The Fortigate is running FortiOS v7.0.12.
First idea was to use a custom web filter category to allow websites through the web filtering, but the DNS filtering still blocks the websites if they match both filters. The only option I can find would be to also enter in the website in the DNS filter static entries. This feels a bit cumbersome to have to maintain two identical lists.
My next thought was to create a firewall policy using an address group with allowed websites. I turned off the web filter and DNS filter security profiles on the policy. I also made sure the policy was at the top of the list. Despite this the traffic is still getting caught by both the web filter and DNS filter. I'm not sure why or if this is some kind of bug? I can see that the policy is matching the traffic in the logs. It's like the traffic is going through the first rule, but still being filtered by another rule that it would match further down the list.
It appears that the policy method is failing due to the Fortigate only resolving wildcard FQDN address objects when they are used. Thus, the policy that is meant to allow the traffic is skipped because the address isn't resolved yet and goes on to the next policy which blocks it. This means wildcard addresses can't be used to unblock websites from DNS filtering.
Regarding your observation that wildcard FQDN address objects aren't resolved until they're actually used in a policy, you're correct.
The FortiGate resolves the wildcard FQDN addresses when they are referenced in a policy, which might be causing the issue you're facing.
One possible workaround is to create explicit address objects for the websites you want to allow through DNS filtering. This helps in situations where the FortiGate doesn't resolve wildcard FQDN addresses preemptively.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.