Dear team,
I have DNS Filter configuration and have full license. But when configuring SDNS for fortigruad, I don't see the command to configure.
Please help me, I am integrating remote access on DNS filter
Thanks team
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you have the DNS Filter configuration with a full license and are trying to configure Secure DNS (SDNS) on FortiGate with FortiGuard but do not see the command to configure, there are a few things that could be happening:
1. FortiOS Version:
Ensure that you are using a FortiOS version that supports SDNS. Some FortiOS versions might not include certain commands for DNS filtering or SDNS.
To check your version, use the following CLI command:
bash
Copy code
get system status
This will show your FortiOS version. Ensure that it's up to date as certain features might only appear in newer versions.
2. FortiGuard DNS Filtering (SDNS) License Activation:
Make sure your FortiGuard DNS Filtering license is activated properly. You can verify that your FortiGate is licensed to use FortiGuard DNS services by checking:
#get system FortiGuard
Look for the status of "FortiGuard Web Filter" and "FortiGuard DNS Filter" to ensure they are enabled.
3. Configuring Secure DNS (SDNS) via CLI:
If you’re trying to configure SDNS specifically for FortiGuard DNS filtering, and you don’t see the command in the graphical interface, you can use the CLI. Usually, the SDNS configuration would be part of the DNS settings or the DNS filter profile setup.
Enable DNS Filtering: If not already done, go to Security Profiles → DNS Filter and make sure that the FortiGuard DNS filtering is enabled in your profile.
Configure DNS Server with SDNS: In some cases, SDNS can be manually configured in the FortiGate by defining a specific DNS server that supports SDNS (FortiGuard or others).
Use the following commands in the CLI:
config system dns
set primary <Primary DNS IP Address>
set secondary <Secondary DNS IP Address> # If available
set dns-over-tls enable # This enables DNS over TLS (SDNS)
end
If you don’t see dns-over-tls or dns-over-https in the command options, your FortiGate model or FortiOS version might not support it.
Assign DNS Filter to a Policy: After creating a DNS Filter profile (including the FortiGuard category-based filtering), apply it to a security policy. Use the following commands:
config firewall policy
edit <Policy ID>
set dnsfilter-profile "<Your DNS Filter Profile>"
next
end
4. Troubleshooting:
Command Missing in CLI: If you're sure that SDNS should be supported on your device but still don't see the command, try updating the firmware to the latest stable version of FortiOS. FortiGate frequently adds new features and commands in newer versions.
FortiGuard Connectivity: Ensure that your FortiGate can communicate with FortiGuard servers. Check the connectivity with:
diag debug rating
This will show the status of the FortiGuard server connectivity. If FortiGuard servers aren’t reachable, the SDNS feature might not function properly.
DNS Over HTTPS (DoH): If your goal is to configure DNS over HTTPS (DoH) instead of DNS over TLS (DoT), check if the option is available in your FortiOS version. If DoH support is available, you might need to specify a specific DNS over HTTPS provider.
Related link: DDNS | FortiGate / FortiOS 7.4.4 | Fortinet Document Library
Hi @Durga_Ashwath, thank your feedback
I checked and found the command any-sdns-server-ip. But when reading the document, I only saw the command sdns-server-ip for FortiOS 7.4.4. So is there a way to set SDNS with the above command?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.