We're noticing this problem across multiple clients this morning. Any users using Internet access policies with a DNS Filter profile enabled are blocked from accessing the Internet. The DNS Query logs show constant failures with:
The FortiGuard page shows two green "check" status indicators and "diag debug rating" doesn't show any obvious errors.
This is not a config problem. This has happened simultaneously across multiple FortiGates with known good working configs and no recent config changes. Changing the FortiGuard protocol and port between UDP and HTTPS, 53, 443 and 8888 doesn't seem to make a difference. The only solution is to either remove the DNS Filter profile from the policies or set "Allow DNS requests when a rating error occurs" to enabled in the DNS Filter profiles - then traffic starts flowing again.
This seems pretty clearly to be a back-end FortiGuard DNS problem. Anyone else seeing this? Any official acknowledgement of any FortiGuard DNS problems?
Russ
NSE7
We have, same description.
Temp fix for us was to disengage DNS filter component on the IPv4 policy referenced in the log entry.
The problem resolved itself for us at around 12:41 PM Pacific according to my DNS Query logs:
12:41:15 - ERROR- "Message: A rating error occurs" (last error)
12:41:25 - OK - "Message: Domain belongs to a denied category in policy" (no errors from this point forward)
Russ
NSE7
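The timestamps above show what an outage looks like in the DNS Query log: a run of "A rating error occurs" blocks, then normal category verdicts again. As an added example (not from the thread), this Python parses FortiOS-style key="value" DNS filter log lines and reports the first and last rating error, the first normal verdict afterwards, and how many queries were blocked only because the rating lookup failed; the log lines and the timestamps in them are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample FortiGate DNS-filter log lines (not copied from the thread).
# Field names follow the FortiOS key="value" style; values are made up.
SAMPLE_LOG = """\
date=2020-08-12 time=12:40:55 type="utm" subtype="dns" eventtype="dns-response" level="warning" qname="example.com" action="block" msg="A rating error occurs"
date=2020-08-12 time=12:41:05 type="utm" subtype="dns" eventtype="dns-response" level="warning" qname="example.org" action="block" msg="A rating error occurs"
date=2020-08-12 time=12:41:15 type="utm" subtype="dns" eventtype="dns-response" level="warning" qname="example.net" action="block" msg="A rating error occurs"
date=2020-08-12 time=12:41:25 type="utm" subtype="dns" eventtype="dns-response" level="warning" qname="bad.example" action="block" msg="Domain belongs to a denied category in policy"
date=2020-08-12 time=12:42:00 type="utm" subtype="dns" eventtype="dns-response" level="notice" qname="ok.example" action="pass" msg="Domain is monitored"
"""

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
RATING_ERROR = "A rating error occurs"

def parse_line(line):
    """Turn one key=value log line into a dict, with quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}

def rating_error_window(log_text):
    """Return (first_error, last_error, first_ok_after, blocked_count).

    blocked_count is the number of queries blocked solely because the
    FortiGuard SDNS rating failed, i.e. fail-closed behaviour while the
    profile's "Allow DNS requests when a rating error occurs" is disabled.
    """
    first = last = first_ok = None
    blocked = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("subtype") != "dns":
            continue
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        if rec.get("msg") == RATING_ERROR:
            blocked += 1
            first = first or ts
            last = ts
            first_ok = None          # a later error reopens the window
        elif last is not None and first_ok is None:
            first_ok = ts            # first normal rating verdict after the run
    return first, last, first_ok, blocked
```

Rating errors across many unrelated domains in a short window, as here, point at the rating service itself rather than any one client or policy.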
We had the same issue the last few days, the following finally got DNS Filtering working again.
config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
    set sdns-server-ip 208.91.112.220
end
Fortigate 6.4.1
x3
Had the same issue on FortiGate VM running FortiOS 6.4.1 in a non-administrative VDOM; in this case "set source-ip" is needed:
config system fortiguard
    set port 8888
    set fortiguard-anycast disable
    set sdns-server-ip "208.91.112.220"
    set source-ip 138.118.8.4
end
Just to confirm that solved my case too - browsing slowness due to DNS Filtering high response times. Disabled anycast; this automatically caused 4 additional FortiGuard IPs to appear in the list.
The default IP of 172.243.138.221 was showing 450 msec response time in Network -> DNS. After disabling anycast, the best server IP gives just 40 msec!
Thx for the pointer.
FGT 200E 6.4.4
Copyright 2024 Fortinet, Inc. All Rights Reserved.