Hi all,
I have a problem, and Fortinet support have been less than useful.
We have a Cloudflare Zero Trust setup that stops any DNS requests to malicious sites. What I want to do is intercept these requests on the FortiGate before they get to Cloudflare.
In the past I have been manually adding each new site that Cloudflare makes me aware of; this is time consuming. I have been on leave and returned to over 100 URLs to add to the DNS filter on the FortiGate. I was hoping to just import a CSV or text file of the URLs into the FortiGate DNS filter list. Apparently this is not possible.
I have seen some talk of using a Cloudflare API to do this but am not sure how.
Has anyone found a way to do this?
The stock Fortinet answer of "put in a new feature request" is laughable when solutions are needed quickly and when we all know that feature will never get added.
I don't know why they can't have a plain text input for the list.
E.g. on our Smoothwall web filter, I can click a list of blocked URLs and tell it to change to text input, allowing me to paste in a whole list in one go. If Smoothwall can do it, why can't Fortinet with their money and staff?
You could create a script which generates the following commands and sends them via the CLI on the firewall.
config dnsfilter domain-filter
    edit <ID>
        set name <name>
        config entries
            edit <ID>
                set domain <domain>
                set type <simple/regex/wildcard>
                set action <block/allow/monitor>
                set status <enable/disable>
            next
        end
end
You can also use the API with the example body below, using the method PUT and the URL https://FGTIP:PORT/api/v2/cmdb/dnsfilter/domain-filter/{ID}
{
    "id": 4294967295,
    "name": "string",
    "comment": "string",
    "entries": [
        {
            "id": 4294967295,
            "domain": "string",
            "type": "simple",
            "action": "block",
            "status": "enable"
        }
    ]
}
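As an added example (not funkylicious's code and not a Fortinet tool), this Python script turns a plain-text domain list, such as an export of the sites Cloudflare flagged, into the CLI block and the PUT body shown in the answer; the filter ID, the filter name and the sample list are assumed, and anything that is not a bare hostname makes it stop rather than guess.

```python
import re

# Constructed sample of a blocked-domain export, one entry per line
# (comments and blank lines tolerated, duplicates collapsed).
SAMPLE_LIST = """\
# constructed sample export (not a real Cloudflare file)
bad-example.test
BAD-example.test
*.phish-example.test

tracker-example.test
"""
DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")  # hostname or *.hostname

def parse_domain_list(text):
    """Return lowercased, de-duplicated domains; refuse anything that is not a hostname."""
    out = []
    for line in text.splitlines():
        d = line.strip().lower()
        if not d or d.startswith("#"):
            continue
        if not DOMAIN_RE.match(d):  # a full URL, an IP, etc.: stop rather than guess
            raise ValueError(f"not a bare domain, refusing to generate config: {line!r}")
        out.append(d)
    return list(dict.fromkeys(out))  # keeps first-seen order

def entry_type(domain):
    """FortiOS entry type: 'wildcard' for *.example, otherwise 'simple'."""
    return "wildcard" if domain.startswith("*.") else "simple"

def build_cli(filter_id, name, domains, action="block"):
    """Emit the 'config dnsfilter domain-filter' block to paste into the CLI."""
    lines = ["config dnsfilter domain-filter", f"    edit {filter_id}",
             f'        set name "{name}"', "        config entries"]
    for i, d in enumerate(domains, start=1):
        lines += [f"            edit {i}", f'                set domain "{d}"',
                  f"                set type {entry_type(d)}",
                  f"                set action {action}",
                  "                set status enable", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)

def build_api_body(filter_id, name, domains, action="block"):
    """Body for PUT /api/v2/cmdb/dnsfilter/domain-filter/{id} (whole object, all entries)."""
    return {"id": filter_id, "name": name, "comment": "imported from domain list",
            "entries": [{"id": i, "domain": d, "type": entry_type(d),
                         "action": action, "status": "enable"}
                        for i, d in enumerate(domains, start=1)]}
```

The PUT body carries the whole entries list, so keep one master file and regenerate the full object from it each time rather than appending; review the generated text before pasting it into the firewall.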
@funkylicious that's awesome, I was hoping there was a way to do it via cli. Thanks so much for your help. Time saved is always a win!
Copyright 2025 Fortinet, Inc. All Rights Reserved.