Support Forum
mymorgan
New Contributor

Fortigate DNS filter - bulk add of URLs or pointing to cloudflare maybe using APIs

Hi all,

I have a problem, and Fortinet support have been less than useful. FortiGate

We have a Cloudflare Zero Trust setup that stops any DNS requests to malicious sites. What I want to do is intercept these requests on the FortiGate before they get to Cloudflare.

In the past I have been manually adding each new site that Cloudflare makes me aware of; this is time consuming. I have been on leave and returned to over 100 URLs to add to the DNS filter on the FortiGate. I was hoping to just import a CSV or text file of the URLs into the FortiGate DNS filter list. Apparently this is not possible.

I have seen some talk of using a Cloudflare API to do this but am not sure how.

Has anyone found a way to do this?

The stock Fortinet answer of "put in a new feature request" is laughable when solutions are needed quickly and when we all know that feature will never get added.

I don't know why they can't have a plain text input for the list.

E.g. on our Smoothwall web filter, I can click a list of blocked URLs and tell it to change to text input, allowing me to paste in a whole list in one go. If Smoothwall can do it, why can't Fortinet with their money and staff?


1 Solution
funkylicious
SuperUser

You could create a script that generates the following commands and sends them via the CLI on the firewall.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Static-DNS-filter-to-allow-block-DNS-queri...


config dnsfilter domain-filter
    edit <ID>
        set name <name>
        config entries
            edit <ID>
                set domain <domain>
                set type <simple/regex/wildcard>
                set action <block/allow/monitor>
                set status <enable/disable>
            next
        end
end


You can also use the API with the example body below, sending the method PUT to https://FGTIP:PORT/api/v2/cmdb/dnsfilter/domain-filter/{ID}

{
  "id": 4294967295,
  "name": "string",
  "comment": "string",
  "entries": [
    {
      "id": 4294967295,
      "domain": "string",
      "type": "simple",
      "action": "block",
      "status": "enable"
    }
  ]
}
"jack of all trades, master of none"

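The generator the accepted answer describes, as an added example (not code from the thread, from funkylicious, or from Fortinet): it reads a plain-text or CSV export of domains, validates and de-duplicates them, then renders both the `config dnsfilter domain-filter` CLI block and the JSON body for the PUT endpoint quoted above. The sample feed, the filter ID and name, the FortiGate host and port, and the Bearer-token header used to authenticate the PUT are assumptions; check the API documentation for your FortiOS version before sending. The validation step matters because the domain list comes from an external source: a line containing spaces, quotes or semicolons is reported instead of being pasted verbatim into a CLI script where it could be misread as extra commands.

```python
"""Build FortiGate DNS-filter config (CLI block and REST PUT body) from a
domain list. Added example; host, port, IDs, token header are assumptions."""
import csv
import io
import json
import re
import urllib.request

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# A plain domain, or a wildcard entry of the form *.example.com
_DOMAIN_RE = re.compile(rf"^(\*\.)?(?:{_LABEL}\.)+{_LABEL}$", re.IGNORECASE)

# Constructed sample export (not real indicators): a comment line, a plain
# domain, a CSV row with a second column, a wildcard, a case-variant
# duplicate, and one junk line that must be rejected rather than emitted.
SAMPLE_FEED = """# constructed sample, not real indicators
bad-example.test
another-bad.example,block
*.evil-cdn.example
BAD-EXAMPLE.test
not a domain; set action allow
"""


def parse_domain_list(text):
    """Return (entries, rejected). Each entry is (domain, type) with type
    'simple' or 'wildcard'. Only the first CSV column is used, domains are
    lowercased and de-duplicated, and anything that is not a syntactically
    valid domain goes to 'rejected' instead of into the config."""
    entries, rejected, seen = [], [], set()
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        raw = row[0].strip()
        if not raw or raw.startswith("#"):
            continue
        domain = raw.lower()
        if not _DOMAIN_RE.match(domain):
            rejected.append(raw)
            continue
        if domain in seen:
            continue
        seen.add(domain)
        kind = "wildcard" if domain.startswith("*.") else "simple"
        entries.append((domain, kind))
    return entries, rejected


def build_cli(filter_id, name, entries, action="block"):
    """Render the 'config dnsfilter domain-filter' block from the answer,
    one numbered entry per domain, ready to paste into the FortiGate CLI."""
    lines = [
        "config dnsfilter domain-filter",
        f"    edit {filter_id}",
        f'        set name "{name}"',
        "        config entries",
    ]
    for entry_id, (domain, kind) in enumerate(entries, start=1):
        lines += [
            f"            edit {entry_id}",
            f'                set domain "{domain}"',
            f"                set type {kind}",
            f"                set action {action}",
            "                set status enable",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines) + "\n"


def build_api_body(filter_id, name, entries, action="block", comment=""):
    """Build the JSON body for PUT /api/v2/cmdb/dnsfilter/domain-filter/{ID},
    with the same fields as the example body in the answer."""
    return {
        "id": filter_id,
        "name": name,
        "comment": comment,
        "entries": [
            {"id": i, "domain": d, "type": k, "action": action, "status": "enable"}
            for i, (d, k) in enumerate(entries, start=1)
        ],
    }


def build_put_request(host, port, filter_id, body, token):
    """Assemble (but do not send) the PUT request. Passing the REST API token
    as a Bearer header is an assumption here; verify against your FortiOS docs."""
    url = f"https://{host}:{port}/api/v2/cmdb/dnsfilter/domain-filter/{filter_id}"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="PUT")


if __name__ == "__main__":
    entries, rejected = parse_domain_list(SAMPLE_FEED)
    print(build_cli(7, "cloudflare-blocklist", entries))
    print(json.dumps(build_api_body(7, "cloudflare-blocklist", entries), indent=2))
    print("rejected lines:", rejected)
```

To use it against a real export, replace `SAMPLE_FEED` with the file contents (for example `open("blocklist.txt").read()`), review the `rejected` list by hand, and either paste the CLI output into an SSH session or pass the request from `build_put_request` to `urllib.request.urlopen` with a real token and a filter ID that already exists on the unit. Note that a PUT replaces the whole `entries` list of that filter, so generate the complete list each time rather than only the new domains.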
mymorgan
New Contributor

@funkylicious that's awesome, I was hoping there was a way to do it via CLI. Thanks so much for your help. Time saved is always a win!
