luca1994
New Contributor III

Fortigate Manage BlackList

Hello team,

 

I wanted to know what is the best method to manage fqdn to be blacklisted. Basically, is it better to use an ad hoc web filter profile or to create fqnd groups with wildcards?

My goal is to block specific fqdn for everyone globally.

 

Thanks for the support
BR

1 Solution
AEK
Honored Contributor

Hello

Enable "All" traffic logging in the related policy, then check the traffic log. You should find there traffic log entries with the client IP as source, the DNS server IP as destination, and DNS as protocol/service.

AEK

14 REPLIES
AEK
Honored Contributor

Hello

When using an FQDN address with a wildcard, you have to know that the FortiGate must see the DNS requests of your clients, otherwise it can't associate an FQDN with an IP. This is because an address such as "*.domain.com" is not resolved until you replace the "*" with a subdomain. Also, your clients must use clear DNS, not encrypted.

AEK
luca1994
New Contributor III

Hello AEK,

 

"FortiGate must see the DNS requests of your clients": do I do this with a policy?

 

BR

 

 

luca1994
New Contributor III

After creating a wildcard FQDN, it shows "Unresolved FQDN" when hovered. I have generated traffic from the client with nslookup, but the FQDN on the firewall remains unresolved.

 

Thanks

BR

AEK
Honored Contributor

Hi Luca

Yes, the FGT must see DNS traffic in order to resolve a wildcard FQDN address. No special policy is required for this.

But if your web browser uses SSL DNS, it will not work.

Try this to understand better:

  • Create a policy to deny *.domain.com
  • From the CLI, try to ping the "IP" of www.domain.com from your internal host without using the FQDN
  • The ping will be successful, because so far the FGT can't know that this IP is associated with that FQDN
  • Now ping www.domain.com by FQDN from the internal host
  • The ping will be blocked because the FGT could see the association via DNS resolution
  • Now ping the IP address again. It will be blocked as well
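The six-step sequence above can be modelled to see why the bare IP goes from allowed to blocked. The following is an added example, not FortiGate code or anything from this thread: a small Python model of a firewall that learns FQDN-to-IP bindings only from DNS replies that traverse it and matches learned names against wildcard patterns with a plain glob. The class and function names, the pattern-matching rule (a simple `fnmatch` glob, not the product's own matching semantics) and the address 203.0.113.10 are all constructed for the illustration. Running the same sequence with the DNS path bypassing the firewall reproduces the "unresolved" outcome discussed later in the thread.

```python
"""Model of wildcard-FQDN learning from observed DNS replies (added example).

Assumptions (not taken from the thread or from FortiOS):
- the firewall learns a name->IP binding only from DNS replies it sees;
- a destination IP is blocked when any name learned for it matches a deny glob;
- matching is a case-insensitive fnmatch glob, a simplification of real products.
"""
from fnmatch import fnmatchcase


class WildcardFqdnFirewall:
    """Learns FQDN -> IP bindings only from DNS replies that pass through it."""

    def __init__(self, deny_patterns):
        self.deny_patterns = [p.lower() for p in deny_patterns]
        self.bindings = {}  # ip -> set of lower-cased names seen resolving to it

    def observe_dns_reply(self, name, ip):
        """Record a binding; only called for replies that actually cross the firewall."""
        self.bindings.setdefault(ip, set()).add(name.lower())

    def matched_names(self, ip):
        """Names learned for `ip` that match at least one deny pattern."""
        return {
            n for n in self.bindings.get(ip, ())
            if any(fnmatchcase(n, p) for p in self.deny_patterns)
        }

    def is_blocked(self, dst_ip):
        """A packet to dst_ip is denied only once a matching name has been learned."""
        return bool(self.matched_names(dst_ip))

    def is_unresolved(self, pattern):
        """True while no learned name matches the wildcard (the 'Unresolved FQDN' state)."""
        pattern = pattern.lower()
        return not any(
            fnmatchcase(n, pattern) for names in self.bindings.values() for n in names
        )


def client_lookup(fw, name, ip, dns_via_firewall):
    """Simulate a client resolving `name` to `ip` (constructed DNS answer).

    The firewall learns the binding only when the DNS path crosses it; a DNS
    server on another gateway, or encrypted DNS, leaves the firewall blind.
    """
    if dns_via_firewall:
        fw.observe_dns_reply(name, ip)
    return ip


def run_test_sequence(dns_via_firewall):
    """The six-step test from the post; returns the outcome of each step."""
    fw = WildcardFqdnFirewall(["*.domain.com"])
    www_ip = "203.0.113.10"  # constructed documentation-range address
    results = {}
    # Step 2/3: ping the bare IP before any DNS reply has been observed.
    results["ping_ip_before_dns"] = fw.is_blocked(www_ip)
    # Step 4: the client resolves www.domain.com.
    client_lookup(fw, "www.domain.com", www_ip, dns_via_firewall)
    # Step 5: ping by FQDN (the client sends to the resolved IP).
    results["ping_fqdn"] = fw.is_blocked(www_ip)
    # Step 6: ping the bare IP again.
    results["ping_ip_after_dns"] = fw.is_blocked(www_ip)
    results["wildcard_unresolved"] = fw.is_unresolved("*.domain.com")
    return results


if __name__ == "__main__":
    print("DNS through firewall:", run_test_sequence(dns_via_firewall=True))
    print("DNS bypasses firewall:", run_test_sequence(dns_via_firewall=False))
```

With the DNS path through the firewall the sequence gives allowed, blocked, blocked and the wildcard is resolved; with the DNS path bypassing it nothing is ever blocked and the wildcard stays unresolved, which is exactly the symptom a client with a DNS server behind a different gateway shows.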
AEK
luca1994
New Contributor III

Thank you AEK.

I created a policy to deny *.drpbox.com.
From the CLI I tried to ping the "IP" of www.dropbox.com from my internal host without using the FQDN, and then I pinged www.dropbox.com by FQDN.
The ping is NOT blocked because the FGT shows "unresolved" again.

Help please. I have searched on Google but the workaround does not work.

Many thanks

AEK
Honored Contributor

I guess your DNS traffic doesn't transit through the FortiGate.

AEK
luca1994
New Contributor III

In fact, now that I think about it, the DNS servers have a different gateway from the client I am using to do the tests. I need to have the FortiGate see the DNS traffic by making a rule on the gateway of the DNS server that allows DNS traffic to pass through to the FortiGate, correct? Do I have to make the rule in the opposite direction as well, from the FortiGate through to the DNS servers?

 

Thanks for the support

BR

luca1994
New Contributor III

Hello @AEK ,
 
thanks for the response.
 

Now I have a test client that has this network configuration:

 

IP: 192.168.x.x/24

GW: IP address of a FortiGate firewall interface.

DNS: in another VLAN whose gateway is not the FortiGate firewall. In addition, an MPLS circuit is traversed to reach this VLAN.

 

In this scenario I have the "unresolved FQDN" problem.

 

I thank you so much for the support.

BR

luca1994
New Contributor III

Does anyone have any suggestions?

 

Thanks

BR
