Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cskeller07
New Contributor

Created on ‎02-03-2017 09:43 AM

Web filter Vs. DNS filter

What is the difference?  Any pro's con's to one or the other?

 

Why would you need DNS filtering if you're already doing web filtering?

 

If you do not use the FortiGate as a DNS server does DNS filter do anything?

72675
0 Kudos
1 Solution
tititech
New Contributor
In response to tanr

Created on ‎03-23-2018 07:53 AM

Here a practical example :

In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.

with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).

Let say for example, you want to block  seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.

 

web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.

 

Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?

What will happen to your policy rules? Does it go to allow or deny everything?

 

 

 

View solution in original post

11844
11 REPLIES 11
MikePruett
Valued Contributor

Created on ‎02-16-2017 07:54 AM

Web Filter blocks access to websites based on the URL (fqdn) etc.

 

DNS Filter blocks access to resolving known bad sites so you can't even get to them if they are a part of a malicious network.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

11360
tanr
Valued Contributor II
In response to MikePruett

Created on ‎02-16-2017 10:07 AM

Web filter gives you more granular control over subsets of different categories, and allows different types of overrides (if using proxy mode).

 

If you are running web filtering in proxy mode you can override entire categories, or you can override a specific category for specific sites.  For example, you may want to block the "Proxy Avoidance" category, but need to allow access to the webpages that give instructions on using your companies VPN (which might count as proxy avoidance).

 

Though both filters have proxy and flow mode versions, the flow mode versions are a bit different and have fewer controls.  Depends on your version of FortiOS you're on as well.

 

DNS Filter:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/DNS%20Filter/dns... 

Web Filter:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/web_f...

 

11360
0 Kudos
tititech
New Contributor
In response to tanr

Created on ‎03-23-2018 07:53 AM

Here a practical example :

In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.

with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).

Let say for example, you want to block  seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.

 

web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.

 

Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?

What will happen to your policy rules? Does it go to allow or deny everything?

 

 

 

11845
Killer_Bee
New Contributor
In response to tititech

Created on ‎01-24-2023 04:35 AM

nice answer!

3757
0 Kudos
gfleming
Staff
Staff
In response to tititech

Created on ‎01-24-2023 09:55 AM

Just to clarify some points:

- You can use DNS Filter without using FortiGuard DNS servers. As long as the FortiGate sees the DNS requests (i.e. it is in-line between the DNS client and the DNS server) it can look them up using FortiGuard database to determine what action to take.

 

- Web Filtering can block based on URL but requires in almost every case SSL Deep Inspection which is tricky to set up and manage from a user perspective

 

- If FortiGate can't connect to FortiGuard your web filtering will stop working as well!

Cheers,
Graham
3745
0 Kudos
ck8882
New Contributor
In response to gfleming

Created on ‎08-18-2023 07:10 AM

HI gfleming,

 

Good to know DNS Filter allow without using FortiGuard DNS servers.

 

However, would like understand more that why DNS filtering feature not valid in type "explicit" in policy in Proxy? Although DNS filter is enabled in feature visibility, but is not displayed (everything is there, WAF, IPS, Web, ...) but DNS filter is not present.

 

Do you have any idea for it?

 

Thanks

 

549
0 Kudos
fjulianom
New Contributor III
In response to tanr

Created on ‎03-09-2022 03:37 AM

Hi everyone,

 

Old post but I am wondering the same. If I understand well, Web filter gives you more control over the things you can allow or block, in addition you don't need to use the FortiGuard DNS servers, so you don't have this limitation. Then, my question is, why do you need DNS filter if you can do the same or better with Web filter? Any example?

 

Regards,

Julián

8847
0 Kudos
athman8
New Contributor

Created on ‎05-04-2018 04:14 AM

I've been tasked with implementing a solution for web filtering and web usage reporting and so I thought I'd look at something like OpenDNS Umbrella to throw in that DNS layer protection as well. I've done the demo, I've read the spec sheets, and I'm fairly satisfied with the results, especially given as our company is only 300 users dense. Price is ok.......My question is: Is there a better (and easy to implement/manage) solution for web filtering/usage reporting out there (besides Websense -- been there done that) that may or may not also cover DNS layer protection?

11360
andreotta
New Contributor
In response to athman8

Created on ‎06-14-2018 11:37 AM

Talking about the DNSFilter, are there separate logs to show it working? Or are logged with the webfilter logs ?

11360
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.