What is the difference? Any pro's con's to one or the other?
Why would you need DNS filtering if you're already doing web filtering?
If you do not use the FortiGate as a DNS server does DNS filter do anything?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Here a practical example :
In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.
with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).
Let say for example, you want to block seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.
web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.
Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?
What will happen to your policy rules? Does it go to allow or deny everything?
Web Filter blocks access to websites based on the URL (fqdn) etc.
DNS Filter blocks access to resolving known bad sites so you can't even get to them if they are a part of a malicious network.
Mike Pruett
Web filter gives you more granular control over subsets of different categories, and allows different types of overrides (if using proxy mode).
If you are running web filtering in proxy mode you can override entire categories, or you can override a specific category for specific sites. For example, you may want to block the "Proxy Avoidance" category, but need to allow access to the webpages that give instructions on using your companies VPN (which might count as proxy avoidance).
Though both filters have proxy and flow mode versions, the flow mode versions are a bit different and have fewer controls. Depends on your version of FortiOS you're on as well.
DNS Filter:
Web Filter:
Here a practical example :
In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.
with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).
Let say for example, you want to block seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.
web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.
Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?
What will happen to your policy rules? Does it go to allow or deny everything?
nice answer!
Just to clarify some points:
- You can use DNS Filter without using FortiGuard DNS servers. As long as the FortiGate sees the DNS requests (i.e. it is in-line between the DNS client and the DNS server) it can look them up using FortiGuard database to determine what action to take.
- Web Filtering can block based on URL but requires in almost every case SSL Deep Inspection which is tricky to set up and manage from a user perspective
- If FortiGate can't connect to FortiGuard your web filtering will stop working as well!
HI gfleming,
Good to know DNS Filter allow without using FortiGuard DNS servers.
However, would like understand more that why DNS filtering feature not valid in type "explicit" in policy in Proxy? Although DNS filter is enabled in feature visibility, but is not displayed (everything is there, WAF, IPS, Web, ...) but DNS filter is not present.
Do you have any idea for it?
Thanks
Hi @gfleming I know this is an old post but if the DNS filter is enabled for, let us say, google.com, but the URL filter is set to allow google.com/videos, which rule would be the one enforced? Would the most restrictive rule be the one enforced? Is the DNS filter considered the most restrictive filter?
Web Filtering and DNS Filter look at completely independent protocols and so are not related to each other. DNS Filter looks at DNS traffic (port 53 and others), while Web Filtering filters your browsing traffic (443).
If you have both filters in the same rule, then naturally a browser first has to resolve a web site domain to its IP, which is done via DNS request on port 53. Therefore, the DNS filter will be triggered first - if its policy blocks the domain the browser requested resolving for - access will be blocked and Web Filter will not even see HTTPS traffic to such web site. If DNS filter allows this domain, Web Filter will kick in when it sees HTTPS/browser traffic and will do its own check - to allow or block this traffic.
P.S. Tip: For better chances of an answer - do not 'reincarnate' posts from years past, just create a new one, as 99% of the posters in the thread have left the Forums long time ago, and will not even see it.
Thank you very much @Yurisk. Next time I will create a new topic for any other questions I have and for which I cannot find a direct answer in the already existing threads. I just didn't want to bloat the forum with more similarly-related topics.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.