Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Web filter Vs. DNS filter
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Web filter Vs. DNS filter
What is the difference? Any pro's con's to one or the other?
Why would you need DNS filtering if you're already doing web filtering?
If you do not use the FortiGate as a DNS server does DNS filter do anything?
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here a practical example :
In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.
with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).
Let say for example, you want to block seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.
web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.
Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?
What will happen to your policy rules? Does it go to allow or deny everything?
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Web Filter blocks access to websites based on the URL (fqdn) etc.
DNS Filter blocks access to resolving known bad sites so you can't even get to them if they are a part of a malicious network.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Web filter gives you more granular control over subsets of different categories, and allows different types of overrides (if using proxy mode).
If you are running web filtering in proxy mode you can override entire categories, or you can override a specific category for specific sites. For example, you may want to block the "Proxy Avoidance" category, but need to allow access to the webpages that give instructions on using your companies VPN (which might count as proxy avoidance).
Though both filters have proxy and flow mode versions, the flow mode versions are a bit different and have fewer controls. Depends on your version of FortiOS you're on as well.
DNS Filter:
Web Filter:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here a practical example :
In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.
with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).
Let say for example, you want to block seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.
web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.
Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?
What will happen to your policy rules? Does it go to allow or deny everything?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nice answer!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to clarify some points:
- You can use DNS Filter without using FortiGuard DNS servers. As long as the FortiGate sees the DNS requests (i.e. it is in-line between the DNS client and the DNS server) it can look them up using FortiGuard database to determine what action to take.
- Web Filtering can block based on URL but requires in almost every case SSL Deep Inspection which is tricky to set up and manage from a user perspective
- If FortiGate can't connect to FortiGuard your web filtering will stop working as well!
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI gfleming,
Good to know DNS Filter allow without using FortiGuard DNS servers.
However, would like understand more that why DNS filtering feature not valid in type "explicit" in policy in Proxy? Although DNS filter is enabled in feature visibility, but is not displayed (everything is there, WAF, IPS, Web, ...) but DNS filter is not present.
Do you have any idea for it?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gfleming I know this is an old post but if the DNS filter is enabled for, let us say, google.com, but the URL filter is set to allow google.com/videos, which rule would be the one enforced? Would the most restrictive rule be the one enforced? Is the DNS filter considered the most restrictive filter?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Web Filtering and DNS Filter look at completely independent protocols and so are not related to each other. DNS Filter looks at DNS traffic (port 53 and others), while Web Filtering filters your browsing traffic (443).
If you have both filters in the same rule, then naturally a browser first has to resolve a web site domain to its IP, which is done via DNS request on port 53. Therefore, the DNS filter will be triggered first - if its policy blocks the domain the browser requested resolving for - access will be blocked and Web Filter will not even see HTTPS traffic to such web site. If DNS filter allows this domain, Web Filter will kick in when it sees HTTPS/browser traffic and will do its own check - to allow or block this traffic.
P.S. Tip: For better chances of an answer - do not 'reincarnate' posts from years past, just create a new one, as 99% of the posters in the thread have left the Forums long time ago, and will not even see it.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much @Yurisk. Next time I will create a new topic for any other questions I have and for which I cannot find a direct answer in the already existing threads. I just didn't want to bloat the forum with more similarly-related topics.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Users Unable to Access the Website 45 Views
- Schedules not working after upgrading to... 41 Views
- FortiClient events no longer populate in... 156 Views
- VPN for some destinations not via... 64 Views
- New firmware on Fortianalyzer is a... 54 Views
Labels
-
FortiGate
8,502 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
Fortiswitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.