Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
joh2k
New Contributor III

Why is an event marked as Unhandled if DNS request has been redirected to Block Portal?

Hello,

 

We are dealing with  botnet CnC DNS related requests.

 

DNS Filter is being aplied in FortiGate so DNS requests asking to resolve malicious domains are successfully redirected to Block Portal

 

By the way, FortiAnalyzer shows corresponding events as "Unhandled".

 

Shouldn't it be automatically  marked otherwise, such as "Mitigated" ?

 

Thanks for your help,

1 Solution
akileshc
Staff
Staff

An event on a FortiGate device may be marked as "Unhandled" if a DNS request has been redirected to a block portal, because the device may not have a way to handle the redirection or may not recognize it as a valid response to the DNS request.

 

When a FortiGate device receives a DNS request, it checks its DNS cache to see if it already has a record of the requested domain name. If the domain name is not in the cache, the FortiGate device sends a DNS query to the configured DNS server. If the DNS server responds with a valid IP address, the FortiGate device will use that IP address to allow or block access to the requested resource.

 

However, if the DNS server responds with a redirection to a block portal, the FortiGate device may not recognize the response as a valid response to the DNS query. In this case, the FortiGate device may mark the event as "Unhandled" and take no further action.

 

 

 

Akilesh

View solution in original post

2 REPLIES 2
Anthony_E
Community Manager
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
akileshc
Staff
Staff

An event on a FortiGate device may be marked as "Unhandled" if a DNS request has been redirected to a block portal, because the device may not have a way to handle the redirection or may not recognize it as a valid response to the DNS request.

 

When a FortiGate device receives a DNS request, it checks its DNS cache to see if it already has a record of the requested domain name. If the domain name is not in the cache, the FortiGate device sends a DNS query to the configured DNS server. If the DNS server responds with a valid IP address, the FortiGate device will use that IP address to allow or block access to the requested resource.

 

However, if the DNS server responds with a redirection to a block portal, the FortiGate device may not recognize the response as a valid response to the DNS query. In this case, the FortiGate device may mark the event as "Unhandled" and take no further action.

 

 

 

Akilesh
Labels
Top Kudoed Authors