dnsfilter profile
Use this command to configure DNS filter profiles in order to utilize FortiGuard category based filters, determine logging options, set the blocked-redirect portal, block botnet C&C sites, and implement safe search limitations.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
New external block list option to configure one or more external domain block lists. |
```
config dnsfilter profile
    edit {name}
    # Configure DNS domain filter profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Comment. size[255]
        config domain-filter
            set domain-filter-table {integer}   DNS domain filter table ID. range[0-4294967295] - datasource(s): dnsfilter.domain-filter.id
        config ftgd-dns
            set options {error-allow | ftgd-disable}   FortiGuard DNS filter options.
                    error-allow   Allow all domains when FortiGuard DNS servers fail.
                    ftgd-disable  Disable FortiGuard DNS domain rating.
            config filters
                edit {id}
                # FortiGuard DNS domain filters.
                    set id {integer}   ID number. range[0-255]
                    set category {integer}   Category number. range[0-255]
                    set action {block | monitor}   Action to take for DNS requests matching the category.
                            block    Block DNS requests matching the category.
                            monitor  Allow DNS requests matching the category and log the result.
                    set log {enable | disable}   Enable/disable DNS filter logging for this DNS profile.
                next
        set log-all-domain {enable | disable}   Enable/disable logging of all domains visited (detailed DNS logging).
        set sdns-ftgd-err-log {enable | disable}   Enable/disable FortiGuard SDNS rating error logging.
        set sdns-domain-log {enable | disable}   Enable/disable domain filtering and botnet domain logging.
        set block-action {block | redirect}   Action to take for blocked domains.
                block     Return NXDOMAIN for blocked domains.
                redirect  Redirect blocked domains to SDNS portal.
        set redirect-portal {ipv4 address}   IP address of the SDNS redirect portal.
        set block-botnet {disable | enable}   Enable/disable blocking botnet C&C DNS lookups.
        set safe-search {disable | enable}   Enable/disable Google, Bing, and YouTube safe search.
        set youtube-restrict {strict | moderate}   Set safe search for YouTube restriction level.
                strict    Enable strict safe search for YouTube.
                moderate  Enable moderate safe search for YouTube.
        config external-ip-blocklist
            edit {name}
            # One or more external IP block lists.
                set name {string}   External domain block list name. size[64] - datasource(s): system.external-resource.name
            next
    next
end
```
Additional information
The following section is for those options that require additional explanation.
block-action {block | redirect}
Either return NXDOMAIN or redirect blocked domains to an SDNS portal (set by default).
block-botnet {enable | disable}
Enable or disable (by default) blocking DNS requests to known botnet C&C sites. Note that an AntiVirus subscription is required to receive up-to-date botnet package updates.
log-all-domain {enable | disable}
Enable or disable (by default) logging of all domains visited.
redirect-portal <ip>
IP address of the SDNS blocked-redirect portal page. The default is set to 0.0.0.0, which uses the FortiGuard default (208.91.112.55).
safe-search {enable | disable}
Enable or disable (by default) enforcement of "Safe search" on Google, Bing, and YouTube.
sdns-domain-log {enable | disable}
Enable (by default) or disable logging of domain filtering and botnet domains.
sdns-ftgd-err-log {enable | disable}
Enable (by default) or disable logging of FortiGuard SDNS rating errors.
youtube-restrict {strict | moderate}
Note: This entry is only available when safe-search is set to enable.
Enable either strict (set by default) or moderate safe search for YouTube.
config domain-filter
Use this configuration method to assign a domain filter to this DNS profile.
domain-filter-table <name>
Name of the domain filter to assign to this DNS profile, as configured under config dnsfilter domain-filter.
config ftgd-dns
Use this configuration method to add FortiGuard DNS options.
options {error-allow | ftgd-disable}
Either allow all domains when FortiGuard SDNS servers fail, or disable the FortiGuard SDNS domain rating.
config filters
Configure FortiGuard filter categories, actions, and log options.
category <id>
Assign FortiGuard categories to the filter. Enter set category ? to view all available categories.
action {block | monitor}
Either block or monitor (set by default) when matching this filter's categories.
log {enable | disable}
Note: This entry is only available when action is set to block.
Enable (by default) or disable logging of blocked categories.
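The defaults listed above matter when reviewing a configuration dump: a profile that never mentions block-botnet is running with it disabled. The following Python audit is an added example, not Fortinet code. It flags profiles where botnet blocking is off, FortiGuard failures fail open (error-allow), rating is disabled (ftgd-disable), or domain-filter logging is off. It assumes the input has the layout of `show dnsfilter profile` output, that settings left at default are omitted, and that nested config blocks are closed with end; the profile names and finding labels are constructed.

```python
import shlex

# Defaults documented on this page; the dump is assumed to omit settings left at default.
DEFAULTS = {"block-botnet": "disable", "sdns-domain-log": "enable"}
TOP = ["dnsfilter profile", "edit"]  # block nesting of one profile entry

def parse_profiles(text):
    """Parse a 'config dnsfilter profile' dump into {name: {"set": {...}, "options": [...]}}."""
    profiles, stack, prof = {}, [], None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd in ("config", "edit"):
            stack.append(" ".join(args) if cmd == "config" else "edit")
            if stack == TOP:
                prof = profiles.setdefault(args[0], {"set": dict(DEFAULTS), "options": []})
        elif cmd in ("next", "end") and stack:
            stack.pop()
        elif cmd == "set" and len(args) > 1 and stack[:2] == TOP:
            if len(stack) == 2:                      # profile-level setting
                prof["set"][args[0]] = " ".join(args[1:])
            elif stack[2:] == ["ftgd-dns"] and args[0] == "options":
                prof["options"] = args[1:]           # FortiGuard DNS filter options
    return profiles

def audit(text):
    """Return sorted (profile, finding) pairs for settings that weaken DNS filtering."""
    out = []
    for name, p in parse_profiles(text).items():
        checks = {"botnet-lookups-not-blocked": p["set"]["block-botnet"] != "enable",
                  "fail-open-on-fortiguard-error": "error-allow" in p["options"],
                  "fortiguard-rating-disabled": "ftgd-disable" in p["options"],
                  "domain-filter-logging-off": p["set"]["sdns-domain-log"] != "enable"}
        out += [(name, c) for c, hit in checks.items() if hit]
    return sorted(out)

# Constructed sample dump: "guest" never sets block-botnet, so the default applies.
SAMPLE = """config dnsfilter profile
    edit "guest"
        config ftgd-dns
            set options error-allow
        end
        set sdns-domain-log disable
    next
    edit "servers"
        set block-botnet enable
    next
end"""
print(audit(SAMPLE))
```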