Fortinet Document Library

Version:

Version:

Version:


Table of Contents

Cookbook

Download PDF
Copy Link

Troubleshooting

The Security Profiles > DNS Filter menu is missing

Go to System > Feature Visibility and enable DNS Filter.

You Configured DNS Filtering, but it is not working

Verify that DNS Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS).

If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.

If the above settings are correct, verify that DNS requests are going through the policy, rather than to an internal DNS server. Also verify that proxy options and SSL/SSH inspection settings have both HTTP and HTTPS enabled and use the correct ports.

Communication with the FortiDNS server fails

Verify that the correct FortiDNS server is configured using the following diagnose command:

diag test application dnsproxy 3

The resulting output should indicate that communication with the correct FortiDNS server was established. For example:

FWF60D4615016384 # diag test application dnsproxy 3

vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1

dns64 is disabled

dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1

dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1

dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1

dns-server:45.75.200.89:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1

vfid=0, interface=wan1, ifindex=6, recursive, dns

DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000

DNS FD: udp_s=12 udp_c=14:15 ha_c=18 unix_s=19, unix_nb_s=20, unix_nc_s=21, v6_udp_s=11, v6_udp_c=16:17

DNS FD: tcp_s=24, tcp_s6=23

FQDN: hash_size=1024, current_query=1024

DNS_DB: response_buf_sz=131072

LICENSE: expiry=2016-08-15, expired=0, type=2

FDG_SERVER:208.91.112.220:53

SERVER_LDB: gid=6d61, tz=-480

FGD_REDIR:208.91.112.55

This CLI result shows that the DNS server IP is set to the North American server, and is being accessed through port 53 (208.91.112.220:53).

Next, verify that bandwidth consuming sites are blocked, while other URLs are allowed.

Go to the CLI Console and enter the following:

diagnose sniffer packet any 'port 53' and 'host 195.8.215.138' 4

The resulting output should indicate that the IP (in this example, dailymotion.co.uk) was blocked by the FortiDNS server:

interfaces=[any]

filters=[port 53]

2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117

2.027316 172.20.121.56.59046 -> 45.75.200.89.53: udp 112

2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116

2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117

FortiGuard has the wrong categorization for a website

If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification by going to the FortiGuard website.

Troubleshooting

The Security Profiles > DNS Filter menu is missing

Go to System > Feature Visibility and enable DNS Filter.

You Configured DNS Filtering, but it is not working

Verify that DNS Filter is enabled in a policy and SSL Inspection has been applied as needed (SSL inspection is required in order to block traffic to sites that use HTTPS).

If both settings are enabled, verify that the policy is being used for the correct traffic and that traffic is flowing by going to the policy list and viewing the Sessions column.

If the above settings are correct, verify that DNS requests are going through the policy, rather than to an internal DNS server. Also verify that proxy options and SSL/SSH inspection settings have both HTTP and HTTPS enabled and use the correct ports.

Communication with the FortiDNS server fails

Verify that the correct FortiDNS server is configured using the following diagnose command:

diag test application dnsproxy 3

The resulting output should indicate that communication with the correct FortiDNS server was established. For example:

FWF60D4615016384 # diag test application dnsproxy 3

vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1

dns64 is disabled

dns-server:208.91.112.53:53 tz=0 req=919160 to=545900 res=117880 rt=1800 secure=0 ready=1

dns-server:208.91.112.52:53 tz=0 req=913029 to=520111 res=134810 rt=6 secure=0 ready=1

dns-server:208.91.112.220:53 tz=-480 req=0 to=0 res=0 rt=0 secure=1 ready=1

dns-server:45.75.200.89:53 tz=0 req=0 to=0 res=0 rt=0 secure=1 ready=1

vfid=0, interface=wan1, ifindex=6, recursive, dns

DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000

DNS FD: udp_s=12 udp_c=14:15 ha_c=18 unix_s=19, unix_nb_s=20, unix_nc_s=21, v6_udp_s=11, v6_udp_c=16:17

DNS FD: tcp_s=24, tcp_s6=23

FQDN: hash_size=1024, current_query=1024

DNS_DB: response_buf_sz=131072

LICENSE: expiry=2016-08-15, expired=0, type=2

FDG_SERVER:208.91.112.220:53

SERVER_LDB: gid=6d61, tz=-480

FGD_REDIR:208.91.112.55

This CLI result shows that the DNS server IP is set to the North American server, and is being accessed through port 53 (208.91.112.220:53).

Next, verify that bandwidth consuming sites are blocked, while other URLs are allowed.

Go to the CLI Console and enter the following:

diagnose sniffer packet any 'port 53' and 'host 195.8.215.138' 4

The resulting output should indicate that the IP (in this example, dailymotion.co.uk) was blocked by the FortiDNS server:

interfaces=[any]

filters=[port 53]

2.026733 172.20.121.56.59046 -> 208.91.112.220.53: udp 117

2.027316 172.20.121.56.59046 -> 45.75.200.89.53: udp 112

2.028480 172.20.121.56.59046 -> 208.91.112.220.53: udp 116

2.029591 172.20.121.56.59046 -> 208.91.112.220.53: udp 117

FortiGuard has the wrong categorization for a website

If you believe a website has been placed in the wrong category by FortiGuard, you can submit the URL for re-classification by going to the FortiGuard website.