Fortinet Document Library

Version:


Table of Contents

Cookbook

6.2.0
Download PDF
Copy Link

How to configure and apply a DNS filter profile

To create or configure DNS Filter profile in the GUI:
  1. Go to Security Profiles > DNS Filter.
  2. You can modify the default DNS Filter and enable the options you want or you can click + at the top right to create a new DNS Filter.

To create or configure DNS Filter profile in the CLI:
config dnsfilter profile
    edit "demo"
        set comment ''
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                    set action monitor
                next
                edit 7
                    set category 7
                    set action block
                next
                ...
                edit 22
                    set category 0
                    set action monitor
                next
            end
        end
        set log-all-domain enable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
        set block-botnet enable
        set safe-search enable
        set redirect-portal 93.184.216.34
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end

After you have created the DNS Filter profile, you can apply it to the policy. DNS filters also support IPv6 policies.

To apply DNS Filter profile to the policy in the GUI:
  1. Go to Policy & Objects IPv4 Policy or IPv6 Policy.
  2. In the Security Profiles section, enable DNS Filter and select the DNS filter.

To apply DNS Filter profile to the policy in the CLI:
config firewall policy
    edit 1
        set name "Demo"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set fsso disable
        set dnsfilter-profile "demo"  <<<====
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

How to configure and apply a DNS filter profile

To create or configure DNS Filter profile in the GUI:
  1. Go to Security Profiles > DNS Filter.
  2. You can modify the default DNS Filter and enable the options you want or you can click + at the top right to create a new DNS Filter.

To create or configure DNS Filter profile in the CLI:
config dnsfilter profile
    edit "demo"
        set comment ''
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            set options error-allow
            config filters
                edit 2
                    set category 2
                    set action monitor
                next
                edit 7
                    set category 7
                    set action block
                next
                ...
                edit 22
                    set category 0
                    set action monitor
                next
            end
        end
        set log-all-domain enable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
        set block-botnet enable
        set safe-search enable
        set redirect-portal 93.184.216.34
        set redirect-portal6 ::
        set youtube-restrict strict
    next
end

After you have created the DNS Filter profile, you can apply it to the policy. DNS filters also support IPv6 policies.

To apply DNS Filter profile to the policy in the GUI:
  1. Go to Policy & Objects IPv4 Policy or IPv6 Policy.
  2. In the Security Profiles section, enable DNS Filter and select the DNS filter.

To apply DNS Filter profile to the policy in the CLI:
config firewall policy
    edit 1
        set name "Demo"
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set fsso disable
        set dnsfilter-profile "demo"  <<<====
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end