New Features

FortiGuard DNS Filter

This feature adds DNS profile inspection to IPv6 policies, including FortiGuard DNS filtering (which requires a web filtering license) and the portal replacement message redirect.

To apply a DNS Filter profile to an IPv6 policy using the CLI:

config firewall policy6
    edit 1
        set name "IPV6-DNSFilter"
        set uuid b1adb096-1919-51e9-05c7-87813d4e2b2a
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dnsfilter-profile "default"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

A new CLI variable, redirect-portal6, is added to the DNS filter profile to hold the IPv6 address of the SDNS redirect portal:

config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            unset options
            config filters
                edit 1
                    set category 2
                    set action monitor
                next
                edit 2
                    set category 7
                    set action monitor
                next
                ......
            end
        end
        set log-all-domain disable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
        set block-botnet enable
        set safe-search disable
        set redirect-portal 0.0.0.0
        set redirect-portal6 ::
    next
end

After the FortiGate has successfully initialized communication with the SDNS server (for the domain rating service), the following CLI command shows the default redirect portal IPv6 address:

(global) # diag test app dnsproxy 3
......
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2001:cdba::3257:9652]
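As an added verification example (not part of the Fortinet documentation, and not a FortiOS feature), the script below audits a policy6 config dump for accept rules that do not carry a DNS filter profile, and parses the dnsproxy diagnostic output to determine which IPv6 redirect portal is in effect. It assumes that a redirect-portal6 value of :: means the FortiGuard-supplied portal address is used, and the sample dump and diagnostic excerpt are constructed for the example.

```python
import re
from ipaddress import IPv6Address

# Constructed `config firewall policy6` dump: policy 1 mirrors the page,
# policy 2 is a hypothetical accept rule with no DNS filtering.
SAMPLE_POLICY6 = """config firewall policy6
    edit 1
        set name "IPV6-DNSFilter"
        set action accept
        set utm-status enable
        set dnsfilter-profile "default"
    next
    edit 2
        set name "IPV6-NoInspect"
        set action accept
    next
end
"""
# Constructed `diag test app dnsproxy 3` excerpt; the addresses are those shown on the page.
SAMPLE_DIAG = "......\nFGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2001:cdba::3257:9652]\n"


def parse_policy6(dump):
    """Return {policy_id: {setting: value}} from a policy6 config dump."""
    policies, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return policies

def policies_without_dns_filter(dump):
    """IDs of accept policies that lack UTM inspection or a DNS filter profile."""
    return sorted(pid for pid, p in parse_policy6(dump).items()
                  if p.get("action") == "accept"
                  and not (p.get("utm-status") == "enable" and p.get("dnsfilter-profile")))

def fortiguard_redirect_portals(diag_output):
    """Extract FGD_REDIR_V4/FGD_REDIR_V6 from dnsproxy diagnostic output."""
    m = re.search(r"FGD_REDIR_V4:(\S+)\s+FGD_REDIR_V6:\[([0-9a-fA-F:]+)\]", diag_output)
    if not m:
        raise ValueError("no FGD_REDIR lines: SDNS communication not initialized yet")
    return {"v4": m.group(1), "v6": m.group(2)}

def effective_redirect_portal6(configured, diag_output):
    """Assumption: '::' (the page's default) means the FortiGuard-supplied portal is used."""
    if IPv6Address(configured) == IPv6Address("::"):
        return fortiguard_redirect_portals(diag_output)["v6"]
    return str(IPv6Address(configured))
```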
