Fortinet Document Library
CLI Reference, version 6.2.1

Configure DNS domain filter profiles.

  config dnsfilter profile
      Description: Configure DNS domain filter profiles.
      edit <name>
          set comment {var-string}
          config domain-filter
              Description: Domain filter settings.
              set domain-filter-table {integer}
          end
          config ftgd-dns
              Description: FortiGuard DNS Filter settings.
              set options {option1}, {option2}, ...
              config filters
                  Description: FortiGuard DNS domain filters.
                  edit <id>
                      set category {integer}
                      set action [block|monitor]
                      set log [enable|disable]
                  next
              end
          end
          set log-all-domain [enable|disable]
          set sdns-ftgd-err-log [enable|disable]
          set sdns-domain-log [enable|disable]
          set block-action [block|redirect]
          set redirect-portal {ipv4-address}
          set redirect-portal6 {ipv6-address}
          set block-botnet [disable|enable]
          set safe-search [disable|enable]
          set youtube-restrict [strict|moderate]
          set external-ip-blocklist <name1>, <name2>, ...
          config dns-translation
              Description: DNS translation settings.
              edit <id>
                  set src {ipv4-address}
                  set dst {ipv4-address}
                  set netmask {ipv4-netmask}
                  set status [enable|disable]
              next
          end
      next
  end

config dnsfilter profile

comment
    Description: Comment.
    Type: var-string
    Size: Maximum length: 255

log-all-domain
    Description: Enable/disable logging of all domains visited (detailed DNS logging).
        enable: Enable logging of all domains visited.
        disable: Disable logging of all domains visited.
    Type: option
    Size: -

sdns-ftgd-err-log
    Description: Enable/disable FortiGuard SDNS rating error logging.
        enable: Enable FortiGuard SDNS rating error logging.
        disable: Disable FortiGuard SDNS rating error logging.
    Type: option
    Size: -

sdns-domain-log
    Description: Enable/disable domain filtering and botnet domain logging.
        enable: Enable domain filtering and botnet domain logging.
        disable: Disable domain filtering and botnet domain logging.
    Type: option
    Size: -

block-action
    Description: Action to take for blocked domains.
        block: Return NXDOMAIN for blocked domains.
        redirect: Redirect blocked domains to the SDNS portal.
    Type: option
    Size: -

redirect-portal
    Description: IPv4 address of the SDNS redirect portal.
    Type: ipv4-address
    Size: Not Specified

redirect-portal6
    Description: IPv6 address of the SDNS redirect portal.
    Type: ipv6-address
    Size: Not Specified

block-botnet
    Description: Enable/disable blocking botnet C&C DNS lookups.
        disable: Disable blocking botnet C&C DNS lookups.
        enable: Enable blocking botnet C&C DNS lookups.
    Type: option
    Size: -

safe-search
    Description: Enable/disable Google, Bing, and YouTube safe search.
        disable: Disable Google, Bing, and YouTube safe search.
        enable: Enable Google, Bing, and YouTube safe search.
    Type: option
    Size: -

youtube-restrict
    Description: Set the safe search restriction level for YouTube.
        strict: Enable strict safe search for YouTube.
        moderate: Enable moderate safe search for YouTube.
    Type: option
    Size: -

external-ip-blocklist <name>
    Description: One or more external IP block lists. External domain block list name.
    Type: string
    Size: Maximum length: 79

config domain-filter

domain-filter-table
    Description: DNS domain filter table ID.
    Type: integer
    Size: Minimum value: 0, Maximum value: 4294967295

config ftgd-dns

options
    Description: FortiGuard DNS filter options.
        error-allow: Allow all domains when FortiGuard DNS servers fail.
        ftgd-disable: Disable FortiGuard DNS domain rating.
    Type: option
    Size: -

config filters

category
    Description: Category number.
    Type: integer
    Size: Minimum value: 0, Maximum value: 255

action
    Description: Action to take for DNS requests matching the category.
        block: Block DNS requests matching the category.
        monitor: Allow DNS requests matching the category and log the result.
    Type: option
    Size: -

log
    Description: Enable/disable DNS filter logging for this DNS profile.
        enable: Enable DNS filter logging.
        disable: Disable DNS filter logging.
    Type: option
    Size: -

config dns-translation

src
    Description: IPv4 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst.
    Type: ipv4-address
    Size: Not Specified

dst
    Description: IPv4 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be a single IP address or a subnet on the external network, but the number of addresses must equal the number of mapped IP addresses in src.
    Type: ipv4-address
    Size: Not Specified

netmask
    Description: If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst.
    Type: ipv4-netmask
    Size: Not Specified

status
    Description: Enable/disable this DNS translation entry.
        enable: Enable this DNS translation.
        disable: Disable this DNS translation.
    Type: option
    Size: -
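The following is an added worked example, not Fortinet code and not part of this reference: a small Python model of how the settings above combine for one A-record lookup. It covers the ftgd-dns category filters (block vs. monitor), block-botnet, block-action with redirect-portal, and the dns-translation substitution of a resolved address that falls inside src under netmask. The category numbers, addresses, domain names and log strings are constructed sample values; the evaluation order (botnet check before category filter) and the assumption that a botnet block uses the profile's block-action are this example's own, since the reference does not state them.

```python
"""Model of the decision logic a FortiOS dnsfilter profile describes.
Added example; not Fortinet code. Evaluation order and botnet handling
are assumptions noted inline. Requires Python 3.9+."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class CategoryFilter:
    """One 'config filters' entry: category number, action, log flag."""
    category: int
    action: str          # "block" or "monitor"
    log: bool = True


@dataclass
class DnsTranslation:
    """One 'config dns-translation' entry (src, dst, netmask, status)."""
    src: str
    dst: str
    netmask: str = "255.255.255.255"   # single address unless a subnet is given
    status: bool = True

    def apply(self, resolved: str) -> str:
        """Substitute dst for a resolved address matching src under netmask.
        Host bits are preserved, so a subnet-to-subnet mapping keeps each
        address at the same offset inside the block."""
        if not self.status:
            return resolved
        mask = int(ipaddress.IPv4Address(self.netmask))
        addr = int(ipaddress.IPv4Address(resolved))
        src = int(ipaddress.IPv4Address(self.src))
        if (addr & mask) != (src & mask):
            return resolved
        dst = int(ipaddress.IPv4Address(self.dst))
        host_bits = addr & (~mask & 0xFFFFFFFF)
        return str(ipaddress.IPv4Address((dst & mask) | host_bits))


@dataclass
class Profile:
    """Subset of 'config dnsfilter profile' settings this model evaluates."""
    filters: dict = field(default_factory=dict)   # category -> CategoryFilter
    block_botnet: bool = True
    block_action: str = "block"                   # "block" -> NXDOMAIN, "redirect" -> portal
    redirect_portal: str = "0.0.0.0"
    translations: list = field(default_factory=list)


def _blocked(profile: Profile, logs: list) -> dict:
    """block-action 'block' returns NXDOMAIN; 'redirect' answers with the portal."""
    if profile.block_action == "redirect":
        return {"verdict": "redirect", "answers": [profile.redirect_portal], "logs": logs}
    return {"verdict": "NXDOMAIN", "answers": [], "logs": logs}


def evaluate(profile: Profile, domain: str, category: int,
             answers: list, botnet_cc: bool = False) -> dict:
    """Return the reply the profile would produce for one A-record lookup.
    'category' stands in for the FortiGuard rating of 'domain' and
    'botnet_cc' for a hit in the botnet C&C list; both lookups happen
    outside the profile, so they are inputs here."""
    logs = []

    # Assumption: botnet check runs first and uses the profile's block-action.
    if botnet_cc and profile.block_botnet:
        logs.append(f"botnet: {domain} blocked")          # constructed log text
        return _blocked(profile, logs)

    flt = profile.filters.get(category)
    if flt is not None:
        if flt.log:
            logs.append(f"category {category}: {domain} action={flt.action}")
        if flt.action == "block":
            return _blocked(profile, logs)
        # "monitor": allowed and logged, then falls through to translation

    translated = []
    for addr in answers:
        for rule in profile.translations:
            addr = rule.apply(addr)
        translated.append(addr)
    return {"verdict": "allow", "answers": translated, "logs": logs}


# Constructed sample profile: one blocked category, one monitored category,
# botnet blocking on, redirect to a portal, and a /24 translation.
SAMPLE = Profile(
    filters={26: CategoryFilter(26, "block"), 52: CategoryFilter(52, "monitor")},
    block_botnet=True,
    block_action="redirect",
    redirect_portal="192.0.2.10",
    translations=[DnsTranslation("203.0.113.0", "10.10.10.0", "255.255.255.0")],
)

if __name__ == "__main__":
    print(evaluate(SAMPLE, "intranet.example", 52, ["203.0.113.25"]))
    print(evaluate(SAMPLE, "blocked.example", 26, ["198.51.100.1"]))
    print(evaluate(SAMPLE, "cc.example", 0, ["198.51.100.2"], botnet_cc=True))
```

The translation step is the part worth checking carefully when deploying split-horizon DNS through this feature: an entry with a netmask narrower than the real subnet silently leaves part of the range untranslated, and a disabled entry (status disable) passes every address through unchanged, which the model reproduces.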
