FortiGuard DNS filter for IPv6 policies

DNS filter profile inspection can be applied to IPv6 firewall policies, not only IPv4 ones. This includes FortiGuard DNS filtering (which requires a web filtering license) and redirecting blocked queries to the replacement message portal.

To apply a DNS filter profile to an IPv6 policy using the CLI (the uuid line is shown as generated by the device and can be omitted when entering the policy by hand):

config firewall policy6
    edit 1
        set name "IPV6-DNSFilter"
        set uuid b1adb096-1919-51e9-05c7-87813d4e2b2a
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dnsfilter-profile "default"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

The DNS filter profile has a new CLI variable, redirect-portal6, holding the IPv6 address of the SDNS redirect portal. It sits beside the existing IPv4 redirect-portal; leaving it at its default of :: (as redirect-portal defaults to 0.0.0.0) makes the FortiGate use the FortiGuard-supplied portal address rather than a locally configured one:

config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            unset options
            config filters
                edit 1
                    set category 2
                    set action monitor
                next
                edit 2
                    set category 7
                    set action monitor
                next
                ......
            end
        end
        set log-all-domain disable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
        set block-botnet enable
        set safe-search disable
        set redirect-portal 0.0.0.0
        set redirect-portal6 ::
    next
end

After the FortiGate has successfully initialized communication with the SDNS server (the FortiGuard domain rating service), the following diagnose command, run from the global context, shows the redirect portal addresses in use, including the default IPv6 portal address:

(global) # diagnose test application dnsproxy 3
......
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2001:cdba::3257:9652]

If FGD_REDIR_V6 is absent or empty, the FortiGate has not yet obtained the IPv6 portal address from FortiGuard, and blocked IPv6 queries cannot be redirected until it does.
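The procedure above has three parts that are easy to get partially right: the IPv6 policy must both enable UTM and name a DNS filter profile, the profile must exist and use a redirect block action, and the dnsproxy diagnostic must show an IPv6 portal. The following script is an added example, not from the Fortinet cookbook or from FortiOS itself: it parses a FortiOS-style configuration dump and the diagnostic line into Python structures and audits them offline. The configuration and diagnostic text it works on are constructed for the example (a second accept policy without inspection is deliberately included), and the function names are the author's own.

```python
"""Audit FortiOS IPv6 policies for DNS filter inspection (added example)."""
import re
import shlex

# Constructed sample in FortiOS 'show' format, not a real device dump.
SAMPLE_CONFIG = """\
config firewall policy6
    edit 1
        set name "IPV6-DNSFilter"
        set srcintf "port10"
        set dstintf "port9"
        set action accept
        set utm-status enable
        set dnsfilter-profile "default"
        set ssl-ssh-profile "protocols"
    next
    edit 2
        set name "IPV6-NoInspect"
        set srcintf "port10"
        set dstintf "port9"
        set action accept
    next
    edit 3
        set name "IPV6-Deny"
        set action deny
    next
end
config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config ftgd-dns
            set block-action redirect
            set redirect-portal 0.0.0.0
            set redirect-portal6 ::
        end
    next
end
"""

# Constructed copy of the 'diagnose test application dnsproxy 3' line.
SAMPLE_DIAG = "FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2001:cdba::3257:9652]"

DIAG_RE = re.compile(r"FGD_REDIR_V4:(\S+)\s+FGD_REDIR_V6:\[([0-9a-fA-F:]+)\]")


def parse_fortios(text):
    """Turn config/edit/set/unset/next/end lines into nested dicts.

    'config X' and 'edit Y' open a nested dict; 'set K V...' stores the
    value list under K; 'unset K' stores None; 'next'/'end' close a level.
    Lines of dots (elided output) are skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("."):
            continue
        parts = shlex.split(line)  # strips the quotes around names/values
        kw = parts[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif kw == "set":
            stack[-1][parts[1]] = parts[2:]
        elif kw == "unset":
            stack[-1][parts[1]] = None
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit_policy6(cfg):
    """Return {policy_id: reason} for accept policies lacking DNS filtering."""
    findings = {}
    for pid, pol in cfg.get("firewall policy6", {}).items():
        if pol.get("action") != ["accept"]:
            continue  # deny policies forward nothing, so nothing to inspect
        if pol.get("utm-status") != ["enable"]:
            findings[pid] = "utm-status not enabled"
        elif not pol.get("dnsfilter-profile"):
            findings[pid] = "no dnsfilter-profile"
    return findings


def dns_profile_redirect6(cfg, name):
    """Describe where a profile sends blocked IPv6 queries.

    Returns None if the profile does not exist, 'no redirect' if the
    block action is not redirect, 'fortiguard-default' when
    redirect-portal6 is left at ::, otherwise the configured address.
    """
    prof = cfg.get("dnsfilter profile", {}).get(name)
    if prof is None:
        return None
    ftgd = prof.get("ftgd-dns", {})
    if ftgd.get("block-action") != ["redirect"]:
        return "no redirect"
    addr = (ftgd.get("redirect-portal6") or ["::"])[0]
    return "fortiguard-default" if addr == "::" else addr


def parse_redirect_line(line):
    """Extract (v4, v6) portal addresses from the dnsproxy diagnostic line."""
    m = DIAG_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("policies missing DNS filtering:", audit_policy6(cfg))
    print("default profile IPv6 redirect:", dns_profile_redirect6(cfg, "default"))
    print("portal from diagnostics:", parse_redirect_line(SAMPLE_DIAG))
```

Run it against the output of `show firewall policy6` and `show dnsfilter profile` pasted into SAMPLE_CONFIG; any policy listed by audit_policy6 forwards IPv6 DNS traffic without inspection, and a profile reported as 'fortiguard-default' relies on the FGD_REDIR_V6 address the diagnostic shows.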
