FortiGuard DNS filter for IPv6 policies

You can add DNS filter profile inspection to IPv6 policies. This includes FortiGuard DNS filtering (requires a web filtering license) and redirecting blocked requests to the replacement message portal.

To apply a DNS filter profile to an IPv6 policy using the CLI:

config firewall policy6
    edit 1
        set name "IPV6-DNSFilter"
        set uuid b1adb096-1919-51e9-05c7-87813d4e2b2a
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dnsfilter-profile "default"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

A new CLI variable, redirect-portal6, is added to the DNS filter profile to hold the IPv6 address of the SDNS redirect portal:

config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            unset options
            config filters
                edit 1
                    set category 2
                    set action monitor
                next
                edit 2
                    set category 7
                    set action monitor
                next
                ......
            end
        end
        set log-all-domain disable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
        set block-botnet enable
        set safe-search disable
        set redirect-portal 0.0.0.0
        set redirect-portal6 ::
    next
end

After the FortiGate successfully initializes communication with the SDNS server (for the domain rating service), the following CLI command shows the default redirect portal IPv6 address:

(global) # diagnose test application dnsproxy 3
......
FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2001:cdba::3257:9652]
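As an added check (example code, not Fortinet's own), the helper below audits a configuration dump in the CLI format shown above for IPv6 accept policies on which DNS filter inspection will not run (no dnsfilter-profile, or utm-status not enabled), and parses the learned redirect portal addresses out of the dnsproxy diagnose line. The sample configuration and diagnose line are constructed for the test.

```python
import ipaddress
import re
# Constructed sample (not from the page): policy 1 carries the DNS filter profile, policy 2 has UTM on but no profile.
SAMPLE_CONFIG = """\
config firewall policy6
    edit 1
        set action accept
        set utm-status enable
        set dnsfilter-profile "default"
    next
    edit 2
        set action accept
        set utm-status enable
    next
end
"""
# Constructed line in the format that 'diagnose test application dnsproxy 3' prints.
SAMPLE_DIAG = "FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:[2001:cdba::3257:9652]"
DIAG_RE = re.compile(r"FGD_REDIR_V4:(\S+)\s+FGD_REDIR_V6:\[([0-9A-Fa-f:]+)\]")

def parse_policy6(config_text):
    """Return {policy_id: {setting: value}} for each edit block under 'config firewall policy6'."""
    policies, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config firewall policy6"
        elif line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(maxsplit=2)
            policies[current][key] = value.strip('"')
        elif line == "next":
            current = None
        elif line == "end" and current is None:
            in_section = False  # section closed; later (IPv4) policy blocks are ignored
    return policies

def policies_without_dns_filter(policies):
    """IDs of accept policies on which DNS filter inspection will not run."""
    return sorted(pid for pid, s in policies.items()
                  if s.get("action") == "accept"
                  and (s.get("utm-status") != "enable" or not s.get("dnsfilter-profile")))
def parse_redirect_portals(diag_text):
    """Extract the learned (v4, v6) redirect portal addresses, validated as IP literals."""
    match = DIAG_RE.search(diag_text)
    if match is None:
        return None  # SDNS communication not initialized yet, nothing learned
    return tuple(str(ipaddress.ip_address(addr)) for addr in match.groups())
```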
