Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.5 Administration Guide
    6.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Troubleshooting for DNS filter

    Troubleshooting for DNS filter

    If you have trouble with the DNS filter profile in your policy, start with the following troubleshooting steps:

    Checking the connection between the FortiGate and FortiGuard SDNS server

    You need to ensure the FortiGate can connect to the FortiGuard SDNS server. By default, the FortiGate uses UDP port 53 to connect to the SDNS server.

    To check the connection between the FortiGate and SDNS server:
    1. Verify the FortiGuard SDNS server information:
      # diagnose test application dnsproxy 3
...
FDG_SERVER:208.91.112.220:53
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=6f00, tz=-420, error_allow=0
FGD_REDIR:208.91.112.55

      The SDNS server IP address might be different depending on location (in this example, it is 208.91.112.220:53).

    2. In the management VDOM, check the communication between the FortiGate and the SDNS server: 
      #execute ping 208.91.112.220
    3. Optionally, you can check the communication using a PC on the internal network (this example uses dig).
      1. Disable the DNS filter profile so that it does not affect your connection check.
      2. Ping your ISP or a public DNS service provider's DNS server, for example, Google's public DNS server of 8.8.8.8:
        #dig @8.8.8.8 www.fortinet.com

        Or, specify the SDNS server as a DNS server:

        #dig @208.91.112.220 www.fortinet.com
      3. Verify that you can get a domain www.fortinet.com A record from the DNS server. This shows that the UDP port 53 connection path is not blocked.
        #dig @8.8.8.8 www.fortinet.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35121
;; Flags: qr rd ra; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.fortinet.com.            IN      A

;; ANSWER SECTION:
www.fortinet.com.       289     IN      CNAME   fortinet-prod4-858839915.us-west-1.elb.amazonaws.com.
fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51        IN      A       52.8.142.247
fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51        IN      A       13.56.55.78

;; Received 129 B
;; Time 2019-04-29 14:13:18 PDT
;; From 8.8.8.8@53(UDP) in 13.2 ms

    Checking the FortiGuard DNS rating service license

    The FortiGuard DNS rating service shares the license with the FortiGuard web filter, so you must have a valid web filter license for the DNS rating service to work. While the license is shared, the DNS rating service uses a separate connection mechanism from the web filter rating.

    To check the DNS rating service license in the CLI:
    1. View the DNS settings: 
      # diagnose test application dnsproxy 3
    2. Look for the FGD_DNS_SERVICE_LICENSE line and check that the license has not expired:
      FGD_DNS_SERVICE_LICENSE:
server=208.91.112.220:53, expiry=2022-10-03, expired=0, type=2
    3. Check the dns-server lines. Some dns-server lines show secure=1 ready=1. These lines show the functioning servers:

      dns-server:208.91.112.220:53 tz=-480 req=7 to=0 res=7 rt=1 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0

    Checking the FortiGate DNS filter profile configuration

    To check the DNS filter profile configuration:
    1. In FortiOS, create a local domain filter and set the Action to Redirect to Block Portal (see Local domain filter).
    2. Apply this DNS filter profile to the policy.
    3. From the client PC, perform a DNS query on this domain. If you get the profile's redirected portal address, this means that the DNS filter profile works as expected.

    Additional troubleshooting

    Use diagnose test application dnsproxy <test level> to troubleshoot further DNS proxy information, where:

    Test level

    Action

    1

    Clear DNS cache

    2

    Show statistics

    3

    Dump DNS setting

    4

    Reload FQDN

    5

    Requery FQDN

    6

    Dump FQDN

    7

    Dump DNS cache

    8

    Dump DNS database

    9

    Reload DNS database

    10

    Dump secure DNS policy/profile

    11

    Dump botnet domain

    12

    Reload secure DNS setting

    13

    Show hostname cache

    14

    Clear hostname cache

    15

    Show SDNS rating cache

    16

    Clear SDNS rating cache

    17

    Show DNS debug bit mask

    18

    Show DNS debug object members

    99

    Restart the dnsproxy worker
    To debug DNS proxy details:
    #diagnose debug application dnsproxy -1
#diagnose debug {enable | disable}
    Previous
    Next

    Troubleshooting for DNS filter

    Troubleshooting for DNS filter

    If you have trouble with the DNS filter profile in your policy, start with the following troubleshooting steps:

    Checking the connection between the FortiGate and FortiGuard SDNS server

    You need to ensure the FortiGate can connect to the FortiGuard SDNS server. By default, the FortiGate uses UDP port 53 to connect to the SDNS server.

    To check the connection between the FortiGate and SDNS server:
    1. Verify the FortiGuard SDNS server information:
      # diagnose test application dnsproxy 3
...
FDG_SERVER:208.91.112.220:53
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=6f00, tz=-420, error_allow=0
FGD_REDIR:208.91.112.55

      The SDNS server IP address might be different depending on location (in this example, it is 208.91.112.220:53).

    2. In the management VDOM, check the communication between the FortiGate and the SDNS server: 
      #execute ping 208.91.112.220
    3. Optionally, you can check the communication using a PC on the internal network (this example uses dig).
      1. Disable the DNS filter profile so that it does not affect your connection check.
      2. Ping your ISP or a public DNS service provider's DNS server, for example, Google's public DNS server of 8.8.8.8:
        #dig @8.8.8.8 www.fortinet.com

        Or, specify the SDNS server as a DNS server:

        #dig @208.91.112.220 www.fortinet.com
      3. Verify that you can get a domain www.fortinet.com A record from the DNS server. This shows that the UDP port 53 connection path is not blocked.
        #dig @8.8.8.8 www.fortinet.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35121
;; Flags: qr rd ra; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.fortinet.com.            IN      A

;; ANSWER SECTION:
www.fortinet.com.       289     IN      CNAME   fortinet-prod4-858839915.us-west-1.elb.amazonaws.com.
fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51        IN      A       52.8.142.247
fortinet-prod4-858839915.us-west-1.elb.amazonaws.com. 51        IN      A       13.56.55.78

;; Received 129 B
;; Time 2019-04-29 14:13:18 PDT
;; From 8.8.8.8@53(UDP) in 13.2 ms

    Checking the FortiGuard DNS rating service license

    The FortiGuard DNS rating service shares the license with the FortiGuard web filter, so you must have a valid web filter license for the DNS rating service to work. While the license is shared, the DNS rating service uses a separate connection mechanism from the web filter rating.

    To check the DNS rating service license in the CLI:
    1. View the DNS settings: 
      # diagnose test application dnsproxy 3
    2. Look for the FGD_DNS_SERVICE_LICENSE line and check that the license has not expired:
      FGD_DNS_SERVICE_LICENSE:
server=208.91.112.220:53, expiry=2022-10-03, expired=0, type=2
    3. Check the dns-server lines. Some dns-server lines show secure=1 ready=1. These lines show the functioning servers:

      dns-server:208.91.112.220:53 tz=-480 req=7 to=0 res=7 rt=1 secure=1 ready=1 timer=0 probe=0 failure=0 last_failed=0

    Checking the FortiGate DNS filter profile configuration

    To check the DNS filter profile configuration:
    1. In FortiOS, create a local domain filter and set the Action to Redirect to Block Portal (see Local domain filter).
    2. Apply this DNS filter profile to the policy.
    3. From the client PC, perform a DNS query on this domain. If you get the profile's redirected portal address, this means that the DNS filter profile works as expected.

    Additional troubleshooting

    Use diagnose test application dnsproxy <test level> to troubleshoot further DNS proxy information, where:

    Test level

    Action

    1

    Clear DNS cache

    2

    Show statistics

    3

    Dump DNS setting

    4

    Reload FQDN

    5

    Requery FQDN

    6

    Dump FQDN

    7

    Dump DNS cache

    8

    Dump DNS database

    9

    Reload DNS database

    10

    Dump secure DNS policy/profile

    11

    Dump botnet domain

    12

    Reload secure DNS setting

    13

    Show hostname cache

    14

    Clear hostname cache

    15

    Show SDNS rating cache

    16

    Clear SDNS rating cache

    17

    Show DNS debug bit mask

    18

    Show DNS debug object members

    99

    Restart the dnsproxy worker
    To debug DNS proxy details:
    #diagnose debug application dnsproxy -1
#diagnose debug {enable | disable}
    Previous
    Next