CLI Reference

config dnsfilter profile

Configure DNS domain filter profile.

config dnsfilter profile
    Description: Configure DNS domain filter profile.
    edit <name>
        set block-action [block|redirect|...]
        set block-botnet [disable|enable]
        set comment {var-string}
        config dns-translation
            Description: DNS translation settings.
            edit <id>
                set addr-type [ipv4|ipv6]
                set dst {ipv4-address}
                set dst6 {ipv6-address}
                set netmask {ipv4-netmask}
                set prefix {integer}
                set src {ipv4-address}
                set src6 {ipv6-address}
                set status [enable|disable]
            next
        end
        config domain-filter
            Description: Domain filter settings.
            set domain-filter-table {integer}
        end
        set external-ip-blocklist <name1>, <name2>, ...
        set fabric-force-sync [enable|disable]
        set fabric-object [enable|disable]
        set fabric-object-source [member|local|...]
        config ftgd-dns
            Description: FortiGuard DNS Filter settings.
            config filters
                Description: FortiGuard DNS domain filters.
                edit <id>
                    set action [block|monitor]
                    set category {integer}
                    set log [enable|disable]
                next
            end
            set options {option1}, {option2}, ...
        end
        set log-all-domain [enable|disable]
        set redirect-portal {ipv4-address}
        set redirect-portal6 {ipv6-address}
        set safe-search [disable|enable]
        set sdns-domain-log [enable|disable]
        set sdns-ftgd-err-log [enable|disable]
        set strip-ech [disable|enable]
        set transparent-dns-database <name1>, <name2>, ...
        set uuid {uuid}
        set youtube-restrict [strict|moderate|...]
    next
end

config dnsfilter profile

block-action
    Action to take for blocked domains.
    Type: option   Default: redirect
    Options:
        block           Return NXDOMAIN for blocked domains.
        redirect        Redirect blocked domains to the SDNS portal.
        block-sevrfail  Return SERVFAIL for blocked domains.

block-botnet
    Enable/disable blocking botnet C&C DNS lookups.
    Type: option   Default: disable
    Options:
        disable  Disable blocking botnet C&C DNS lookups.
        enable   Enable blocking botnet C&C DNS lookups.

comment
    Comment.
    Type: var-string   Size: maximum length 255

external-ip-blocklist <name>
    One or more external IP block lists.
    <name>: External domain block list name.
    Type: string   Size: maximum length 79

fabric-force-sync *
    Enable/disable forced synchronization of configuration objects from the root FortiGate unit to the downstream devices. The configuration conflict check is skipped.
    Type: option   Default: disable
    Options:
        enable   Enable forced synchronization of configuration objects from the root FortiGate unit to the downstream devices.
        disable  Disable forced synchronization of configuration objects from the root FortiGate unit to the downstream devices.

fabric-object *
    Security Fabric global object setting.
    Type: option   Default: disable
    Options:
        enable   Object is set as a Security Fabric-wide global object.
        disable  Object is local to this Security Fabric member.

fabric-object-source *
    Source of truth for the fabric object.
    Type: option   Default: root
    Options:
        member  Source of truth for this object is a non-root member of the fabric.
        local   Source of truth for this object is this Security Fabric member.
        root    Source of truth for this object is the root of the fabric.

log-all-domain
    Enable/disable logging of all domains visited (detailed DNS logging).
    Type: option   Default: disable
    Options:
        enable   Enable logging of all domains visited.
        disable  Disable logging of all domains visited.

name
    Profile name.
    Type: string   Size: maximum length 47

redirect-portal
    IPv4 address of the SDNS redirect portal.
    Type: ipv4-address   Default: 0.0.0.0

redirect-portal6
    IPv6 address of the SDNS redirect portal.
    Type: ipv6-address   Default: ::

safe-search
    Enable/disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.
    Type: option   Default: disable
    Options:
        disable  Disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.
        enable   Enable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.

sdns-domain-log
    Enable/disable domain filtering and botnet domain logging.
    Type: option   Default: enable
    Options:
        enable   Enable domain filtering and botnet domain logging.
        disable  Disable domain filtering and botnet domain logging.

sdns-ftgd-err-log
    Enable/disable FortiGuard SDNS rating error logging.
    Type: option   Default: enable
    Options:
        enable   Enable FortiGuard SDNS rating error logging.
        disable  Disable FortiGuard SDNS rating error logging.

strip-ech
    Enable/disable removal of the Encrypted Client Hello (ECH) service parameter (the ech SvcParam carried in HTTPS/SVCB records) from supporting DNS RRs.
    Type: option   Default: enable
    Options:
        disable  Disable removal of the ECH service parameter from supporting DNS RRs.
        enable   Enable removal of the ECH service parameter from supporting DNS RRs.

transparent-dns-database <name>
    Transparent DNS database zones.
    <name>: DNS database zone name.
    Type: string   Size: maximum length 79

uuid *
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Type: uuid   Default: 00000000-0000-0000-0000-000000000000

youtube-restrict
    Set the safe search restriction level for YouTube.
    Type: option   Default: strict
    Options:
        strict    Enable strict safe search for YouTube.
        moderate  Enable moderate safe search for YouTube.
        none      Disable safe search for YouTube.

* This parameter may not exist in some models.

config dns-translation

addr-type
    DNS translation type (IPv4 or IPv6).
    Type: option   Default: ipv4
    Options:
        ipv4  IPv4 address type.
        ipv6  IPv6 address type.

dst
    IPv4 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be a single IP address or a subnet on the external network, but the number of addresses must equal the number of mapped IP addresses in src.
    Type: ipv4-address   Default: 0.0.0.0

dst6
    IPv6 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be a single IP address or a subnet on the external network, but the number of addresses must equal the number of mapped IP addresses in src6.
    Type: ipv6-address   Default: ::

id
    ID.
    Type: integer   Range: 0 - 4294967295   Default: 0

netmask
    If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst.
    Type: ipv4-netmask   Default: 255.255.255.255

prefix
    If src6 and dst6 are subnets rather than single IP addresses, enter the prefix for both src6 and dst6 (1 - 128, default = 128).
    Type: integer   Range: 1 - 128   Default: 128

src
    IPv4 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, it is substituted with dst.
    Type: ipv4-address   Default: 0.0.0.0

src6
    IPv6 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, it is substituted with dst6.
    Type: ipv6-address   Default: ::

status
    Enable/disable this DNS translation entry.
    Type: option   Default: enable
    Options:
        enable   Enable this DNS translation.
        disable  Disable this DNS translation.
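The src/dst/netmask (and src6/dst6/prefix) entries above describe a one-to-one rewrite of resolved addresses. The following is an added example, not Fortinet code: it models that rewrite in Python, skipping disabled entries, applying the documented default netmask of /32 and prefix of /128 when they are omitted, and carrying the host bits of the resolved address into the dst network. The entries and addresses are constructed, and the host-bits-preserved interpretation of "number of addresses must equal" is this example's reading of the text.

```python
"""Apply FortiOS dnsfilter `config dns-translation` entries to resolved
addresses.  Added example for this reference page, not Fortinet code: the
rewrite rule (a resolved address inside `src` is replaced by the address at
the same offset inside `dst`, both sized by the shared netmask/prefix) is
this example's reading of the src/dst/netmask text, and the addresses are
constructed."""
import ipaddress

# Constructed entries, shaped like the parameters of one `edit <id>` block.
ENTRIES = [
    # Disabled entry: would match 10.10.10.0/24 but must be skipped.
    {"addr-type": "ipv4", "src": "10.10.10.0", "dst": "198.51.100.0",
     "netmask": "255.255.255.0", "status": "disable"},
    # Internal /24 published to external clients as a documentation /24.
    {"addr-type": "ipv4", "src": "10.10.10.0", "dst": "203.0.113.0",
     "netmask": "255.255.255.0", "status": "enable"},
    # Single host: netmask omitted, so the documented default /32 applies.
    {"addr-type": "ipv4", "src": "10.20.0.7", "dst": "203.0.113.200"},
    # IPv6 /64 mapping using src6/dst6/prefix.
    {"addr-type": "ipv6", "src6": "2001:db8:1::", "dst6": "2001:db8:ffff::",
     "prefix": 64},
]


def _networks(entry):
    """Return (src, dst) networks for an entry, or None if it is disabled."""
    if entry.get("status", "enable") != "enable":
        return None
    if entry.get("addr-type", "ipv4") == "ipv4":
        mask = entry.get("netmask", "255.255.255.255")
        src = ipaddress.ip_network((entry["src"], mask), strict=False)
        dst = ipaddress.ip_network((entry["dst"], mask), strict=False)
    else:
        prefix = int(entry.get("prefix", 128))
        src = ipaddress.ip_network((entry["src6"], prefix), strict=False)
        dst = ipaddress.ip_network((entry["dst6"], prefix), strict=False)
    return src, dst


def translate(resolved, entries):
    """Return the address handed to the client for `resolved`.

    The first enabled entry whose src network contains the resolved address
    wins; the host bits are carried into dst, so a /24 maps 256 addresses
    one-to-one.  An address matching no entry is returned unchanged.
    """
    ip = ipaddress.ip_address(resolved)
    for entry in entries:
        nets = _networks(entry)
        if nets is None or nets[0].version != ip.version or ip not in nets[0]:
            continue
        src, dst = nets
        return dst.network_address + (int(ip) - int(src.network_address))
    return ip


def to_cli(entries):
    """Render the entries as the `config dns-translation` block of this page."""
    lines = ["config dns-translation"]
    for i, entry in enumerate(entries, 1):
        lines.append(f"    edit {i}")
        lines.extend(f"        set {k} {v}" for k, v in entry.items())
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_cli(ENTRIES))
    for q in ("10.10.10.25", "10.10.20.5", "10.20.0.7", "2001:db8:1::10"):
        print(f"{q} -> {translate(q, ENTRIES)}")
```

Running the module prints the generated CLI block and then shows 10.10.10.25 rewritten to 203.0.113.25, 10.20.0.7 to 203.0.113.200, 2001:db8:1::10 to 2001:db8:ffff::10, and 10.10.20.5 left untouched because no enabled entry covers it. Because the same netmask applies to both sides, src and dst always contain the same number of addresses, which is the constraint the dst/dst6 descriptions state.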

config domain-filter

domain-filter-table
    DNS domain filter table ID.
    Type: integer   Range: 0 - 4294967295   Default: 0

config ftgd-dns

options
    FortiGuard DNS filter options.
    Type: option
    Options:
        error-allow   Allow all domains when FortiGuard DNS servers fail (fail open).
        ftgd-disable  Disable FortiGuard DNS domain rating.

config filters

action
    Action to take for DNS requests matching the category.
    Type: option   Default: monitor
    Options:
        block    Block DNS requests matching the category.
        monitor  Allow DNS requests matching the category and log the result.

category
    Category number.
    Type: integer   Range: 0 - 255   Default: 0

id
    ID number.
    Type: integer   Range: 0 - 255   Default: 0

log
    Enable/disable DNS filter logging for this DNS profile.
    Type: option   Default: enable
    Options:
        enable   Enable DNS filter logging.
        disable  Disable DNS filter logging.
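Several settings in the profile table, the ftgd-dns options and the per-category filters decide whether the profile fails open or silently stops logging: error-allow permits every domain while FortiGuard is unreachable, block-botnet defaults to disable, and a filter with action monitor and log disable neither blocks nor records its category. The following is an added example, not Fortinet code: a small Python parser for the config/edit/set/next/end syntax shown on this page, plus an audit that resolves each profile's effective values against the documented defaults and reports those conditions. The two profiles are constructed samples, the category number is a placeholder, and which settings count as weak is this example's own policy.

```python
"""Audit FortiOS `config dnsfilter profile` blocks for fail-open and
low-visibility settings.  Added example for this reference page, not
Fortinet code: the parser covers the config/edit/set/unset/next/end syntax
shown on the page, the sample profiles are constructed, the category number
is a placeholder, and which settings count as weak is this example's policy."""
import shlex

# Constructed sample: a permissive profile beside a hardened one, using only
# parameters documented for `config dnsfilter profile`.
SAMPLE_CONFIG = """\
config dnsfilter profile
    edit "dns-weak"
        set block-botnet disable
        set strip-ech disable
        config ftgd-dns
            set options error-allow
            config filters
                edit 1
                    set category 26
                    set action monitor
                    set log disable
                next
            end
        end
    next
    edit "dns-hardened"
        set block-botnet enable
        set strip-ech enable
        config ftgd-dns
            config filters
                edit 1
                    set category 26
                    set action block
                    set log enable
                next
            end
        end
    next
end
"""

# Defaults from the reference tables, applied when a profile leaves a key unset.
PROFILE_DEFAULTS = {"block-botnet": "disable", "strip-ech": "enable",
                    "sdns-domain-log": "enable", "sdns-ftgd-err-log": "enable"}
FILTER_DEFAULTS = {"action": "monitor", "log": "enable"}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: `config X` and `edit Y` open
    a dict under key X or Y, `set K v...` stores K -> [v...], next/end close."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected keyword {kw!r}: {raw.strip()}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def effective(block, key, defaults):
    """Value the unit applies: the configured value, else the documented default."""
    vals = block.get(key)
    return vals[0] if vals else defaults[key]


def audit_profile(profile):
    """Return the findings for one parsed dnsfilter profile (empty if clean)."""
    findings = []
    ftgd = profile.get("ftgd-dns", {})
    options = set(ftgd.get("options", []))
    if "error-allow" in options:
        findings.append("ftgd-dns options error-allow: fail-open when FortiGuard DNS is unreachable")
    if "ftgd-disable" in options:
        findings.append("ftgd-dns options ftgd-disable: FortiGuard category rating is off")
    if effective(profile, "block-botnet", PROFILE_DEFAULTS) != "enable":
        findings.append("block-botnet disable (the default): botnet C&C lookups are resolved")
    if effective(profile, "strip-ech", PROFILE_DEFAULTS) != "enable":
        findings.append("strip-ech disable: ECH keys reach clients, blinding SNI-based inspection")
    for key in ("sdns-domain-log", "sdns-ftgd-err-log"):
        if effective(profile, key, PROFILE_DEFAULTS) != "enable":
            findings.append(f"{key} disable: filter hits or rating errors are not logged")
    for fid, flt in ftgd.get("filters", {}).items():
        if effective(flt, "log", FILTER_DEFAULTS) == "disable":
            action = effective(flt, "action", FILTER_DEFAULTS)
            cat = flt.get("category", ["0"])[0]
            findings.append(f"filter {fid} (category {cat}): action {action} with log disable, hits are invisible")
    return findings


def audit_config(text):
    """Map each dnsfilter profile name to its list of findings."""
    profiles = parse_fortios(text).get("dnsfilter profile", {})
    return {name: audit_profile(p) for name, p in profiles.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the sample, dns-weak yields four findings (error-allow, block-botnet, strip-ech and the unlogged monitor filter) and dns-hardened yields none. The same parser can be pointed at a full configuration backup; only the `dnsfilter profile` table is inspected, and keys a profile does not set are judged by the defaults listed in the tables above, which is what the FortiGate itself applies.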
