Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiPortal 7.4.1 User Guide
    7.4.1
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.0.15
    6.0.14
    6.0.13
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.3.8
    5.3.7
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.0
    5.2.0
    4.1.0

    Configuring a DNS filter profile

    Configuring a DNS filter profile

    Use DNS category filtering to control user access to web resources.

    DNS filters take precedence over web filters when both are added to a policy.

    To create a DNS filter profile:

    1. Go to Security > Firewall Objects.

    2. Select DNS Filter Profile from the Security Profiles dropdown.

    3. Click Create or select an existing profile from the list and click Edit.

    4. In the form, enter the following information:

      Settings

      Guidelines

      Name

      Required. Enter a name for the profile.

      Comments

      Optionally, enter comments.

      Block DNS requests to known botnet C&C

      Enable or disable blocking requests to known botnet C&Cs at the DNS stage.

      Enforce 'Safe search' on Google, Bing, YouTube

      Enable or disable enforced safe search to help avoid explicit and inappropriate results in search engines.

      Restrict YouTube Access

      Select the YouTube restriction level, either Strict or Moderate.

      This option is only available when Enforce 'Safe Search' is enabled.

      FortiGuard Category Based Filter

      Enable or disable using the FortiGuard domain rating to inspect DNS traffic.

      Static Domain Filter

      Domain Filter

      Enable to define local static domain filters to allow or block specific domains. The local domain filter has a higher priority than the FortiGuard category-based domain filter.

      Click Create in the table to add a domain filter and configure the following settings.

      • Domain: Enter a domain.

      • Type: Select Simple, Regex, or Wildcard.

      • Action: Select Block, Allow, or Monitor.

      • Status: Enable or Disable this domain filter.

      External IP Block Lists

      Enable to select an external block list.

      DNS Translation

      Enable to translate a DNS resolved IP address to another IP address specified on a per-policy basis.

      Click Create in the table to add a DNS translation and configure the following settings.

      • Type: Select IPv4 or IPv6.

      • Original Destination: Enter the address of a host or subnet that you want translated. When a resolved address in a DNS response matches this destination, the firewall will replace the address with the address in Translated Destination.

      • Translated Destination: Enter the address of a host or subnet that you want the resolved address to be translated to.

      • Network Mask: Enter the netmask for the original and translated destinations. If a single host is used for the original and translated destination, set the netmask to 255.255.255.255.

      • Status: Enable or Disable this DNS translation.

      Enabling DNS translation will override matching DNS responses with translated IPs.

      Allow DNS requests when a rating error occurs

      Enable or disable allowing all domains when FortiGuard DNS servers fail or are unreachable.

      Log all domains

      Enable or disable logging all domains visited.

      Redirect blocked DNS requests

      Enable to redirect block DNS requests, then, in Redirect Portal IP, specify the redirect IP or Use FortiGuard Default.

    5. Click Save to save the DNS filter profile.

    Previous
    Next

    Configuring a DNS filter profile

    Configuring a DNS filter profile

    Use DNS category filtering to control user access to web resources.

    DNS filters take precedence over web filters when both are added to a policy.

    To create a DNS filter profile:

    1. Go to Security > Firewall Objects.

    2. Select DNS Filter Profile from the Security Profiles dropdown.

    3. Click Create or select an existing profile from the list and click Edit.

    4. In the form, enter the following information:

      Settings

      Guidelines

      Name

      Required. Enter a name for the profile.

      Comments

      Optionally, enter comments.

      Block DNS requests to known botnet C&C

      Enable or disable blocking requests to known botnet C&Cs at the DNS stage.

      Enforce 'Safe search' on Google, Bing, YouTube

      Enable or disable enforced safe search to help avoid explicit and inappropriate results in search engines.

      Restrict YouTube Access

      Select the YouTube restriction level, either Strict or Moderate.

      This option is only available when Enforce 'Safe Search' is enabled.

      FortiGuard Category Based Filter

      Enable or disable using the FortiGuard domain rating to inspect DNS traffic.

      Static Domain Filter

      Domain Filter

      Enable to define local static domain filters to allow or block specific domains. The local domain filter has a higher priority than the FortiGuard category-based domain filter.

      Click Create in the table to add a domain filter and configure the following settings.

      • Domain: Enter a domain.

      • Type: Select Simple, Regex, or Wildcard.

      • Action: Select Block, Allow, or Monitor.

      • Status: Enable or Disable this domain filter.

      External IP Block Lists

      Enable to select an external block list.

      DNS Translation

      Enable to translate a DNS resolved IP address to another IP address specified on a per-policy basis.

      Click Create in the table to add a DNS translation and configure the following settings.

      • Type: Select IPv4 or IPv6.

      • Original Destination: Enter the address of a host or subnet that you want translated. When a resolved address in a DNS response matches this destination, the firewall will replace the address with the address in Translated Destination.

      • Translated Destination: Enter the address of a host or subnet that you want the resolved address to be translated to.

      • Network Mask: Enter the netmask for the original and translated destinations. If a single host is used for the original and translated destination, set the netmask to 255.255.255.255.

      • Status: Enable or Disable this DNS translation.

      Enabling DNS translation will override matching DNS responses with translated IPs.

      Allow DNS requests when a rating error occurs

      Enable or disable allowing all domains when FortiGuard DNS servers fail or are unreachable.

      Log all domains

      Enable or disable logging all domains visited.

      Redirect blocked DNS requests

      Enable to redirect block DNS requests, then, in Redirect Portal IP, specify the redirect IP or Use FortiGuard Default.

    5. Click Save to save the DNS filter profile.

    Previous
    Next