config dnsfilter profile
Description: Configure DNS domain filter profiles.
edit <name>
set comment {var-string}
config domain-filter
Description: Domain filter settings.
set domain-filter-table {integer}
end
config ftgd-dns
Description: FortiGuard DNS Filter settings.
set options {option1}, {option2}, ...
config filters
Description: FortiGuard DNS domain filters.
edit <id>
set category {integer}
set action [block|monitor]
set log [enable|disable]
next
end
end
set log-all-domain [enable|disable]
set sdns-ftgd-err-log [enable|disable]
set sdns-domain-log [enable|disable]
set block-action [block|redirect]
set redirect-portal {ipv4-address}
set redirect-portal6 {ipv6-address}
set block-botnet [disable|enable]
set safe-search [disable|enable]
set youtube-restrict [strict|moderate]
set external-ip-blocklist <name1>, <name2>, ...
config dns-translation
Description: DNS translation settings.
edit <id>
set addr-type [ipv4|ipv6]
set src {ipv4-address}
set dst {ipv4-address}
set netmask {ipv4-netmask}
set status [enable|disable]
set src6 {ipv6-address}
set dst6 {ipv6-address}
set prefix {integer}
next
end
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
comment | Comment. | var-string | Maximum length: 255 |
log-all-domain | Enable/disable logging of all domains visited (detailed DNS logging). enable: Enable logging of all domains visited. disable: Disable logging of all domains visited. | option | - |
sdns-ftgd-err-log | Enable/disable FortiGuard SDNS rating error logging. enable: Enable FortiGuard SDNS rating error logging. disable: Disable FortiGuard SDNS rating error logging. | option | - |
sdns-domain-log | Enable/disable domain filtering and botnet domain logging. enable: Enable domain filtering and botnet domain logging. disable: Disable domain filtering and botnet domain logging. | option | - |
block-action | Action to take for blocked domains. block: Return NXDOMAIN for blocked domains. redirect: Redirect blocked domains to the SDNS portal. | option | - |
redirect-portal | IPv4 address of the SDNS redirect portal. | ipv4-address | Not Specified |
redirect-portal6 | IPv6 address of the SDNS redirect portal. | ipv6-address | Not Specified |
block-botnet | Enable/disable blocking botnet C&C DNS lookups. disable: Disable blocking botnet C&C DNS lookups. enable: Enable blocking botnet C&C DNS lookups. | option | - |
safe-search | Enable/disable Google, Bing, and YouTube safe search. disable: Disable Google, Bing, and YouTube safe search. enable: Enable Google, Bing, and YouTube safe search. | option | - |
youtube-restrict | Set the YouTube safe search restriction level. strict: Enable strict safe search for YouTube. moderate: Enable moderate safe search for YouTube. | option | - |
external-ip-blocklist <name> | One or more external IP block lists. External domain block list name. | string | Maximum length: 79 |
Parameter Name | Description | Type | Size |
---|---|---|---|
domain-filter-table | DNS domain filter table ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
Parameter Name | Description | Type | Size |
---|---|---|---|
options | FortiGuard DNS filter options. error-allow: Allow all domains when FortiGuard DNS servers fail (fail-open). ftgd-disable: Disable FortiGuard DNS domain rating. | option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
category | Category number. | integer | Minimum value: 0 Maximum value: 255 |
action | Action to take for DNS requests matching the category. block: Block DNS requests matching the category. monitor: Allow DNS requests matching the category and log the result. | option | - |
log | Enable/disable DNS filter logging for this DNS profile. enable: Enable DNS filter logging. disable: Disable DNS filter logging. | option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
addr-type | DNS translation type (IPv4 or IPv6). ipv4: IPv4 address type. ipv6: IPv6 address type. | option | - |
src | IPv4 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst. | ipv4-address | Not Specified |
dst | IPv4 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be single IP address or subnet on the external network, but number of addresses must equal number of mapped IP addresses in src. | ipv4-address | Not Specified |
netmask | If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst. | ipv4-netmask | Not Specified |
status | Enable/disable this DNS translation entry. enable: Enable this DNS translation. disable: Disable this DNS translation. | option | - |
src6 | IPv6 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst6. | ipv6-address | Not Specified |
dst6 | IPv6 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be single IP address or subnet on the external network, but number of addresses must equal number of mapped IP addresses in src6. | ipv6-address | Not Specified |
prefix | If src6 and dst6 are subnets rather than single IP addresses, enter the prefix for both src6 and dst6 (1 - 128, default = 128). | integer | Minimum value: 1 Maximum value: 128 |
config dnsfilter profile
Description: Configure DNS domain filter profiles.
edit <name>
set comment {var-string}
config domain-filter
Description: Domain filter settings.
set domain-filter-table {integer}
end
config ftgd-dns
Description: FortiGuard DNS Filter settings.
set options {option1}, {option2}, ...
config filters
Description: FortiGuard DNS domain filters.
edit <id>
set category {integer}
set action [block|monitor]
set log [enable|disable]
next
end
end
set log-all-domain [enable|disable]
set sdns-ftgd-err-log [enable|disable]
set sdns-domain-log [enable|disable]
set block-action [block|redirect]
set redirect-portal {ipv4-address}
set redirect-portal6 {ipv6-address}
set block-botnet [disable|enable]
set safe-search [disable|enable]
set youtube-restrict [strict|moderate]
set external-ip-blocklist <name1>, <name2>, ...
config dns-translation
Description: DNS translation settings.
edit <id>
set addr-type [ipv4|ipv6]
set src {ipv4-address}
set dst {ipv4-address}
set netmask {ipv4-netmask}
set status [enable|disable]
set src6 {ipv6-address}
set dst6 {ipv6-address}
set prefix {integer}
next
end
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
comment | Comment. | var-string | Maximum length: 255 |
log-all-domain | Enable/disable logging of all domains visited (detailed DNS logging). enable: Enable logging of all domains visited. disable: Disable logging of all domains visited. | option | - |
sdns-ftgd-err-log | Enable/disable FortiGuard SDNS rating error logging. enable: Enable FortiGuard SDNS rating error logging. disable: Disable FortiGuard SDNS rating error logging. | option | - |
sdns-domain-log | Enable/disable domain filtering and botnet domain logging. enable: Enable domain filtering and botnet domain logging. disable: Disable domain filtering and botnet domain logging. | option | - |
block-action | Action to take for blocked domains. block: Return NXDOMAIN for blocked domains. redirect: Redirect blocked domains to the SDNS portal. | option | - |
redirect-portal | IPv4 address of the SDNS redirect portal. | ipv4-address | Not Specified |
redirect-portal6 | IPv6 address of the SDNS redirect portal. | ipv6-address | Not Specified |
block-botnet | Enable/disable blocking botnet C&C DNS lookups. disable: Disable blocking botnet C&C DNS lookups. enable: Enable blocking botnet C&C DNS lookups. | option | - |
safe-search | Enable/disable Google, Bing, and YouTube safe search. disable: Disable Google, Bing, and YouTube safe search. enable: Enable Google, Bing, and YouTube safe search. | option | - |
youtube-restrict | Set the YouTube safe search restriction level. strict: Enable strict safe search for YouTube. moderate: Enable moderate safe search for YouTube. | option | - |
external-ip-blocklist <name> | One or more external IP block lists. External domain block list name. | string | Maximum length: 79 |
Parameter Name | Description | Type | Size |
---|---|---|---|
domain-filter-table | DNS domain filter table ID. | integer | Minimum value: 0 Maximum value: 4294967295 |
Parameter Name | Description | Type | Size |
---|---|---|---|
options | FortiGuard DNS filter options. error-allow: Allow all domains when FortiGuard DNS servers fail (fail-open). ftgd-disable: Disable FortiGuard DNS domain rating. | option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
category | Category number. | integer | Minimum value: 0 Maximum value: 255 |
action | Action to take for DNS requests matching the category. block: Block DNS requests matching the category. monitor: Allow DNS requests matching the category and log the result. | option | - |
log | Enable/disable DNS filter logging for this DNS profile. enable: Enable DNS filter logging. disable: Disable DNS filter logging. | option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
addr-type | DNS translation type (IPv4 or IPv6). ipv4: IPv4 address type. ipv6: IPv6 address type. | option | - |
src | IPv4 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst. | ipv4-address | Not Specified |
dst | IPv4 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be single IP address or subnet on the external network, but number of addresses must equal number of mapped IP addresses in src. | ipv4-address | Not Specified |
netmask | If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst. | ipv4-netmask | Not Specified |
status | Enable/disable this DNS translation entry. enable: Enable this DNS translation. disable: Disable this DNS translation. | option | - |
src6 | IPv6 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst6. | ipv6-address | Not Specified |
dst6 | IPv6 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be single IP address or subnet on the external network, but number of addresses must equal number of mapped IP addresses in src6. | ipv6-address | Not Specified |
prefix | If src6 and dst6 are subnets rather than single IP addresses, enter the prefix for both src6 and dst6 (1 - 128, default = 128). | integer | Minimum value: 1 Maximum value: 128 |