config dnsfilter profile
Configure DNS domain filter profile.
config dnsfilter profile
Description: Configure DNS domain filter profile.
edit <name>
set block-action [block|redirect|...]
set block-botnet [disable|enable]
set comment {var-string}
config dns-translation
Description: DNS translation settings.
edit <id>
set addr-type [ipv4|ipv6]
set dst {ipv4-address}
set dst6 {ipv6-address}
set netmask {ipv4-netmask}
set prefix {integer}
set src {ipv4-address}
set src6 {ipv6-address}
set status [enable|disable]
next
end
config domain-filter
Description: Domain filter settings.
set domain-filter-table {integer}
end
set external-ip-blocklist <name1>, <name2>, ...
config ftgd-dns
Description: FortiGuard DNS Filter settings.
config filters
Description: FortiGuard DNS domain filters.
edit <id>
set action [block|monitor]
set category {integer}
set log [enable|disable]
next
end
set options {option1}, {option2}, ...
end
set log-all-domain [enable|disable]
set redirect-portal {ipv4-address}
set redirect-portal6 {ipv6-address}
set safe-search [disable|enable]
set sdns-domain-log [enable|disable]
set sdns-ftgd-err-log [enable|disable]
set strip-ech [disable|enable]
set transparent-dns-database <name1>, <name2>, ...
set youtube-restrict [strict|moderate|...]
next
end
config dnsfilter profile
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
block-action |
Action to take for blocked domains. |
option |
- |
redirect |
||||||||
|
|
|
|||||||||||
|
block-botnet |
Enable/disable blocking botnet C&C DNS lookups. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
comment |
Comment. |
var-string |
Maximum length: 255 |
|
||||||||
|
external-ip-blocklist |
One or more external IP block lists. External domain block list name. |
string |
Maximum length: 79 |
|
||||||||
|
log-all-domain |
Enable/disable logging of all domains visited (detailed DNS logging). |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
name |
Profile name. |
string |
Maximum length: 35 |
|
||||||||
|
redirect-portal |
IPv4 address of the SDNS redirect portal. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||
|
redirect-portal6 |
IPv6 address of the SDNS redirect portal. |
ipv6-address |
Not Specified |
:: |
||||||||
|
safe-search |
Enable/disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
sdns-domain-log |
Enable/disable domain filtering and botnet domain logging. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
sdns-ftgd-err-log |
Enable/disable FortiGuard SDNS rating error logging. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
strip-ech |
Enable/disable removal of the encrypted client hello service parameter from supporting DNS RRs. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
transparent-dns-database |
Transparent DNS database zones. DNS database zone name. |
string |
Maximum length: 79 |
|
||||||||
|
youtube-restrict |
Set safe search for YouTube restriction level. |
option |
- |
strict |
||||||||
|
|
|
|||||||||||
config dns-translation
|
Parameter |
Description |
Type |
Size |
Default |
||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
addr-type |
DNS translation type (IPv4 or IPv6). |
option |
- |
ipv4 |
||||||
|
|
|
|||||||||
|
dst |
IPv4 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be single IP address or subnet on the external network, but number of addresses must equal number of mapped IP addresses in src. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||
|
dst6 |
IPv6 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be single IP address or subnet on the external network, but number of addresses must equal number of mapped IP addresses in src6. |
ipv6-address |
Not Specified |
:: |
||||||
|
id |
ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||
|
netmask |
If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst. |
ipv4-netmask |
Not Specified |
255.255.255.255 |
||||||
|
prefix |
If src6 and dst6 are subnets rather than single IP addresses, enter the prefix for both src6 and dst6. |
integer |
Minimum value: 1 Maximum value: 128 |
128 |
||||||
|
src |
IPv4 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||
|
src6 |
IPv6 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst6. |
ipv6-address |
Not Specified |
:: |
||||||
|
status |
Enable/disable this DNS translation entry. |
option |
- |
enable |
||||||
|
|
|
|||||||||
config domain-filter
|
Parameter |
Description |
Type |
Size |
Default |
|---|---|---|---|---|
|
domain-filter-table |
DNS domain filter table ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
config ftgd-dns
|
Parameter |
Description |
Type |
Size |
Default |
||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
options |
FortiGuard DNS filter options. |
option |
- |
|
||||||
|
|
|
|||||||||
config filters
|
Parameter |
Description |
Type |
Size |
Default |
||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
action |
Action to take for DNS requests matching the category. |
option |
- |
monitor |
||||||
|
|
|
|||||||||
|
category |
Category number. |
integer |
Minimum value: 0 Maximum value: 255 |
0 |
||||||
|
id |
ID number. |
integer |
Minimum value: 0 Maximum value: 255 |
0 |
||||||
|
log |
Enable/disable DNS filter logging for this DNS profile. |
option |
- |
enable |
||||||
|
|
|
|||||||||