CLI Reference

config dnsfilter profile

Configure DNS domain filter profiles.

config dnsfilter profile
    Description: Configure DNS domain filter profiles.
    edit <name>
        set block-action [block|redirect]
        set block-botnet [disable|enable]
        set comment {var-string}
        config dns-translation
            Description: DNS translation settings.
            edit <id>
                set addr-type [ipv4|ipv6]
                set src {ipv4-address}
                set dst {ipv4-address}
                set netmask {ipv4-netmask}
                set status [enable|disable]
                set src6 {ipv6-address}
                set dst6 {ipv6-address}
                set prefix {integer}
            next
        end
        config domain-filter
            Description: Domain filter settings.
            set domain-filter-table {integer}
        end
        set external-ip-blocklist <name1>, <name2>, ...
        config ftgd-dns
            Description: FortiGuard DNS Filter settings.
            set options {option1}, {option2}, ...
            config filters
                Description: FortiGuard DNS domain filters.
                edit <id>
                    set category {integer}
                    set action [block|monitor]
                    set log [enable|disable]
                next
            end
        end
        set log-all-domain [enable|disable]
        set redirect-portal {ipv4-address}
        set redirect-portal6 {ipv6-address}
        set safe-search [disable|enable]
        set sdns-domain-log [enable|disable]
        set sdns-ftgd-err-log [enable|disable]
        set youtube-restrict [strict|moderate]
    next
end

config dnsfilter profile

Each parameter is listed with its type and size in parentheses, followed by its description and, for option types, the available options.

block-action  (option, size: -)
    Action to take for blocked domains.
    Options:
        block      Return NXDOMAIN for blocked domains.
        redirect   Redirect blocked domains to SDNS portal.

block-botnet  (option, size: -)
    Enable/disable blocking botnet C&C DNS lookups.
    Options:
        disable    Disable blocking botnet C&C DNS lookups.
        enable     Enable blocking botnet C&C DNS lookups.

comment  (var-string, maximum length: 255)
    Comment.

external-ip-blocklist <name>  (string, maximum length: 79)
    One or more external IP block lists.
    <name>: External domain block list name.

log-all-domain  (option, size: -)
    Enable/disable logging of all domains visited (detailed DNS logging).
    Options:
        enable     Enable logging of all domains visited.
        disable    Disable logging of all domains visited.

name  (string, maximum length: 35)
    Profile name.

redirect-portal  (ipv4-address, size: not specified)
    IPv4 address of the SDNS redirect portal.

redirect-portal6  (ipv6-address, size: not specified)
    IPv6 address of the SDNS redirect portal.

safe-search  (option, size: -)
    Enable/disable Google, Bing, and YouTube safe search.
    Options:
        disable    Disable Google, Bing, and YouTube safe search.
        enable     Enable Google, Bing, and YouTube safe search.

sdns-domain-log  (option, size: -)
    Enable/disable domain filtering and botnet domain logging.
    Options:
        enable     Enable domain filtering and botnet domain logging.
        disable    Disable domain filtering and botnet domain logging.

sdns-ftgd-err-log  (option, size: -)
    Enable/disable FortiGuard SDNS rating error logging.
    Options:
        enable     Enable FortiGuard SDNS rating error logging.
        disable    Disable FortiGuard SDNS rating error logging.

youtube-restrict  (option, size: -)
    Set safe search for YouTube restriction level.
    Options:
        strict     Enable strict safe search for YouTube.
        moderate   Enable moderate safe search for YouTube.

config dns-translation

id  (integer, minimum value: 0, maximum value: 4294967295)
    ID.

addr-type  (option, size: -)
    DNS translation type (IPv4 or IPv6).
    Options:
        ipv4       IPv4 address type.
        ipv6       IPv6 address type.

src  (ipv4-address, size: not specified)
    IPv4 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst.

dst  (ipv4-address, size: not specified)
    IPv4 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be a single IP address or a subnet on the external network, but the number of addresses must equal the number of mapped IP addresses in src.

netmask  (ipv4-netmask, size: not specified)
    If src and dst are subnets rather than single IP addresses, enter the netmask for both src and dst.

status  (option, size: -)
    Enable/disable this DNS translation entry.
    Options:
        enable     Enable this DNS translation.
        disable    Disable this DNS translation.

src6  (ipv6-address, size: not specified)
    IPv6 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, the resolved address is substituted with dst6.

dst6  (ipv6-address, size: not specified)
    IPv6 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be a single IP address or a subnet on the external network, but the number of addresses must equal the number of mapped IP addresses in src6.

prefix  (integer, minimum value: 1, maximum value: 128)
    If src6 and dst6 are subnets rather than single IP addresses, enter the prefix for both src6 and dst6.
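The match-and-substitute rule that the src/dst, src6/dst6, netmask and prefix descriptions above specify, modelled in Python as an added example (this is not FortiOS code; the class, function and field names, the sample addresses and the reply records are assumptions made here):

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsTranslation:
    """One dns-translation entry (class and field names are assumptions of this example)."""
    addr_type: str      # "ipv4" uses src/dst/netmask; "ipv6" uses src6/dst6/prefix
    src: str            # internal address or subnet compared with the resolved address
    dst: str            # external address or subnet substituted on a match
    mask: str           # IPv4 netmask ("255.255.255.0") or IPv6 prefix length ("64")
    status: str = "enable"

    def __post_init__(self):
        # A single host is netmask 255.255.255.255 (IPv4) or prefix 128 (IPv6).
        self.src_net = ipaddress.ip_network(f"{self.src}/{self.mask}", strict=False)
        self.dst_net = ipaddress.ip_network(f"{self.dst}/{self.mask}", strict=False)
        if {self.src_net.version, self.dst_net.version} != {4 if self.addr_type == "ipv4" else 6}:
            raise ValueError("src/dst address family does not match addr-type")
        # Same mask on both sides, so dst maps exactly as many addresses as src.
        if self.src_net.num_addresses != self.dst_net.num_addresses:
            raise ValueError("src and dst must cover the same number of addresses")

    def translate(self, resolved):
        """Substituted address if `resolved` is inside src, otherwise unchanged."""
        addr = ipaddress.ip_address(resolved)
        if self.status != "enable" or addr not in self.src_net:
            return resolved
        # Keep the host part: the offset inside src becomes the same offset inside dst.
        return str(self.dst_net.network_address + (int(addr) - int(self.src_net.network_address)))


def translate_answers(entries, answers):
    """Rewrite A/AAAA rdata in a reply given as (name, rrtype, rdata) tuples."""
    out = []
    for name, rrtype, rdata in answers:
        if rrtype in ("A", "AAAA"):
            # First enabled entry that matches wins (an assumption of this example).
            hits = [e.translate(rdata) for e in entries]
            rdata = next((h for h in hits if h != rdata), rdata)
        out.append((name, rrtype, rdata))
    return out


# Constructed sample (not from the page): an internal /24 published as 203.0.113.0/24, one IPv6 host.
ENTRIES = [DnsTranslation("ipv4", "10.1.2.0", "203.0.113.0", "255.255.255.0"),
           DnsTranslation("ipv6", "fd00::10", "2001:db8::10", "128")]
SAMPLE_REPLY = [("intranet.example", "A", "10.1.2.25"),          # becomes 203.0.113.25
                ("intranet.example", "AAAA", "fd00::10"),        # becomes 2001:db8::10
                ("other.example", "A", "192.0.2.7"),             # outside src: unchanged
                ("other.example", "MX", "mail.other.example")]   # not A/AAAA: untouched
```

Because the same netmask or prefix is applied to both sides of an entry, a mismatch in the number of mapped addresses is rejected when the entry is built rather than silently truncating the mapping.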

config domain-filter

domain-filter-table  (integer, minimum value: 0, maximum value: 4294967295)
    DNS domain filter table ID.

config ftgd-dns

options  (option, size: -)
    FortiGuard DNS filter options.
    Options:
        error-allow    Allow all domains when FortiGuard DNS servers fail.
        ftgd-disable   Disable FortiGuard DNS domain rating.

config filters

id  (integer, minimum value: 0, maximum value: 255)
    ID number.

category  (integer, minimum value: 0, maximum value: 255)
    Category number.

action  (option, size: -)
    Action to take for DNS requests matching the category.
    Options:
        block      Block DNS requests matching the category.
        monitor    Allow DNS requests matching the category and log the result.

log  (option, size: -)
    Enable/disable DNS filter logging for this DNS profile.
    Options:
        enable     Enable DNS filter logging.
        disable    Disable DNS filter logging.