FortiGuard DNS filter for IPv6 policies

You can apply a DNS filter profile to IPv6 firewall policies. This covers FortiGuard DNS category filtering (which requires a web filtering license) and the redirect of blocked queries to the replacement-message portal, now also over IPv6.

To apply a DNS filter profile to an IPv6 policy using the CLI (utm-status must be enabled on the policy, otherwise the profile is not applied to matching traffic):

config firewall policy6
    edit 1
        set name "IPV6-DNSFilter"
        set uuid b1adb096-1919-51e9-05c7-87813d4e2b2a
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dnsfilter-profile "default"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

A new DNS filter profile setting, redirect-portal6, holds the IPv6 address of the SDNS redirect portal. Its default value, ::, means the portal address supplied by FortiGuard is used; set it to a specific IPv6 address only if you host your own portal and that address is reachable from the clients being redirected:

config dnsfilter profile
    edit "default"
        set comment "Default dns filtering."
        config domain-filter
            unset domain-filter-table
        end
        config ftgd-dns
            unset options
            config filters
                edit 1
                    set category 2
                    set action monitor
                next
                edit 2
                    set category 7
                    set action monitor
                next
            end
        end
        set log-all-domain disable
        set sdns-ftgd-err-log enable
        set sdns-domain-log enable
        set block-action redirect
        set block-botnet enable
        set safe-search disable
        set redirect-portal
        set redirect-portal6 ::
    next
end

After the FortiGate has successfully initialized communication with the SDNS server (the FortiGuard domain rating service), the following command shows the default redirect portal addresses learned from FortiGuard. In this excerpt the IPv4 field is empty and the IPv6 portal is 2001:cdba::3257:9652, which is the address blocked lookups on the IPv6 policy resolve to while redirect-portal6 is left at ::.

(global) # diagnose test application dnsproxy 3
FGD_REDIR_V4: FGD_REDIR_V6:[2001:cdba::3257:9652]
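The following script is an added example, not Fortinet code. It parses FortiOS configuration text in the form shown on this page, checks every IPv6 policy that has utm-status enabled for a DNS filter profile whose redirect-portal6 can actually be reached, and extracts the FortiGuard portal addresses from the FGD_REDIR line of the diagnose output. The sample configuration and diagnostic line are constructed from this page's listing; policies 2 and 3 and the "custom" profile are hypothetical additions made so the audit has something to report, and the bracketed form of FGD_REDIR_V4 is assumed to mirror FGD_REDIR_V6 because the page only shows it empty.

```python
"""Audit DNS filter settings on FortiGate IPv6 policies (added example, not Fortinet code).

Parses FortiOS CLI config text ('config ... edit ... set ... next ... end') and the
FGD_REDIR line of 'diagnose test application dnsproxy 3'.  SAMPLE_CONFIG and
SAMPLE_DIAG are constructed from the page; policies 2 and 3 and the "custom"
profile are hypothetical, and the FGD_REDIR_V4 bracket form is assumed to mirror V6.
"""
import ipaddress
import re
import shlex

SAMPLE_CONFIG = """
config firewall policy6
    edit 1
        set name "IPV6-DNSFilter"
        set action accept
        set utm-status enable
        set dnsfilter-profile "default"
    next
    edit 2
        set action accept
        set utm-status enable
    next
    edit 3
        set action accept
        set utm-status enable
        set dnsfilter-profile "custom"
    next
end
config dnsfilter profile
    edit "default"
        config ftgd-dns
            unset options
        end
        set block-action redirect
        set redirect-portal6 ::
    next
    edit "custom"
        set block-action redirect
        set redirect-portal6 fe80::1
    next
end
"""
SAMPLE_DIAG = "FGD_REDIR_V4: FGD_REDIR_V6:[2001:cdba::3257:9652]\n"
FGD_REDIR = re.compile(r"FGD_REDIR_V4:\s*(?:\[([^\]]*)\])?\s*FGD_REDIR_V6:\s*(?:\[([^\]]*)\])?")


def parse_fortios(text):
    """'config X'/'edit K' open nested dicts; 'set' stores a str (list if multi-valued); 'unset' stores None."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        if cmd in ("config", "edit"):
            stack[-1][rest.strip('"')] = child = {}
            stack.append(child)
        elif cmd == "set":
            name, _, value = rest.partition(" ")
            vals = shlex.split(value)
            stack[-1][name] = vals[0] if len(vals) == 1 else (vals or None)
        elif cmd == "unset":
            stack[-1][rest] = None
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]


def portal6_status(addr):
    """'default' for unset or :: (FortiGuard's portal), 'ok' for a usable address, else why it is unusable."""
    try:
        ip = ipaddress.IPv6Address(addr or "::")
    except ValueError:
        return "not an IPv6 address"
    if ip.is_unspecified:
        return "default"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.ipv4_mapped is not None:
        return "not reachable as a portal"
    return "ok"


def audit(config):
    """(policy id, finding) for accept+UTM IPv6 policies whose blocked queries cannot redirect over IPv6."""
    profiles = config.get("dnsfilter profile", {})
    findings = []
    for pid, pol in config.get("firewall policy6", {}).items():
        if pol.get("action") != "accept" or pol.get("utm-status") != "enable":
            continue
        prof = profiles.get(pol.get("dnsfilter-profile"))
        if prof is None:
            findings.append((pid, f"no usable dnsfilter-profile ({pol.get('dnsfilter-profile')!r})"))
        elif prof.get("block-action") == "redirect":
            status = portal6_status(prof.get("redirect-portal6"))
            if status not in ("default", "ok"):
                findings.append((pid, f"redirect-portal6 {prof['redirect-portal6']!r}: {status}"))
    return findings


def parse_dnsproxy_redir(output):
    """(v4, v6) portal addresses learned from FortiGuard; None where a bracket is absent or empty."""
    m = FGD_REDIR.search(output)
    return (m.group(1) or None, m.group(2) or None) if m else (None, None)


if __name__ == "__main__":
    print(audit(parse_fortios(SAMPLE_CONFIG)), parse_dnsproxy_redir(SAMPLE_DIAG))
```

Run it against a config backup (`show` output) to list IPv6 policies that inspect DNS but would hand clients an unusable portal address; a link-local or IPv4-mapped redirect-portal6 is flagged because clients cannot reach such an address for the replacement page.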