
config dnsfilter profile

Configure DNS domain filter profile.

config dnsfilter profile
    Description: Configure DNS domain filter profile.
    edit <name>
        set comment {var-string}
        config domain-filter
            Description: Domain filter settings.
            set domain-filter-table {integer}
        end
        config ftgd-dns
            Description: FortiGuard DNS Filter settings.
            set options {option1}, {option2}, ...
            config filters
                Description: FortiGuard DNS domain filters.
                edit <id>
                    set category {integer}
                    set action [block|monitor]
                    set log [enable|disable]
                next
            end
        end
        set log-all-domain [enable|disable]
        set sdns-ftgd-err-log [enable|disable]
        set sdns-domain-log [enable|disable]
        set block-action [block|redirect|...]
        set redirect-portal {ipv4-address}
        set redirect-portal6 {ipv6-address}
        set block-botnet [disable|enable]
        set safe-search [disable|enable]
        set youtube-restrict [strict|moderate]
        set external-ip-blocklist <name1>, <name2>, ...
        config dns-translation
            Description: DNS translation settings.
            edit <id>
                set addr-type [ipv4|ipv6]
                set src {ipv4-address}
                set dst {ipv4-address}
                set netmask {ipv4-netmask}
                set status [enable|disable]
                set src6 {ipv6-address}
                set dst6 {ipv6-address}
                set prefix {integer}
            next
        end
    next
end

config dnsfilter profile

Each parameter is listed with its description, then its type, size and default as given in the reference.

comment
    Comment.
    Type: var-string. Size: maximum length 255.

log-all-domain
    Enable/disable logging of all domains visited (detailed DNS logging).
    Type: option. Default: disable.
    Options:
        enable    Enable logging of all domains visited.
        disable   Disable logging of all domains visited.

sdns-ftgd-err-log
    Enable/disable FortiGuard SDNS rating error logging.
    Type: option. Default: enable.
    Options:
        enable    Enable FortiGuard SDNS rating error logging.
        disable   Disable FortiGuard SDNS rating error logging.

sdns-domain-log
    Enable/disable domain filtering and botnet domain logging.
    Type: option. Default: enable.
    Options:
        enable    Enable domain filtering and botnet domain logging.
        disable   Disable domain filtering and botnet domain logging.

block-action
    Action to take for blocked domains.
    Type: option. Default: redirect.
    Options:
        block            Return NXDOMAIN for blocked domains.
        redirect         Redirect blocked domains to the SDNS portal.
        block-sevrfail   Return SERVFAIL for blocked domains (the keyword is spelled as shown).

redirect-portal
    IPv4 address of the SDNS redirect portal.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

redirect-portal6
    IPv6 address of the SDNS redirect portal.
    Type: ipv6-address. Size: not specified. Default: ::.

block-botnet
    Enable/disable blocking botnet C&C DNS lookups.
    Type: option. Default: disable.
    Options:
        disable   Disable blocking botnet C&C DNS lookups.
        enable    Enable blocking botnet C&C DNS lookups.

safe-search
    Enable/disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.
    Type: option. Default: disable.
    Options:
        disable   Disable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.
        enable    Enable Google, Bing, YouTube, Qwant, DuckDuckGo safe search.

youtube-restrict
    Set the YouTube safe search restriction level.
    Type: option. Default: strict.
    Options:
        strict     Enable strict safe search for YouTube.
        moderate   Enable moderate safe search for YouTube.

external-ip-blocklist <name>
    One or more external IP block lists. <name> is an external domain block list name.
    Type: string. Size: maximum length 79.

config domain-filter

domain-filter-table
    DNS domain filter table ID.
    Type: integer. Range: 0 to 4294967295. Default: 0.

config ftgd-dns

options
    FortiGuard DNS filter options. Note that error-allow makes the filter fail open: while the FortiGuard DNS servers cannot be reached, no category-based blocking is applied.
    Type: option.
    Options:
        error-allow    Allow all domains when FortiGuard DNS servers fail.
        ftgd-disable   Disable FortiGuard DNS domain rating.

config filters

category
    Category number.
    Type: integer. Range: 0 to 255. Default: 0.

action
    Action to take for DNS requests matching the category.
    Type: option. Default: monitor.
    Options:
        block     Block DNS requests matching the category.
        monitor   Allow DNS requests matching the category and log the result.

log
    Enable/disable DNS filter logging for this DNS profile.
    Type: option. Default: enable.
    Options:
        enable    Enable DNS filter logging.
        disable   Disable DNS filter logging.
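
The profile, ftgd-dns and filters settings above decide whether the filter fails open or closed and whether blocks leave a trace, and the defaults in the tables matter because a plain `show` omits any setting still at its default. The audit script below is an added example, not Fortinet code or output: it parses a constructed `show`-style dump of two profiles (the names `weak` and `hardened`, the category number and the block-list name are assumptions) into nested dicts, applies the documented defaults for anything not explicitly set, and reports settings that weaken the filter.

```python
"""Audit 'config dnsfilter profile' output for settings that weaken DNS filtering.

Added example, not Fortinet code. Parses the CLI tree shape shown on this page
(config / edit / set / next / end) and checks each profile against the
parameter descriptions above. SAMPLE is constructed 'show'-style output; the
profile names, category number and block-list name are assumptions.
"""
import shlex

# Defaults as documented in the parameter tables on this page. A plain 'show'
# omits settings at their default, so the audit must fall back to these.
DEFAULTS = {
    "block-botnet": "disable",
    "log-all-domain": "disable",
    "sdns-domain-log": "enable",
    "sdns-ftgd-err-log": "enable",
    "block-action": "redirect",
    "action": "monitor",   # config filters
    "log": "enable",       # config filters
}

# Constructed sample. 'weak' leaves block-botnet and log-all-domain unset
# (so at their defaults); the category number 26 is an assumed value.
SAMPLE = """\
config dnsfilter profile
    edit "weak"
        set comment "lab profile"
        config ftgd-dns
            set options error-allow
            config filters
                edit 1
                    set category 26
                    set action block
                    set log disable
                next
            end
        end
        set block-action redirect
    next
    edit "hardened"
        config ftgd-dns
            config filters
                edit 1
                    set category 26
                    set action block
                    set log enable
                next
            end
        end
        set log-all-domain enable
        set block-action block
        set block-botnet enable
        set external-ip-blocklist "threat-intel-domains"
    next
end
"""


def parse_cli(text):
    """Turn a FortiOS CLI tree into nested dicts: {table: {id: {key: [values]}}}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted names and comments
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if kw == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif kw == "set":
            cur[args[0]] = args[1:]        # multi-value settings keep every token
        elif kw in ("next", "end"):
            stack.pop()
        # anything else (for example 'Description:' lines) is ignored
    return root


def setting(table, key):
    """First value of a 'set' line, else the documented default (None if none)."""
    vals = table.get(key)
    return vals[0] if vals else DEFAULTS.get(key)


def audit_profile(name, prof):
    """Return (profile, finding) pairs for one dnsfilter profile."""
    findings = []
    ftgd = prof.get("ftgd-dns", {})
    opts = ftgd.get("options", [])
    if "ftgd-disable" in opts:
        findings.append("ftgd-disable: FortiGuard DNS rating is off, so category filters cannot apply")
    if "error-allow" in opts:
        findings.append("error-allow: fails open, every domain is allowed while FortiGuard DNS servers are unreachable")
    if setting(prof, "block-botnet") != "enable":
        findings.append("block-botnet is not enabled: botnet C&C lookups are resolved")
    if setting(prof, "sdns-domain-log") != "enable":
        findings.append("sdns-domain-log disabled: filter and botnet hits are not logged")
    if setting(prof, "log-all-domain") != "enable":
        findings.append("log-all-domain disabled: no per-query DNS log for investigations")
    for fid, flt in ftgd.get("filters", {}).items():
        if setting(flt, "action") == "block" and setting(flt, "log") != "enable":
            findings.append(f"filter {fid} blocks category {setting(flt, 'category')} without logging")
    return [(name, f) for f in findings]


def audit(text):
    """Audit every profile in a 'show dnsfilter profile' dump."""
    profiles = parse_cli(text).get("dnsfilter profile", {})
    return [hit for name, prof in profiles.items() for hit in audit_profile(name, prof)]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Feed it the saved output of `show dnsfilter profile`; `show full-configuration dnsfilter profile` prints defaults explicitly, in which case the fallback table is simply never consulted.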

config dns-translation

addr-type
    DNS translation type (IPv4 or IPv6).
    Type: option. Default: ipv4.
    Options:
        ipv4   IPv4 address type.
        ipv6   IPv6 address type.

src
    IPv4 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, it is substituted with dst.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

dst
    IPv4 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be a single IP address or a subnet on the external network, but the number of addresses must equal the number of mapped IP addresses in src.
    Type: ipv4-address. Size: not specified. Default: 0.0.0.0.

netmask
    If src and dst are subnets rather than single IP addresses, enter the netmask that applies to both src and dst.
    Type: ipv4-netmask. Size: not specified. Default: 255.255.255.255.

status
    Enable/disable this DNS translation entry.
    Type: option. Default: enable.
    Options:
        enable    Enable this DNS translation.
        disable   Disable this DNS translation.

src6
    IPv6 address or subnet on the internal network to compare with the resolved address in DNS query replies. If the resolved address matches, it is substituted with dst6.
    Type: ipv6-address. Size: not specified. Default: ::.

dst6
    IPv6 address or subnet on the external network to substitute for the resolved address in DNS query replies. Can be a single IP address or a subnet on the external network, but the number of addresses must equal the number of mapped IP addresses in src6.
    Type: ipv6-address. Size: not specified. Default: ::.

prefix
    If src6 and dst6 are subnets rather than single IP addresses, enter the prefix length that applies to both src6 and dst6.
    Type: integer. Range: 1 to 128. Default: 128.
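
A worked example of the src/dst/netmask substitution, and its src6/dst6/prefix form, added here and not part of the FortiOS reference: it computes the address that lands in the rewritten reply for a table of constructed entries, keeping the host bits of the resolved address and swapping in the dst network, which is what "number of addresses must equal" implies. Applying the first enabled matching entry is an assumption; the page does not state precedence between entries.

```python
"""Model the dns-translation rewrite described above (added example, not FortiOS code).

Entries are dicts with the same keys as a 'config dns-translation' entry, with
the page's defaults (addr-type ipv4, status enable, netmask /32, prefix 128)
applied when a key is absent. All addresses below are constructed.
"""
import ipaddress

IPV4_ALL = (1 << 32) - 1
IPV6_ALL = (1 << 128) - 1


def _translate_ipv4(addr, entry):
    r = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(entry["src"]))
    d = int(ipaddress.IPv4Address(entry["dst"]))
    m = int(ipaddress.IPv4Address(entry.get("netmask", "255.255.255.255")))
    if (r & m) != (s & m):                 # resolved address is outside src/netmask
        return None
    # same netmask on both sides: dst's network bits, the reply's host bits
    return str(ipaddress.IPv4Address((d & m) | (r & ~m & IPV4_ALL)))


def _translate_ipv6(addr, entry):
    prefix = int(entry.get("prefix", 128))
    host_mask = (1 << (128 - prefix)) - 1
    net_mask = IPV6_ALL ^ host_mask
    r = int(ipaddress.IPv6Address(addr))
    s = int(ipaddress.IPv6Address(entry["src6"]))
    d = int(ipaddress.IPv6Address(entry["dst6"]))
    if (r & net_mask) != (s & net_mask):   # resolved address is outside src6/prefix
        return None
    return str(ipaddress.IPv6Address((d & net_mask) | (r & host_mask)))


def translate(addr, entries):
    """Address the rewritten reply carries: first enabled entry of the matching
    family that covers addr (assumed first-match order), else addr unchanged."""
    family = "ipv6" if ":" in addr else "ipv4"
    for entry in entries:
        if entry.get("status", "enable") != "enable":
            continue
        if entry.get("addr-type", "ipv4") != family:
            continue
        out = _translate_ipv6(addr, entry) if family == "ipv6" else _translate_ipv4(addr, entry)
        if out is not None:
            return out
    return addr


# Constructed table: a /24 mapping, a single-host mapping (netmask defaults to
# 255.255.255.255), a disabled entry, and an IPv6 /64 mapping.
ENTRIES = [
    {"addr-type": "ipv4", "src": "10.0.0.0", "dst": "203.0.113.0", "netmask": "255.255.255.0"},
    {"addr-type": "ipv4", "src": "192.168.5.20", "dst": "198.51.100.20"},
    {"addr-type": "ipv4", "src": "10.0.1.0", "dst": "198.51.100.0",
     "netmask": "255.255.255.0", "status": "disable"},
    {"addr-type": "ipv6", "src6": "2001:db8:1::", "dst6": "2001:db8:ffff::", "prefix": "64"},
]


def rewrite_reply(answers, entries=ENTRIES):
    """Apply the table to the A/AAAA records of a constructed reply; other
    record types pass through untouched."""
    return [(name, rtype, translate(data, entries) if rtype in ("A", "AAAA") else data)
            for name, rtype, data in answers]


if __name__ == "__main__":
    reply = [("app.example.internal", "A", "10.0.0.7"),
             ("app.example.internal", "AAAA", "2001:db8:1::5"),
             ("app.example.internal", "TXT", "v=spf1 -all")]
    for record in rewrite_reply(reply):
        print(record)
```

The disabled entry in the table is there to show that a covering entry with `status disable` leaves the reply untouched, so a 10.0.1.x address still leaks its internal value; when translation is used to hide internal addressing, audit every entry's status, not just the src/dst pairs.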
