Administration Guide

Create or edit a DNS filter profile

A DNS filter profile contains settings that enable or disable various forms of DNS filtering, including:

  • FortiGuard filtering

  • Botnet C&C domain blocking

  • DNS safe search

  • External dynamic category domain filtering

  • Local domain filter

  • External IP block list

  • DNS translation

Once a DNS filter is configured, it can be applied to a policy to scan DNS queries that pass through the FortiProxy or on a FortiProxy DNS server if one is configured.

To configure a DNS filter profile:
  1. On the Security Profiles > DNS Filter page, click Create New to create a new DNS filter profile or select the profile you want to edit in the list and then click Edit. The New/Edit DNS Filter Profile window opens.

  2. Configure the following settings:

    Name

    The name of the DNS filter profile.

    Comments

    Optional description of the DNS filter profile.

    Redirect botnet C&C requests to Block Portal

    Enable to block access to botnet websites at the DNS name resolution stage, before a connection is attempted. The FortiGuard Service continually updates the botnet C&C domain list used for this check, which provides additional protection for your network.

    Enforce 'Safe search' on Google, Bing, YouTube

    Enable to avoid explicit and inappropriate results in the Google, Bing, and YouTube search engines. The FortiProxy responds with content filtered by the search engine.

    Restrict YouTube Access

    When Enforce 'Safe Search' on Google, Bing, YouTube is enabled, select either Strict or Moderate to restrict YouTube access by responding to DNS resolutions with CNAME restrict.youtube.com and restrictmoderate.youtube.com respectively.

    FortiGuard category based filter

    Enable to use the FortiGuard domain rating database to inspect DNS traffic. A FortiGuard Web Filter license is required to use this option.

    Expand the category groups in the table to view and edit the FortiGuard category settings to Allow, Monitor, or Redirect to Block Portal.

    Allow/Monitor/Redirect to Block Portal

    Select the action for each FortiGuard category: Allow, Monitor, or Redirect to Block Portal.

    Static Domain Filter

    Domain Filter

    Enable to define local static domain filters to allow or block specific domains. The local domain filter has a higher priority than the FortiGuard category-based domain filter.

    Click Create New in the table to add a domain filter and configure the following settings.

    • Domain: enter a domain.
    • Type: select Simple, Reg. Expression, or Wildcard.
    • Action: select Redirect to Block Portal, Allow, or Monitor.
    • Status: select Enable or Disable.

    See Create or edit a domain filter.

    External IP Block Lists

    Enable to create or select a list of external IP addresses to block. See External Connectors.

    DNS Translation

    Enable to translate a DNS resolved IP address to another IP address specified on a per-policy basis.

    Click Create New in the table to add a DNS translation and configure the following settings.

    • Type: select IPv4 or IPv6.
    • Original Destination: enter the address of a host or subnet that you want translated. When a resolved address in a DNS response matches this destination, the FortiGate will replace the address with the address in Translated Destination.
    • Translated Destination: enter the address of a host or subnet that you want the resolved address to be translated to.
    • Network Mask: enter the netmask for the original and translated destination. If a single host is used for the original and translated destination, set the netmask to 255.255.255.255.
    • Status: select Enable or Disable.

    Enabling DNS translation will override matching DNS responses with translated IPs. See Create or edit a DNS translation entry.

    Options

    Redirect Portal IP

    If you want the FortiProxy unit to use the portal IP address to replace the resolved IP address in the DNS response packet, select Use FortiGuard Default or Specify. If you select Specify, enter the portal IP address.

    When FortiGuard Category Based Filter categories are set to Redirect to Block Portal, the DNS response will use this IP address in its response to the client. If the client is accessing the domain on a web browser, they will be redirected to the block portal page on this address.

    Allow DNS requests when a rating error occurs

    Enable to allow access to domains that return a rating error from the web filter service.

    If your unit is temporarily unable to contact the FortiGuard service, this setting determines what access the unit allows until contact is re-established. If enabled, users will have full unfiltered access to all domains. If disabled, users will not be allowed access to any domains.

    Log all DNS queries and responses

    Enable if you want DNS queries and responses logged.

    API Preview

    The API Preview allows you to view all REST API requests being used by the page. Changes you make on the page are reflected in the API request preview. This feature is not available if you are logged in as an administrator who has read-only GUI permissions.

  3. Click OK.
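As an added illustration (not code from the Fortinet guide or from FortiProxy), the following Python models how the settings above combine for one DNS answer: an enabled Static Domain Filter entry (Simple, Reg. Expression or Wildcard) is consulted before the FortiGuard category action, a rating error falls back to the Allow DNS requests when a rating error occurs setting, a blocked name is answered with the Redirect Portal IP, and an allowed A/AAAA answer that falls inside an Original Destination is rewritten according to the DNS Translation table. The sample profile data, the first-match-wins ordering, exact matching for Simple entries and host-bit preservation for subnet translations are assumptions made for this example, not FortiProxy's documented behaviour.

```python
from ipaddress import ip_address
import re
# Constructed sample profile mirroring the GUI settings above; tuple layouts and
# first-match-wins ordering are assumptions, not FortiProxy's own data model.
LOCAL_DOMAIN_FILTERS = [  # (domain, type, action, enabled)
    ("*.example-bank.test", "wildcard", "allow", True),
    ("evil-tracker.test", "simple", "block", True),
    (r"^cdn[0-9]+\.ads\.test$", "regex", "monitor", True),
    ("old-entry.test", "simple", "block", False),  # Status: Disable
]
CATEGORY_ACTIONS = {"Malicious Websites": "block", "Advertising": "monitor"}  # others: allow
DNS_TRANSLATIONS = [  # (original destination, translated destination, network mask, enabled)
    ("203.0.113.0", "10.99.0.0", "255.255.255.0", True),
    ("2001:db8::", "2001:db8:1::", "ffff:ffff:ffff:ffff::", True),
]
BLOCK_PORTAL_IP = "192.0.2.1"   # Redirect Portal IP (Specify); constructed value
ALLOW_ON_RATING_ERROR = True    # "Allow DNS requests when a rating error occurs"

def local_match(qname, entry):  # one Static Domain Filter entry vs. a lower-cased name
    domain, kind = entry[0], entry[1]
    if kind == "simple":        # assumption: exact, case-insensitive match
        return qname == domain.lower()
    if kind == "wildcard":      # '*' stands for any run of characters
        return re.fullmatch(re.escape(domain.lower()).replace(r"\*", ".*"), qname) is not None
    return re.search(domain, qname) is not None  # "regex"

def decide(qname, category):  # local filter beats the category rating; None = rating error
    qname = qname.rstrip(".").lower()
    for entry in LOCAL_DOMAIN_FILTERS:
        if entry[3] and local_match(qname, entry):  # skip entries whose Status is Disable
            return entry[2], "local"
    if category is None:
        return ("allow" if ALLOW_ON_RATING_ERROR else "block"), "rating-error"
    return CATEGORY_ACTIONS.get(category, "allow"), "category"

def translate(resolved):  # rewrite an A/AAAA answer that falls inside an Original Destination
    ip = ip_address(resolved)
    for orig, new, mask, enabled in DNS_TRANSLATIONS:
        orig_ip, new_ip, m = ip_address(orig), ip_address(new), int(ip_address(mask))
        if not enabled or orig_ip.version != ip.version or int(ip) & m != int(orig_ip) & m:
            continue
        # Swap the masked (network) bits and keep the host bits (assumed for subnet entries).
        return str(ip_address((int(new_ip) & m) | (int(ip) & ~m)))
    return resolved

def filter_answer(qname, category, resolved):  # action, its source, address the client receives
    action, source = decide(qname, category)
    if action == "block":
        return action, source, BLOCK_PORTAL_IP  # Redirect to Block Portal
    return action, source, translate(resolved)
```

Enable Log all DNS queries and responses on the real profile to see the equivalent decision for each query in the FortiProxy DNS logs.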

To use the API Preview:
  1. Click API Preview. The API Preview pane opens, and the values for the fields are visible (data). If a new object is being created, the POST request is shown.

  2. Enable Show modified changes only to show the modified changes instead of the full configuration in the preview.

  3. Click Copy to Clipboard to copy the JSON code shown on the preview screen to the clipboard.

  4. Click Close to leave the preview.
