How to configure and apply DNS filter profile

How to configure and apply DNS filter profile

To create or configure DNS Filter profile in the GUI:

  1. Go to Security Profiles > DNS Filter.
  2. You can modify the default DNS Filter and enable the options you want or you can click + at the top right to create a

new DNS filter.

To create or configure DNS Filter profile in the CLI:

config dnsfilter profile edit “demo”

set comment ” config domain-filter

unset domain-filter-table

end config ftgd-dns set options error-allow config filters

edit 2

set category 2 set action monitor

next edit 7

set category 7 set action block

next …

edit 22

set category 0 set action monitor

next end

end set log-all-domain enable set sdns-ftgd-err-log enable set sdns-domain-log enable set block-action redirect set block-botnet enable set safe-search enable set redirect-portal 93.184.216.34 set redirect-portal6 ::

set youtube-restrict strict

next

end

After you have created the DNS Filter profile, you can apply it to the policy. DNS filters also support IPv6 policies.

To apply DNS Filter profile to the policy in the GUI:

  1. Go to Policy & Objects IPv4 Policy or IPv6 Policy.
  2. In the Security Profiles section, enable DNS Filter and select the DNS filter.

To apply DNS Filter profile to the policy in the CLI:

config firewall policy edit 1 set name “Demo” set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “all”

set action accept set schedule “always” set service “ALL” set utm-status enable set inspection-mode proxy set logtraffic all set fsso disable set dnsfilter-profile “demo” <<<==== set profile-protocol-options “default” set ssl-ssh-profile “deep-inspection”

set nat enable

next

end

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.