Description
This article provides a sample configuration for DNS-based FortiGuard web filtering.
Solution
Topology or network layout
PC---(switch)FGT-111C(wan1)---Internet
Steps
1) Create webfilter profile
### CLI sample ###
config webfilter profile
edit "dns-wf"
set inspection-mode dns
config ftgd-wf
unset options
config filters
edit 1
set category 140
next
edit 2
set category 141
next
end
end
next
end
### WebGUI sample ###
2) Create firewall policy
### CLI sample ###
config firewall policy
edit 1
set srcintf "switch"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set logtraffic all
set webfilter-profile "dns-wf" ==> HERE
set profile-protocol-options "default"
set nat enable
next
end
### WebGUI sample ###
3) Specify webfilter profile in system dns-server
This step can only be done via the CLI.
### CLI sample ###
config system dns-server
edit "switch"
set webfilter-profile "dns-wf" ==> HERE
next
end
4) Specify the web filter DNS IP address in the FortiGuard settings.
This step can only be done via the CLI.
The IP must be set to a DNS server that returns FortiGuard ratings. FortiGuard's DNS IP is 208.91.112.220.
### CLI sample ###
config system fortiguard
set webfilter-sdns-server-ip "208.91.112.220"
set webfilter-sdns-server-port 53
end
5) Specify a redirect page (optional).
The DNS action can be either Block or Redirect. By default the Redirect action sends the client to a Fortinet-hosted web page that displays "Web Page Blocked!". The Redirect action can be changed to a custom IP address via the CLI.
The redirect portal must be an IP address.
### CLI sample ###
config webfilter profile
edit "dns-wf"
set web-filter-sdns-action redirect
set web-filter-sdns-portal <ip address>
next
end
Troubleshooting
This feature can be observed with "diagnose debug application urlfilter -1" and "diagnose debug application dnsproxy -1", followed by "diagnose debug enable".
### Sample ###
FG10CH3G09603836 # diagnose debug application urlfilter -1
FG10CH3G09603836 # diagnose debug application dnsproxy -1
FG10CH3G09603836 # diagnose debug enable
FG10CH3G09603836 # batch_on_read()-1945
udp_receive_request()-1589
udp_receive_request()-1643: vd=0, intf=9, len=34, alen=16, 10.130.119.12:57344=>10.130.3.6
handle_dns_request()-1106: id:0xfde6 pktlen=34, qr=0 req_type=2
is_dns_secure_message()-651
dns_secure_get_policy_profile()-1674: vd=0 10.130.119.12:57344=>10.130.3.6:53
dns_policy_find_by_idx()-1640: vfid=0 idx=2
dns_local_lookup()-2085: vfid=0 qname=www.fortinet.com, qtype=1, qclass=1, offset=34, map#=3 max_sz=512
dns_lookup_aa_zone()-494: vfid=0, fqdn=www.fortinet.com
dns_send_cached_response()-961
dns_adjust_ttl_values()-117
dns_adjust_ttl_values()-120: Offset of 1st RR: 34
dns_adjust_ttl_values()-122: Number of RR's: 4
dns_adjust_ttl_values()-133: New ttl: 1519
dns_adjust_ttl_values()-133: New ttl: 166901
dns_adjust_ttl_values()-133: New ttl: 166901
dns_adjust_ttl_values()-133: New ttl: 166901
dns_forward_response()-948
dns_secure_forward_response()-891: category=52 profile=dns-wf
dns_send_url_request()-843: vfid=0 id=0x3320 profile=dns-wf category=52 protocol=17
udp_receive_request()-1589
msg="received a request /tmp/.dnsproxy_0_0.url.socket, addr_len=32: d=www.fortinet.com:80, id=8243, vfname='root', vfid=0, profile='dns-wf', type=0, client=10.130.119.12, url_source=0, url="/"
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=10.130.119.12 sport=57344 dst=10.130.3.6 dport=53
service="http" cat=52 cat_desc="Information Technology" hostname="www.fortinet.com" url="/"
url_receive_response()-1828
url_receive_response()-1833: id=0x3320 cate=52 action=9 log=0 carry_back=17
dns_udp_handle_url_response()-1785
dns_secure_apply_action()-1456: action=9 category=52 log=0 profile=dns-wf
dns_secure_log_response()-1242: domain=www.fortinet.com profile=dns-wf log=0
dns_policy_find_by_idx()-1640: vfid=0 idx=2
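As an added example (not part of the article or Fortinet's own tooling), a small Python parser that reads the dnsproxy/urlfilter debug lines shown above, builds one record per rated DNS query, and checks each verdict against the category list of the "dns-wf" profile from step 1 (categories 140 and 141). The sample lines are taken from the output above; the check assumes the profile's filters carry the default block action.

```python
import re

# Debug lines taken from the article's sample above (embedded here so the parser runs
# offline); a leading unrelated line shows that non-verdict lines are skipped.
SAMPLE_DEBUG = """\
udp_receive_request()-1589
dns_send_url_request()-843: vfid=0 id=0x3320 profile=dns-wf category=52 protocol=17
action=9(ftgd-allow) wf-act=5(ALLOW) user="N/A" src=10.130.119.12 sport=57344 dst=10.130.3.6 dport=53
service="http" cat=52 cat_desc="Information Technology" hostname="www.fortinet.com" url="/"
url_receive_response()-1833: id=0x3320 cate=52 action=9 log=0 carry_back=17
dns_secure_apply_action()-1456: action=9 category=52 log=0 profile=dns-wf
"""

# One regex per debug line type; named groups pick out the fields worth keeping.
_REQ = re.compile(r"dns_send_url_request\(\)-\d+: vfid=\d+ id=(?P<id>0x[0-9a-f]+) "
                  r"profile=(?P<profile>\S+) category=(?P<cat>\d+)")
_VERDICT = re.compile(r"action=(?P<code>\d+)\((?P<name>[\w-]+)\) wf-act=\d+\((?P<wf>[\w-]+)\)"
                      r".*?src=(?P<src>[\d.]+) sport=\d+ dst=(?P<dst>[\d.]+)")
_HOST = re.compile(r'cat=\d+ cat_desc="(?P<desc>[^"]*)" hostname="(?P<host>[^"]+)"')
_APPLY = re.compile(r"dns_secure_apply_action\(\)-\d+: action=\d+ category=\d+ log=(?P<log>\d)")

def parse_dnsproxy_debug(text):
    """Return one dict per rated DNS query, in the order dnsproxy applied the verdicts."""
    records, cur = [], None
    for line in text.splitlines():
        if m := _REQ.search(line):        # rating request handed to urlfilter: start a record
            cur = {"id": m["id"], "profile": m["profile"], "category": int(m["cat"])}
        elif cur is None:
            continue                      # noise before the first request
        elif m := _VERDICT.search(line):  # urlfilter's verdict; the label (ALLOW, ...) is kept as-is
            cur.update(verdict=m["wf"], action_code=int(m["code"]), client=m["src"], resolver=m["dst"])
        elif m := _HOST.search(line):
            cur.update(hostname=m["host"], cat_desc=m["desc"])
        elif m := _APPLY.search(line):    # verdict applied to the DNS response: record complete
            cur["logged"] = m["log"] == "1"
            records.append(cur)
            cur = None
    return records

def verdict_mismatches(records, filtered_categories):
    """Hosts whose verdict disagrees with the profile's category list (assumes the
    ftgd-wf filters use the default block action, so listed categories should not be ALLOW)."""
    bad = []
    for r in records:
        expected_allow = r["category"] not in filtered_categories
        if (r.get("verdict") == "ALLOW") != expected_allow:
            bad.append((r.get("hostname"), r["category"], r.get("verdict")))
    return bad
```

Run `parse_dnsproxy_debug(SAMPLE_DEBUG)` on a captured debug session and pass the result with the profile's category set to `verdict_mismatches` to confirm the applied verdicts match the configured filters.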