71-DNS Filter


DNS Filter:

o You can apply DNS category filtering to control user access to web resources.
o You can customize the default profile or create your own to manage network user access.
o FortiGuard Filtering filters DNS requests based on the FortiGuard domain rating.
o Botnet C&C domain blocking blocks DNS requests for known botnet C&C domains.
o External dynamic category domain filtering allows you to define your own domain category.
o DNS safe search enforces Google, Bing, and YouTube safe addresses for parental controls.
o Local domain filter allows you to define your own domain list to block or allow.
o External IP block list allows you to define an IP block list to block resolved IPs that match the list.
o In DNS Filter, DNS translation maps the resolved result to another IP that you define.
o Some features of this functionality require a subscription to FortiGuard Web Filtering.
o In this lab, we will set up DNS filtering to block access to bandwidth-consuming websites.

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , WhatsApp: 00966564303717


Go to Security Profiles > DNS Filter. Here you will find one default DNS Filter profile.

If DNS Filter is not listed under Security Profiles, go to System > Feature Visibility, and enable
DNS Filter under Security Features.

Go to Security Profiles > DNS Filter. You can modify the default DNS Filter and enable the
options you want, or you can click + at the top right to create a new DNS Filter.



After you have created a DNS Filter profile or modified the default DNS Filter, you can apply it
to a policy. Go to Policy & Objects > Firewall Policy. In the Security Profiles section, enable
DNS Filter and select the DNS Filter profile.

Click the botnet package link to see the latest botnet C&C domain list.

Browse to a botnet fully qualified domain name, or query it with nslookup, and the error below is shown.



Go to Log & Report > DNS Query to view the DNS traffic that just traversed the FortiGate and the
FortiGuard rating for this domain name.



FortiGuard Category-Based DNS Domain Filter:
Let’s use the FortiGuard category-based DNS Domain Filter to inspect DNS traffic. This makes
use of FortiGuard’s continually updated domain rating database for more reliable protection.
To configure the FortiGuard category-based DNS Domain Filter, go to Security Profiles > DNS Filter
and edit the DNS Filter. Enable FortiGuard Category Based Filter. Select the category and then
select Allow, Monitor, or Block for that category.

Let’s set the FortiGuard category News and Media to Redirect to Block Portal.



Run nslookup against a News and Media website such as www.bbc.com; it will redirect to 2.2.2.2.
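
A check for the nslookup test above, added here as an example (not part of the original lab): it parses nslookup text output and reports whether every answer is the block portal address, skipping the resolver's own address that nslookup prints first. The resolver 192.168.1.99, example.org and the 203.0.113.x addresses are constructed sample values; 2.2.2.2 is the redirect address seen in this lab.

```python
import ipaddress

BLOCK_PORTAL_IP = "2.2.2.2"  # redirect address seen in this lab's nslookup result

def answer_addresses(nslookup_output):
    """Return the IPs from the answer section of nslookup text output."""
    found, in_answer = [], False
    for raw in nslookup_output.splitlines():
        line = raw.strip()
        if line.lower().startswith("name:"):
            in_answer = True
            continue
        if not in_answer:
            continue  # resolver's own Server/Address lines come before the first Name:
        if line.lower().startswith(("address:", "addresses:")):
            line = line.split(":", 1)[1].strip()
        try:
            found.append(str(ipaddress.ip_address(line)))
        except ValueError:
            pass  # alias lines, blank lines, other text
    return found

def verdict(nslookup_output, portal=BLOCK_PORTAL_IP):
    """Classify one lookup as 'redirected' (block portal), 'resolved' or 'no-answer'."""
    addrs = answer_addresses(nslookup_output)
    if not addrs:
        return "no-answer"
    return "redirected" if all(a == portal for a in addrs) else "resolved"

# Constructed sample outputs; the resolver and 203.0.113.x addresses are made up.
BLOCKED = """Server:  UnKnown
Address:  192.168.1.99

Name:    www.bbc.com
Address:  2.2.2.2
"""
ALLOWED = """Server:\t\t192.168.1.99
Address:\t192.168.1.99#53

Non-authoritative answer:
Name:\texample.org
Address: 203.0.113.10
Name:\texample.org
Address: 203.0.113.11
"""

if __name__ == "__main__":
    for label, text in (("www.bbc.com", BLOCKED), ("example.org", ALLOWED)):
        print(label, verdict(text), answer_addresses(text))
```
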

Go to Log & Report > DNS Query to view the DNS traffic that just traversed the FortiGate and the
FortiGuard rating for this domain name.



Static Domain Filter:
You can also define a Static Domain Filter. Go to Security Profiles > DNS Filter and edit the DNS Filter.
Go to the Static Domain Filter section.

Enter a domain name such as udemy.com, set Type to Wildcard, Action to Redirect to Block Portal, and
Status to Enable, then click OK to save the changes.

Go to Log & Report > DNS Query to view the DNS traffic that just traversed the FortiGate and the
FortiGuard rating for this domain name.



DNS Safe Search Feature:
Navigate to Security Profiles > DNS Filter > Custom-DNS and enable Enforce Safe Search on
Google, Bing, YouTube. Click OK to save the setting.

