Fortigate DNS Filter Rating Servers Unreachable

DNS filtering is a nice security feature from Fortinet, provided of course that it works.

As you can see in the screenshot below, the Fortiguard Rating servers are unreachable.

Chances are, if you are running a small network or a home lab, that you are using your Fortigate as a DNS server too and, since you are security oriented, you have enabled DNS filtering on your interfaces, apart from enabling filtering in your firewall rules.


Starting from FortiOS v6.4, Fortinet introduced a feature called FortiGuard anycast to communicate with the rating servers. While in principle it is a good idea, the result is that very often the FortiGuard servers are unreachable.

And if you have configured your Fortigate as your DNS, with DNS filtering on the interface, then you might end up with users complaining that they need to refresh two or three times before they can access a web site.

The solution to that is to disable the FortiGuard anycast feature.

To do that we need to go to CLI and check the configuration:

config system fortiguard

show full-configuration

As you can see, the feature is enabled. Let's disable it:

set fortiguard-anycast disable

It is also a good idea to set the protocol and port to UDP 8888, which is the default port of the FortiGuard servers, and to set the closest FortiGuard server:

set protocol udp
set port 8888
set sdns-server-ip "194.69.172.53"

and finally commit the changes with:

end

You might want to set a different FortiGuard server, depending on your location.
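As an added check (my own script, not from this post or from Fortinet), a small Python audit that parses the `show full-configuration` output of `config system fortiguard`, flags any setting that differs from the recommendation above, and emits the corrective CLI lines. The sample output below and the 192.0.2.53 address are constructed placeholders, not captured from a real device.

```python
# Constructed sample of `show full-configuration` output inside
# `config system fortiguard` (placeholder values, not a real device).
SAMPLE_CONFIG = """\
config system fortiguard
    set fortiguard-anycast enable
    set protocol udp
    set port 53
    set sdns-server-ip "192.0.2.53"
end
"""

# Settings recommended in the post; the SDNS server is location dependent
# and is passed in separately.
DESIRED = {"fortiguard-anycast": "disable", "protocol": "udp", "port": "8888"}


def parse_fortiguard_settings(config_text):
    """Return the `set <key> <value>` pairs found in `config system fortiguard`."""
    settings = {}
    in_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config system fortiguard":
            in_block = True
            continue
        if in_block and stripped == "end":
            break
        if in_block and stripped.startswith("set "):
            parts = stripped.split(None, 2)
            if len(parts) == 3:
                settings[parts[1]] = parts[2].strip('"')
    return settings


def audit_fortiguard(settings, sdns_server_ip):
    """Compare parsed settings with DESIRED plus the chosen SDNS server.

    Returns (findings, fix_commands); fix_commands is empty when compliant,
    otherwise a complete CLI block ready to paste into the FortiGate console.
    """
    findings, fixes = [], []
    for key, wanted in DESIRED.items():
        current = settings.get(key)
        if current != wanted:
            findings.append(f"{key} is {current!r}, expected {wanted!r}")
            fixes.append(f"set {key} {wanted}")
    if settings.get("sdns-server-ip") != sdns_server_ip:
        findings.append(f"sdns-server-ip is {settings.get('sdns-server-ip')!r}, expected {sdns_server_ip!r}")
        fixes.append(f'set sdns-server-ip "{sdns_server_ip}"')
    if fixes:
        fixes = ["config system fortiguard", *fixes, "end"]
    return findings, fixes
```

Feed it the text of `show full-configuration` (for example saved from an SSH session) and paste the returned fix block back into the CLI.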
