doncacciatoconsuting
New Contributor II

Fortinet solution for DNS filtering when off-net

Seeking a Fortinet solution to replace our Umbrella DNS Advantage for remote users. 

The goal is to enforce DNS filtering for all remote users, regardless of whether or not they are on/off VPN. FortiClient doesn't support the DNS filtering profile (only on Gates).

 

My research comes up with the following potential solutions. Looking for any other comments or suggestions.

 

User on prem = use DNS filter on the gate
Remote user on FCT/EMS = force always-on VPN and make sure DNS traffic is routed over the tunnel and DNS Filter profile is applied to a FW policy
Remote user on SASE = force always-on and apply the DNS Filter profile in the SASE POP.

 

Thanks all,

Don

hbac
Staff

Hi @doncacciatoconsuting,

 

FortiSASE is a good option as clients' internet traffic doesn't have to go through the FortiGate.

 

Regards, 

Bjay_Prakash_Ghising
Contributor

Hi @doncacciatoconsuting 

 

You can configure FortiGate as a DNS server to listen for DNS queries and have them apply a DNS filter for both on-prem and off-prem users without the use of a VPN. 

 


 

Hope that helps.

 

Kind Regards, 

Bijay Prakash Ghising
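
The setup described in the reply above, sketched in FortiOS CLI as an added example (not the poster's own configuration). The interface name `wan1` and the `default` DNS filter profile are assumptions; substitute the interface remote clients can reach and the profile you want enforced.

```fortios
# Added example: run the FortiGate DNS service on one interface and
# attach a DNS filter profile to the queries it answers.
# "wan1" and "default" are assumed names, not taken from the thread.
config system dns-server
    edit "wan1"
        set mode recursive
        set dnsfilter-profile "default"
    next
end
```

A recursive resolver on an internet-facing interface answers any source that can reach it unless access is restricted, so limit who can query it and watch its query volume. Clients also have to be pointed at this address as their resolver for the filter to apply.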

doncacciatoconsuting
New Contributor II

Thanks Bijay... that's a good option.

 

 
