Hot!Web filter Vs. DNS filter

Author
cskeller07
New Member
  • Total Posts : 1
  • Scores: 2
  • Reward points: 0
  • Joined: 2017/02/03 08:06:15
  • Status: offline
2017/02/03 09:43:22 (permalink)
5 (1)

Web filter Vs. DNS filter

What is the difference?  Any pro's con's to one or the other?
 
Why would you need DNS filtering if you're already doing web filtering?
 
If you do not use the FortiGate as a DNS server does DNS filter do anything?
#1

4 Replies Related Threads

    MikePruett
    Platinum Member
    • Total Posts : 676
    • Scores: 15
    • Reward points: 0
    • Joined: 2014/01/08 19:39:40
    • Location: Montgomery, Al
    • Status: offline
    Re: Web filter Vs. DNS filter 2017/02/16 07:54:17 (permalink)
    0
    Web Filter blocks access to websites based on the URL (fqdn) etc.
     
    DNS Filter blocks access to resolving known bad sites so you can't even get to them if they are a part of a malicious network.

    Mike Pruett
    Fortinet GURU
    #2
    tanr
    Gold Member
    • Total Posts : 432
    • Scores: 16
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Web filter Vs. DNS filter 2017/02/16 10:07:15 (permalink)
    5 (1)
    Web filter gives you more granular control over subsets of different categories, and allows different types of overrides (if using proxy mode).
     
    If you are running web filtering in proxy mode you can override entire categories, or you can override a specific category for specific sites.  For example, you may want to block the "Proxy Avoidance" category, but need to allow access to the webpages that give instructions on using your companies VPN (which might count as proxy avoidance).
     
    Though both filters have proxy and flow mode versions, the flow mode versions are a bit different and have fewer controls.  Depends on your version of FortiOS you're on as well.
     
    DNS Filter:
    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/DNS%20Filter/dns_intro.htm 
    Web Filter:
    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Web_Filter/web_filter_chapter.htm
     
    #3
    tititech
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2017/10/29 08:08:44
    • Status: offline
    Re: Web filter Vs. DNS filter 2018/03/23 07:53:49 (permalink)
    0
    Here a practical example :
    In my company, I can't use the dns filtering because of its requirement to use the fortiguard dns servers. We can't use external dns server.
    with dns filtering you can't block access based on url. You blocked based on dns name resolution (ip address).
    Let say for example, you want to block  seattle.org/ordering but allow seattle.org/pictures. Because both url resolve to the same ip address will not obtain the desired result with dns filtering. It will block access to seattle.org as a whole.
     
    web filtering filters based on url and because you will be able to block seattle.org/ordering but allow seattle.org/pictures.
     
    Ask yourself this question, what will happen if fortigate can't connect to FORTIGUARD DNS servers in the middle of the night?
    What will happen to your policy rules? Does it go to allow or deny everything?
     
     

     

    #4
    athman8
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/05/04 04:13:06
    • Status: offline
    Re: Web filter Vs. DNS filter 2018/05/04 04:14:34 (permalink)
    0
    I've been tasked with implementing a solution for web filtering and web usage reporting and so I thought I'd look at something like OpenDNS Umbrella to throw in that DNS layer protection as well. I've done the demo, I've read the spec sheets, and I'm fairly satisfied with the results, especially given as our company is only 300 users dense. Price is ok.......My question is: Is there a better (and easy to implement/manage) solution for web filtering/usage reporting out there (besides Websense -- been there done that) that may or may not also cover DNS layer protection?
    #5
    Jump to:
    © 2018 APG vNext Commercial Version 5.5