6.4.2 Web Filtering/DNS filtering license

Author
Tristan.Cober
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/08/07 16:04:04
  • Status: offline
2020/10/20 17:02:45 (permalink)
0

6.4.2 Web Filtering/DNS filtering license

Standing up a new 40f and was testing out the connection to make sure everything was good before boxing it up, and was unable to browse once DNS filter was enabled. DNS status page shows the DNS Filter Server as Unreachable. Originally was using 173.243.140.16, and changed to 208.91.112.220 to confirm it wasn't just one server. When looking at the DNS filter settings, the service license appears to be blank/unset. Web Filtering is definitely licensed though.
 
Is there anything I can check that I might have missed? It's a pretty vanilla setup. None of the docs seem to line up with how the output looks.
 
# diag test app dnsproxy 3
worker idx: 0
vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=Fortinet_Factory
dns64 is disabled
dns-server:208.91.112.53:53 tz=0 tls=0 req=62 to=0 res=62 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
dns-server:208.91.112.52:53 tz=0 tls=0 req=57 to=0 res=57 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:208.91.112.220:853 tz=0 tls=2 req=0 to=0 res=0 rt=1493 ready=0 timer=431 probe=9 failure=0 last_failed=0
Interface selecting method: auto
Specified interface:
FortiGuard interface selecting method: auto
FortiGuard specified interface:
DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
DNS FD: udp_s=10 udp_c=25:26 ha_c=30 unix_s=11, unix_nb_s=31, unix_nc_s=12
v6_udp_s=9, v6_udp_c=28:29, snmp=32, redir=21, v6_redir=22
DNS FD: tcp_s=13, tcp_s6=14, redir=33 v6_redir=34
FGD_DNS_SERVICE_LICENSE:
server=208.91.112.220:853, expiry=0000-00-00, expired=1, type=0
FGD_CATEGORY_VERSION:8
SERVER_LDB: gid=eec0, tz=-420, error_allow=0
FGD_REDIR_V4:FGD_REDIR_V6:
 
 
 
# get system fortiguard
fortiguard-anycast : enable
fortiguard-anycast-source: fortinet
protocol : https
port : 443
load-balance-servers: 1
auto-join-forticloud: enable
update-server-location: any
sandbox-region :
antispam-force-off : disable
antispam-cache : enable
antispam-cache-ttl : 1800
antispam-cache-mpercent: 2
antispam-license : Contract
antispam-expiration : Sun Oct 17 2021
antispam-timeout : 7
outbreak-prevention-force-off: disable
outbreak-prevention-cache: enable
outbreak-prevention-cache-ttl: 300
outbreak-prevention-cache-mpercent: 2
outbreak-prevention-license: Contract
outbreak-prevention-expiration: Sun Oct 17 2021
outbreak-prevention-timeout: 7
webfilter-force-off : disable
webfilter-cache : enable
webfilter-cache-ttl : 3600
webfilter-license : Contract
webfilter-expiration: Sun Oct 17 2021
webfilter-timeout : 15
anycast-sdns-server-ip: 208.91.112.220
anycast-sdns-server-port: 853
sdns-options :
source-ip : 0.0.0.0
source-ip6 : ::
proxy-server-ip : 0.0.0.0
proxy-server-port : 0
proxy-username :
proxy-password : *
ddns-server-ip : 0.0.0.0
ddns-server-port : 443
interface-select-method: auto
#1
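The two fields the thread keeps coming back to are the `sdns-server` line (`ready=0`, growing `probe`, `res=0`) and the `FGD_DNS_SERVICE_LICENSE` line (`expiry=0000-00-00, expired=1, type=0`). The following added example, which is not FortiOS code or anything posted in the thread, parses the `diag test app dnsproxy 3` output above and reports those symptoms, so the check can be scripted across several units instead of read by eye. The sample inputs are constructed from the output posted here; the field-name regexes assume the line layout shown on this page.

```python
"""Flag the DNS filter license symptoms seen in 'diag test app dnsproxy 3' output."""
import re

# Constructed samples, copied from the diagnostic output posted in this thread.
SAMPLE_BROKEN = """\
worker idx: 0
dns-server:208.91.112.53:53 tz=0 tls=0 req=62 to=0 res=62 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
sdns-server:208.91.112.220:853 tz=0 tls=2 req=0 to=0 res=0 rt=1493 ready=0 timer=431 probe=9 failure=0 last_failed=0
FGD_DNS_SERVICE_LICENSE:
server=208.91.112.220:853, expiry=0000-00-00, expired=1, type=0
FGD_CATEGORY_VERSION:8
"""
SAMPLE_OK = """\
sdns-server:173.243.140.53:853 tz=-480 tls=2 req=13380 to=10681 res=3004 rt=9 ready=1 timer=0 probe=0 failure=0 last_failed=0
FGD_DNS_SERVICE_LICENSE:
server=173.243.140.53:853, expiry=2023-10-31, expired=0, type=2
"""

# "sdns-server:<ipv4>:<port> key=value ..." (IPv4 only, as in the posted output)
SERVER_RE = re.compile(r"^(?P<kind>s?dns-server):(?P<addr>\S+?):(?P<port>\d+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_dnsproxy(text):
    """Return (servers, license): a list of per-server dicts and the license dict."""
    servers, license_info = [], {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = SERVER_RE.match(line.strip())
        if m:
            entry = {"kind": m["kind"], "addr": m["addr"], "port": int(m["port"])}
            entry.update(dict(KV_RE.findall(m["rest"])))
            servers.append(entry)
        elif line.strip() == "FGD_DNS_SERVICE_LICENSE:" and i + 1 < len(lines):
            # The license details sit on the line after the header, comma separated.
            license_info = dict(KV_RE.findall(lines[i + 1].replace(",", " ")))
    return servers, license_info


def license_findings(text):
    """Return a list of findings; an empty list means SDNS and its license look healthy."""
    servers, lic = parse_dnsproxy(text)
    findings = []
    if lic.get("expired") == "1" or lic.get("expiry") == "0000-00-00":
        findings.append(f"DNS filter license not populated (expiry={lic.get('expiry')}, expired={lic.get('expired')})")
    for s in servers:
        if s["kind"] == "sdns-server" and s.get("ready") != "1":
            findings.append(f"SDNS server {s['addr']}:{s['port']} not ready (probe={s.get('probe')}, res={s.get('res')})")
    return findings


if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name, license_findings(sample) or ["no findings"])
```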

7 Replies

    Tristan.Cober
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/08/07 16:04:04
    • Status: offline
    Re: 6.4.2 Web Filtering/DNS filtering license 2020/11/05 14:44:52 (permalink)
    0
    Just updating that this was noted as being fixed in 6.4.3, and can confirm it seems to be functioning as expected on 6.4.3.
    #2
    mike_dp
    Bronze Member
    • Total Posts : 58
    • Scores: 2
    • Reward points: 0
    • Joined: 2016/02/22 12:26:22
    • Status: offline
    Re: 6.4.2 Web Filtering/DNS filtering license 2020/12/15 12:59:57 (permalink)
    0
    I have the same issue on 6.4.4 80F
    #3
    andrewbailey
    Silver Member
    • Total Posts : 99
    • Scores: 14
    • Reward points: 0
    • Joined: 2016/06/27 11:21:22
    • Status: offline
    Re: 6.4.2 Web Filtering/DNS filtering license 2020/12/15 17:21:04 (permalink)
    0
    Hi Tristan and mike,
     
    I've spent quite a bit of time fiddling about with this too. I'm currently running 6.4.4 on a Fortigate 60E, not using the Fortiguard DNS servers (using my ISP DNS servers) and enforcing DNS over TLS.
     
    The new preferred option seems to be the anycast network (listed as the "default FortiGuard access mode" in the 6.4.4 admin guide).
     
    The FortiGuard anycast servers were enabled in FortiOS some time back, but I got the impression the anycast servers were still being rolled out in the background? Certainly my experience suggested it was perhaps not completely deployed.
     
    I had fallen back to anycast disabled (ie using non-anycast) and using HTTPS over port 8888. That seemed to be reliable and stable for me in terms of SDNS and etc.
     
    This thread prompted me to have another look at anycast and see if I could get it working.
     
    I was just checking the Admin guide on the docs page and see that it does list "Anycast and unicast services" (https://docs.fortinet.com/document/fortigate/6.4.0/ports-and-protocols/622145/anycast-and-unicast-services).
     
    This reference states Secure DNS as being on the anycast domain name of "globalsdns.fortinet.net". For me (near London UK) that resolves to 173.243.140.53.
     
    So, if I try the following config:-
     
    config system fortiguard
        set fortiguard-anycast enable
        set fortiguard-anycast-source fortinet
        set protocol https
        set port 443
        .......
        set anycast-sdns-server-ip 0.0.0.0
        set anycast-sdns-server-port 853
        .......
    end
     
    That seemed to work initially. But I can see from "diag test app dnsproxy 3" the "licence" issue Tristan noted. Further, this link in the admin guide (https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/150448/troubleshooting-for-dns-filter) seems to confirm this config isn't working for SDNS.
     
    On the positive side, this configuration (using anycast) shows really good ping times to the "web filter" and "outbreak prevention" servers of about 19ms (previously had been up to 180ms). The IP address indicated is 173.243.140.16 (which the globalguardservice.fortinet.net shown in the reference above resolves to).
     
    So, how did you get it all working Tristan? Are you able to share your final config perhaps?
     
    I might raise a ticket and ask some questions about this too.
     
    Kind Regards,
     
     
    Andy.
    #4
    Tristan.Cober
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/08/07 16:04:04
    • Status: offline
    Re: 6.4.2 Web Filtering/DNS filtering license 2020/12/17 13:44:23 (permalink)
    0
    Hi Andy,
     
    This is the output from one of the FortiGates we have on 6.4.3. Perhaps 6.4.4 has had a regression? Don't have one on hand to test at a newer version. There's no customized config for SDNS. We've had to failopen SDNS for a reason other than licensing: the HTTPS servers are just terrible and the majority of the time return a rating error, and there is no option for UDP on the 6.4 train.
     
    diag test app dnsproxy 3
    worker idx: 0
    vdom: root, index=0, is master, vdom dns is enabled, mip-169.254.0.1 dns_log=1 tls=0 cert=Fortinet_Factory
    dns64 is disabled
    dns-server:208.91.112.53:53 tz=0 tls=0 req=46281 to=84 res=46140 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    dns-server:208.91.112.52:53 tz=0 tls=0 req=44415 to=81 res=44323 rt=1 ready=1 timer=0 probe=0 failure=0 last_failed=0
    sdns-server:173.243.140.53:853 tz=-480 tls=2 req=13380 to=10681 res=3004 rt=9 ready=1 timer=0 probe=0 failure=0 last_failed=0
    Interface selecting method: auto
    Specified interface:
    FortiGuard interface selecting method: auto
    FortiGuard specified interface:
    DNS_CACHE: hash-size=2048, ttl=1800, min-ttl=60, max-num=5000
    DNS FD: udp_s=10 udp_c=25:26 ha_c=30 unix_s=11, unix_nb_s=31, unix_nc_s=12
    v6_udp_s=9, v6_udp_c=28:29, snmp=32, redir=21, v6_redir=22
    DNS FD: tcp_s=13, tcp_s6=14, redir=33 v6_redir=34
    FGD_DNS_SERVICE_LICENSE:
    server=173.243.140.53:853, expiry=2023-10-31, expired=0, type=2
    FGD_CATEGORY_VERSION:8
    SERVER_LDB: gid=df3f, tz=-480, error_allow=4707
    FGD_REDIR_V4:208.91.112.55 FGD_REDIR_V6:
     
    get system fortiguard
    fortiguard-anycast : enable
    fortiguard-anycast-source: fortinet
    protocol : https
    port : 443
    load-balance-servers: 1
    auto-join-forticloud: enable
    update-server-location: any
    sandbox-region :
    antispam-force-off : disable
    antispam-cache : enable
    antispam-cache-ttl : 1800
    antispam-cache-mpercent: 2
    antispam-license : Contract
    antispam-expiration : Mon Oct 30 2023
    antispam-timeout : 7
    outbreak-prevention-force-off: disable
    outbreak-prevention-cache: enable
    outbreak-prevention-cache-ttl: 300
    outbreak-prevention-cache-mpercent: 2
    outbreak-prevention-license: Contract
    outbreak-prevention-expiration: Mon Oct 30 2023
    outbreak-prevention-timeout: 7
    webfilter-force-off : disable
    webfilter-cache : enable
    webfilter-cache-ttl : 3600
    webfilter-license : Contract
    webfilter-expiration: Mon Oct 30 2023
    webfilter-timeout : 15
    anycast-sdns-server-ip: 0.0.0.0
    anycast-sdns-server-port: 853
    sdns-options :
    source-ip : 0.0.0.0
    source-ip6 : ::
    proxy-server-ip : 0.0.0.0
    proxy-server-port : 0
    proxy-username :
    proxy-password : *
    ddns-server-ip : 0.0.0.0
    ddns-server-port : 443
    interface-select-method: auto
    #5
    mike_dp
    Bronze Member
    • Total Posts : 58
    • Scores: 2
    • Reward points: 0
    • Joined: 2016/02/22 12:26:22
    • Status: offline
    Re: 6.4.2 Web Filtering/DNS filtering license 2020/12/21 08:00:28 (permalink)
    0
    Our issue on 6.4.4 with the DNS filter licence server is related to the self-originating traffic. Traffic is going to the Fortinet DNS filter server on random interfaces. We use SD-WAN with a default route and multiple WAN and VPN tunnels under SD-WAN. It seems like FortiGates handle self-originating traffic differently since 6.2+. It's possible since then to set the interface for SD-WAN for different services (Logs, LDAP, Radius, etc) with the CLI command set interface-select-method sdwan. Even if I force sdwan for the FortiGuard service, the DNS filter licence server goes out on random interfaces. I have an open case about this and I believe it's a firmware bug.
     
    Is there a way to Force SD-WAN routing decisions with interfaces priority or something like that?

    It seems like the self-originating traffic doesn't follow the SD-WAN rules anymore except for services that have the set interface-select-method sdwan command applied, and it looks like the DNS filter licence server isn't under the FortiGuard service.

    Fortigate : 80E, 80F, 100E, 300E
    FortiAnalyzer, ForticlientEMS
    #6
    citystar
    New Member
    • Total Posts : 1
    • Scores: 2
    • Reward points: 0
    • Joined: 2021/02/17 05:38:24
    • Status: offline
    Re: 6.4.2 Web Filtering/DNS filtering license 2021/02/17 05:42:13 (permalink)
    5 (1)
    You can temporarily fix the issue by disabling FortiGuard anycast
    and adding the following sdns server.
     
    Commands:
    config system fortiguard
        set fortiguard-anycast disable
        set sdns-server-ip "208.91.112.220"
        set sdns-options include-question-section
    end
    #7
    mike_dp
    Bronze Member
    • Total Posts : 58
    • Scores: 2
    • Reward points: 0
    • Joined: 2016/02/22 12:26:22
    • Status: offline
    Re: 6.4.2 Web Filtering/DNS filtering license 2021/02/17 12:05:39 (permalink)
    0
    We applied the anycast disable following a recommendation from a ticket. Not sure why they changed this in 6.4 to be anycast by default and it's still not working correctly in 6.4.4.

    Fortigate : 80E, 80F, 100E, 300E
    FortiAnalyzer, ForticlientEMS
    #8