I have a question: I configured an Internet policy in the FortiGate firewall that allows all services. I want to block DNS bypass. Is it possible to block only the DNS service? I'm happy to make a different policy for my DNS server, but I don't want to make another policy for my client systems.
I'd create a rule just above the previous one to block DNS traffic. Did you try that?
Thanks, I can do that, but is it possible that in the single policy I allow all services except DNS?
There is no reason to avoid configuring a deny policy, but it is for a basic idea.
IMHO an explicit DENY policy is not only effective but openly documents your intention, namely that only the internal DNS is to be used. Besides, if you enable logging you could pinpoint the hosts which still are not using the (DHCP supplied) internal DNS.
Transparency is one of the foundations of security.
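The explicit-deny layout described above, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet; the interface names "internal" and "wan1", the address object "Internal-DNS", and the policy IDs 10 to 12 are assumptions, and the lines beginning with # are explanatory comments.

```fortios
# Added example (not from the thread). Assumptions: LAN interface "internal",
# WAN interface "wan1", an address object "Internal-DNS" for the DNS server,
# and unused policy IDs 10-12. "DNS" is the built-in service object (TCP/UDP 53).
config firewall policy
    # 1) Only the internal DNS server may resolve externally
    edit 10
        set name "Allow-Internal-DNS-Out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Internal-DNS"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set logtraffic all
    next
    # 2) Explicit deny for DNS from every other host; logging (logtraffic all)
    #    records which clients are still bypassing the DHCP-supplied DNS
    edit 11
        set name "Block-DNS-Bypass"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
    # 3) The existing allow-all Internet policy for clients stays below, unchanged
    edit 12
        set name "Allow-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Policies are matched top-down, so the order must be 10, 11, 12
    move 11 before 12
    move 10 before 11
end
```

Denied DNS sessions then show up in the forward traffic log with policy ID 11, which is the quickest way to find hosts that are not using the internal resolver.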