
How to fix DNS requests containing uppercase letters not being blocked by an external domain threat feed

This article describes a case in which DNS resolution is not blocked when the queried name contains uppercase letters, on a firewall policy in flow mode with a domain threat feed configured to block certain domains.

Scope

FortiGate.

Solution

When an external domain threat feed is configured with a list of domains and the feed is given the action ‘Block’ on a DNS filter security profile, the listed domains are not blocked if the DNS query contains uppercase letters.

For example, when trying to block www.facebook.com with an external domain threat feed:

  • nslookup traffic towards www.facebook.com is blocked.
  • nslookup traffic towards www.FaceBook.com is not blocked.

This can undermine the blocking of certain domains, since users could bypass the security profile this way.
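As an added illustration (not Fortinet's code, and not how the IPS Engine implements the feed match), the following Python shows why a case-sensitive comparison misses the second query above and what a correct matcher does: DNS names are case-insensitive (RFC 1035, section 2.3.3), so the queried name must be canonicalised before it is compared with the feed. It also includes a small check that scans DNS query logs for names that match the feed only after canonicalisation, which is exactly the set of queries an affected flow-mode policy would have let through. The one-domain-per-line feed text and the key=value log lines are constructed samples in a simplified format, not FortiGate's own feed or log format, and the matcher does exact-name matching only.

```python
"""
Added example: case-sensitive vs. case-insensitive domain threat-feed matching.
All feed contents and log lines below are constructed samples.
"""
from typing import Iterable, List, Tuple

# Constructed sample feed in a simplified one-domain-per-line form ('#' starts a comment).
THREAT_FEED_TEXT = """\
# constructed sample feed
www.facebook.com
malicious.example
"""

# Constructed sample DNS query log lines (simplified key=value format, not FortiGate's).
LOG_LINES = [
    "src=10.0.0.5 qname=www.facebook.com qtype=A",
    "src=10.0.0.7 qname=www.FaceBook.com qtype=A",
    "src=10.0.0.9 qname=example.org qtype=A",
    "src=10.0.0.7 qname=MALICIOUS.example. qtype=A",
]


def canonicalise(name: str) -> str:
    """Canonical form of a DNS name: surrounding spaces and trailing dot removed, lowercased."""
    return name.strip().rstrip(".").lower()


def parse_feed(text: str) -> set:
    """Parse the feed into a set of canonical domain names, skipping blanks and comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domains.add(canonicalise(line))
    return domains


def blocked_case_sensitive(qname: str, feed: Iterable[str]) -> bool:
    """Flawed matcher: compares the raw QNAME exactly as sent against the feed entries."""
    return qname in set(feed)


def blocked_case_insensitive(qname: str, feed: Iterable[str]) -> bool:
    """Correct matcher: canonicalise both sides so case and a trailing dot do not matter."""
    return canonicalise(qname) in {canonicalise(d) for d in feed}


def find_case_evasions(log_lines: Iterable[str], feed: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (src, qname) for logged queries that match the feed only after canonicalisation.

    These are the queries a case-sensitive match would have allowed through, so they are
    worth reviewing while an affected policy is still in flow mode.
    """
    feed_set = {canonicalise(d) for d in feed}
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        qname = fields.get("qname", "")
        if canonicalise(qname) in feed_set and qname not in feed_set:
            hits.append((fields.get("src", "?"), qname))
    return hits


if __name__ == "__main__":
    feed = parse_feed(THREAT_FEED_TEXT)
    for q in ("www.facebook.com", "www.FaceBook.com"):
        print(q, "case-sensitive:", blocked_case_sensitive(q, feed),
              "case-insensitive:", blocked_case_insensitive(q, feed))
    print("queries missed by case-sensitive matching:", find_case_evasions(LOG_LINES, feed))
```

Running the block prints that www.facebook.com is blocked by both matchers while www.FaceBook.com is blocked only by the canonicalising one, and lists the two mixed-case queries from the sample log that a case-sensitive feed match would have missed.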

A possible workaround is to use a firewall policy in proxy mode. In proxy mode this issue is not present, and both requests are blocked.

If using proxy mode is not a viable solution, this issue is resolved in the latest IPS Engine builds:

  • v7.2: IPS Engine build 0342.
  • v7.4: IPS Engine build 0542.

To get the latest IPS Engine, open a ticket with the Fortinet TAC.