FortiGate Firewall DNS Filter blocks all traffic
DNS Filter blocks all traffic after upgrade - having issues with DNS and IPS
I upgraded my 60F from 6.0 to 6.4 last night, while following the recommended path. Somewhere along the way I lost the ability to resolve websites. It was either 6.4.0 or 6.4.2, not sure which, as I wasn't testing DNS after every upgrade.
After noticing, I went ahead and finished the last step to 6.4.4 hoping it would fix itself, but no luck. Some quick googling led me to both check for a DoS filter and reboot the device, but neither one remedied the situation. The only error I saw in the FortiGate policies was that the Web Filter was flagged for using proxy instead of flow. Switching them to flow did not change anything either.
I was able to ping any IP, including the DNS servers for FortiGuard, Quad9, and Google, but even manually setting the DNS servers on the PC didn't restore access. It was like all DNS traffic was being blocked.

I started clicking off policies one by one for a test system, and removing the DNS filter restored connectivity.
I looked at the policy and nothing looks broken.
My only guess is that in the Network > DNS tab, on the right-hand side, it shows that the DNS Filter Rating Servers are "Unreachable" for some reason. I can ping the listed IP address, 173.243.140.53, from both a PC and via the CLI, so I am not sure why it says unreachable.


DNS Filter Rating Servers are "Unreachable"
https://www.reddit.com/r/fortinet/co...upgrade_to_64/
https://www.reddit.com/r/fortinet/co...h_dns_and_ips/
https://kb.fortinet.com/kb/documentL...rnalID=FD35258