https://cheat–sheets.blogspot.com/2020/10/turn-your-fortigate-into-pihole-well.html

So here’s the: How to use a Fortigate box to block annoying ads in your network.

  • Add external filter lists
  • Set up a DNS filter, block the external filter lists
  • Set up a DNS server on the Fortigate with the DNS filter enabled

How it’s done

This is all done on a Fortigate firewall with firmware 6.2.5

External lists

First we add the external lists. I currently use 8 lists, which are a mix of advertisers and trackers.
Connect to you box using SSH. At the CLI you can paste this:
config system external-resource
    edit “Disconnect-Ad-Filter”
        set type domain
        set category 194
        set resource “https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt”
        set refresh-rate 60
    next
    edit “AdGuard”
        set type domain
        set category 192
        set resource “https://v.firebog.net/hosts/AdguardDNS.txt”
        set refresh-rate 60
    next
    edit “Firebog”
        set type domain
        set category 193
        set resource “https://v.firebog.net/hosts/Easylist.txt”
        set refresh-rate 60
    next
    edit “Firebog-Privacy”
        set type domain
        set category 195
        set resource “https://v.firebog.net/hosts/Easyprivacy.txt”
        set refresh-rate 60
    next
    edit “Fireblog-Admiral”
        set type domain
        set category 196
        set resource “https://v.firebog.net/hosts/Admiral.txt”
        set refresh-rate 60
    next
    edit “Fireblog-Privacy-2”
        set type domain
        set category 197
        set resource “https://v.firebog.net/hosts/Prigent-Ads.txt”
        set refresh-rate 60
    next
    edit “OISD”
        set type domain
        set category 198
        set resource “https://dbl.oisd.nl/”
        set refresh-rate 60
    next
    edit “OISD-IP”
        set type address
        set resource “https://hosts.oisd.nl/”
        set refresh-rate 60
    next
end
config system dns-server
end

DNS Filter

Next we add a DNS filter. You can do this under the ‘Security Profiles’ tab in the GUI of the Fortigate. Enable the option FortiGuard Category Based Filter

In the category filter list you can see an entry called ‘Remote Categories’. Open this entry, you will find seven of the external entries we added before. Set all of them to ‘Redirect to Block Portal’.
At the bottom of the menu you find the option External IP Block lists. Click at the + sign and select the entry ‘OSID-IP’.
Now, all eight lists are active in this DNS filter profile.

Set up a DNS Server

Setting up a DNS server is most easy done by CLI (like most of things). Paste this code to your CLI to setup the server. Change the dnsfilter-profile to the name of your DNS profile.

    edit “internal”
set mode forward-only
set dnsfilter-profile “Your-DNS-Filter”
next

After setting up your DNS server, don’t forget to publish it with your DHCP.

That’s it

Now you should notice much less ad  bothering. Either by web browser or by app on your mobile.

 

 

With these simple steps you can get rid of most ads. YouTube ads cannot be blocked this way.