FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
dwickramasinghe1
Article Id 359003
Description This article describes how to implement the FortiGate DNS database feature with FortiClient ZTNA.
Scope FortiGate, FortiClient, FortiClient EMS.
Solution

The managed version of FortiClient can proxy traffic to FortiGate through ZTNA. FortiClient uses ZTNA destinations to decide which traffic needs to be proxied to the FortiGate. In some scenarios, it's required to use an internal FQDN to access internal resources. As a solution, FortiClient can send a DNS query to the FortiGate DNS database to resolve the FQDN and use ZTNA.


This article assumes that ZTNA is functioning and endpoints can already access ZTNA resources through an IP address.

[Figure: ZTNADiagram1.png]


FortiClient 7.4.1, FortiGate 7.6.0 and FortiClient EMS 7.4.1 are the product versions used at the time of this article.

  1. Create a ZTNA destination on the FortiClient EMS server with the desired FQDN of the ZTNA resource:

     FortiClient EMS GUI -> Endpoint profiles -> ZTNA Destinations -> Select the desired profile -> Add a rule and specify the FQDN for the internal resource.

     [Figure: ZTNADestination.PNG]

  2. Enable the DNS Database feature on the FortiGate:

     FortiGate GUI -> System -> Feature Visibility -> DNS Database.

     [Figure: fortigatedatabasefeatureon.PNG]

  3. Configure the DNS Database with a hostname that points to the ZTNA resource IP:

     FortiGate GUI -> Network -> DNS Servers -> Under DNS Database, select Create New -> Add a DNS entry that points to the ZTNA resource.

     [Figure: DNSdatabaseEntry.PNG]

  4. Confirm that the FortiClient endpoints have received the ZTNA configuration from EMS:

     [Figure: ZTNAconfigurationconfirm.PNG]

  5. Attempt to access the ZTNA resource and confirm that it is working correctly:

     [Figure: ZTNATestWorking.PNG]

Troubleshooting ZTNA and FQDN errors.

If the DNS and FQDN have been configured incorrectly, it's possible to run into the following error:

Error Code: 023
Error Message: The page you requested has been blocked because ZTNA FQDN DNS Failed

[Figure: ZTNAFailed.PNG]


To resolve this, confirm that the FortiGate DNS entry matches the FortiClient ZTNA destination:

Not matching:

[Figure: NotMatching.PNG]

Matching:

[Figure: Matching.PNG]

It is also beneficial to ensure that FortiClient is sending the DNS request to FortiGate. This can be checked through the fortitcs.log file under C:\Program Files\Fortinet\FortiClient\logs\trace.


Note:
It may be required to change the log level to Debug and enable 'ZTNA' logging through the system settings profile on EMS in order to view the fortitcs.log file.

[Figure: fortiTCS.PNG]

The nslookup command should indicate that FortiClient is using 10.235.0.1 as the DNS server. If nslookup still shows the normal DNS server configured on the endpoint, check that the ZTNA destination FQDN exactly matches the name queried with nslookup. It is also useful to check that FortiClient is connected to EMS and to confirm that the ZTNA feature is enabled.
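As an added example (not Fortinet's code and not part of the original article), the following Python script automates the endpoint-side check described above: it parses nslookup output and reports whether the answering server is the ZTNA DNS proxy 10.235.0.1 named in the article, whether the resolved address is the expected ZTNA resource IP, and whether the EMS ZTNA destination FQDN exactly matches the queried name. The FQDN intranet.example.local, the addresses 192.168.1.10 and 192.168.0.1, and the nslookup outputs are constructed sample values, not taken from the article.

```python
"""Verify that an endpoint's DNS lookup for a ZTNA destination was answered by
the FortiClient ZTNA DNS proxy and returned the expected ZTNA resource address.
Added example; not Fortinet code. Handles IPv4 answers only."""
import re
import subprocess

# DNS server address FortiClient presents for ZTNA FQDN resolution, as stated in the article.
ZTNA_DNS_PROXY = "10.235.0.1"

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _ip_tokens(text):
    """Return the IPv4 addresses found in a line (Linux nslookup appends '#53' to the server)."""
    return [t.split("#")[0] for t in text.split() if _IPV4.match(t.split("#")[0])]


def parse_nslookup(output):
    """Parse nslookup output into the answering server IP and the answer addresses.

    Understands the Windows layout (Server:/Address: then Name:/Address(es):)
    and the Linux layout (Address: x.x.x.x#53, 'Non-authoritative answer:').
    """
    server_ip = None
    answers = []
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "server":
            in_answer = False
        elif key == "name":
            in_answer = True
        elif key in ("address", "addresses"):
            ips = _ip_tokens(value)
            if in_answer:
                answers.extend(ips)
            elif server_ip is None and ips:
                server_ip = ips[0]
        elif in_answer:
            # continuation lines of a multi-address "Addresses:" block
            answers.extend(_ip_tokens(line))
    return {"server": server_ip, "answers": answers}


def check_ztna_resolution(output, rule_fqdn, queried_fqdn, expected_ip):
    """Return a list of findings; an empty list means the lookup behaved as the article expects."""
    findings = []
    # The EMS ZTNA destination rule must match the resolved name exactly (article's guidance).
    if rule_fqdn != queried_fqdn:
        findings.append(f"FQDN mismatch: ZTNA destination rule '{rule_fqdn}' != queried name '{queried_fqdn}'")
    parsed = parse_nslookup(output)
    if parsed["server"] != ZTNA_DNS_PROXY:
        findings.append(f"query answered by {parsed['server']}, not the ZTNA DNS proxy {ZTNA_DNS_PROXY}; "
                        "FortiClient is not proxying DNS for this name")
    if expected_ip not in parsed["answers"]:
        findings.append(f"resolved to {parsed['answers'] or 'nothing'}, expected ZTNA resource IP {expected_ip}")
    return findings


def run_nslookup(fqdn):
    """Run nslookup on the endpoint and return its raw output (for live use; the samples below run offline)."""
    return subprocess.run(["nslookup", fqdn], capture_output=True, text=True, check=False).stdout


# Constructed sample outputs in Windows nslookup layout (not captured from a real endpoint).
SAMPLE_OK = """\
Server:  UnKnown
Address:  10.235.0.1

Name:    intranet.example.local
Address:  192.168.1.10
"""

SAMPLE_WRONG_SERVER = """\
Server:  dc01.example.local
Address:  192.168.0.1

*** dc01.example.local can't find intranet.example.local: Non-existent domain
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("wrong server", SAMPLE_WRONG_SERVER)):
        result = check_ztna_resolution(sample, "intranet.example.local", "intranet.example.local", "192.168.1.10")
        print(label, "->", result or "OK")
```

On a live endpoint, replace the sample text with `run_nslookup("<your FQDN>")`; a finding that names the corporate DNS server instead of 10.235.0.1 points at the FQDN-mismatch or EMS-connectivity causes listed above rather than at the FortiGate DNS database entry.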