FortiClient
martinsd
Staff
Article Id 263614
Description: This article describes the case where the Windows Firewall does not switch to the Domain profile after a VPN connection, which blocks traffic.
Scope: FortiClient.
Solution:

After the VPN tunnel comes up, FortiClient needs some time to install its routes in the endpoint's routing table. That delay is sometimes long enough for the Network Location Awareness (NLA) service to finish its network detection before the domain controller is reachable through the tunnel, so the connection is misidentified and the Domain profile is never applied.

Editing the Windows registry to disable the Netlogon 'Domain Discovery negative cache' and the 'DNS negative cache' prevents a failed first lookup from being cached, which gives the NLA service a better chance of detecting the domain correctly.

Registry script (Save this script to VPN.reg and run it):


Windows Registry Editor Version 5.00

; Netlogon: do not cache failed domain controller discovery attempts
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"NegativeCachePeriod"=dword:00000000

; DNS client: do not cache negative (failed) DNS lookups
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"MaxNegativeCacheTtl"=dword:00000000


After adding these registry keys, reboot the Windows device.
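The following PowerShell script is an added example and is not part of this Fortinet article. It applies the same two registry values as the .reg file above, but first records the existing values so they can be restored, and then shows how to verify after the reboot and a fresh VPN connection that NLA classified the tunnel as DomainAuthenticated and that the firewall is running the Domain profile. The registry paths and value names are the ones from the article; the backup file location is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the article's own script.
# Applies NegativeCachePeriod=0 (Netlogon) and MaxNegativeCacheTtl=0 (Dnscache),
# keeping a JSON record of the previous values for rollback.

$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'NegativeCachePeriod' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'MaxNegativeCacheTtl' }
)

# Assumed backup location; change to suit your environment.
$backup = Join-Path $env:ProgramData 'vpn-nla-registry-backup.json'

# 1. Record the current values ($null means the value did not exist yet).
$previous = foreach ($s in $settings) {
    $item  = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($s.Name) } else { $null }
    [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Value = $value }
}
$previous | ConvertTo-Json | Set-Content -Path $backup -Encoding UTF8
"Previous values saved to $backup"

# 2. Write the two DWORD values (creates them if missing, overwrites if present).
foreach ($s in $settings) {
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value 0 -Force | Out-Null
}

# 3. Read back what was written so the change is confirmed before rebooting.
foreach ($s in $settings) {
    $v = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    '{0}\{1} = {2}' -f $s.Path, $s.Name, $v
}

# 4. After the reboot and a new VPN connection, run these two lines to check
#    the result: the VPN interface should show NetworkCategory DomainAuthenticated
#    and the Domain firewall profile should be the active one on that interface.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled
```

To roll back, read the JSON file and write each saved Value back with Set-ItemProperty (or Remove-ItemProperty where Value is null), then reboot again. Setting both caches to 0 means every failed domain controller or DNS lookup is retried immediately rather than after the cached negative period, so expect slightly more lookup traffic on endpoints that are frequently off the corporate network.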


Related document: 

Firewall profile does not switch to domain.