vrajendran
Staff
Article Id 190698

Description

This article describes how to configure one FortiGate as the primary DNS server for a DNS zone and a second FortiGate as a secondary for the same zone.

The two FortiGates are not in an HA cluster; the zone is copied between them by a zone transfer.

In this example:
FortiGate1 (Primary for test_domain.local) - IP 10.191.35.48
FortiGate2 (Secondary for test_domain.local) - IP 10.191.36.213

Solution

On FortiGate1 (Primary):

Go to System -> Feature Visibility -> Additional Features, turn on DNS Database and select 'Apply'.

Go to Network -> DNS Servers and create a new DNS Database:

Type: master
DNS Zone: Zone_1
Domain Name: test_domain.local
Hostname of Primary Master: Primary

[Screenshot: Capture1.PNG]

Note:

If Authoritative is enabled, the FortiGate does not forward DNS requests for 'test_domain.local' to the DNS forwarders or the system DNS servers.

If the dns-database is configured with the domain 'test_domain.local' and names in that domain are not resolvable from the FortiGate or from the user's device, make sure that Authoritative is disabled.
Create the desired DNS entries. Ensure that the zone has both an A record and an NS record for each of the primary and secondary FortiGates.

Example A record:

Type: Address (A)
Hostname: abc
IP Address: 192.168.0.10
Configure the DNS service on the VPN tunnel interface.

Go to System -> Network -> DNS Servers and create a new DNS Service on Interface.

Select the VPN tunnel interface on the primary unit that connects to the secondary FortiGate; the zone transfers are carried over this tunnel.

[Screenshot: Capture2.PNG]
Configure the IP address for the VPN tunnel interface on the primary FortiGate:

Source IP - 10.10.10.1/32
Remote IP - 10.10.10.2/32

[Screenshot: Capture3.PNG]
Run the following commands in the CLI to allow the zone transfer to the secondary FortiGate. The name after 'edit' is the DNS Zone name of the database entry (Zone_1 in this example); replace the allow-transfer address with the address of the secondary FortiGate. allow-transfer limits zone transfers to the listed addresses, so only the secondary can pull a copy of the zone:

config system dns-database
    edit vSphere
        set source-ip 10.10.10.1
        set allow-transfer 10.10.10.2
    next
end
On FortiGate2 (Secondary):

Go to System -> Feature Visibility -> Additional Features, turn on DNS Database and select 'Apply'.

Go to Network -> DNS Servers and create a new DNS Database:

Type: Secondary
DNS Zone: Zone_2
Domain Name: vsphere.local
IP of Primary: 10.10.10.1

[Screenshot: Capture4.PNG]


On either unit, if the FortiGate is used as the DNS server for local hosts, ensure that the interface those hosts reference as their DNS server has a DNS service configured.

Example:
If users on the internal interfaces want to use the FortiGate as their DNS server, point them at an IP address of the local FortiGate (in this case the FortiGate's internal IP address) and create a DNS service on the FortiGate for the interface those users reach:

Go to Network -> DNS Servers and create a new DNS Service.

Interface: To_FGT1
Mode: Recursive

[Screenshot: Capture5.PNG]
Configure the IP address for the VPN tunnel interface on the Secondary FortiGate:

Source IP - 10.10.10.2/32
Remote IP - 10.10.10.1/32

[Screenshot: Capture6.PNG]

Run the following CLI commands on the secondary FortiGate (the entry name is the DNS Zone name, Zone_2 in this example):

config system dns-database
    edit vSphere
        set source-ip 10.10.10.2
        set ip-primary 10.10.10.1
    next
end


In the CLI, run the following command on both units to display the zone database:

diagnose test application dnsproxy 8

Sample output from the primary FortiGate:

FWF60D# diagnose test application dnsproxy 8

worker idx: 0

vfid=0 name=Zone_1 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=primary serial=319246610 refresh=0
A: aaa.vsphere.local-->192.168.0.17(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 319246610)(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: acb.vsphere.local-->192.168.0.11(86400)

Sample output from the secondary FortiGate:

FGT90D# diagnose test application dnsproxy 8

worker idx: 0

vfid=0 name=Zone_2 domain=vsphere.local ttl=86400 authoritative=1 view=shadow type=secondary serial=166236703 refresh=7200
A: acb.vsphere.local-->192.168.0.11(86400)
A: cba.vsphere.local-->192.168.0.12(86400)
A: bbc.vsphere.local-->192.168.0.14(86400)
SOA: vsphere.local (primary: Primary.vsphere.local, contact: host@vsphere.local, serial: 166236703)(86400)
A: abc.vsphere.local-->192.168.0.10(86400)
A: ccc.vsphere.local-->192.168.0.16(86400)
A: aaa.vsphere.local-->192.168.0.17(86400)
A: bcd.vsphere.local-->192.168.0.13(86400)