aishaqui
Article Id 220251
Description This article describes the solution for using FortiGate as a DNS server when the client is connected to one interface but the DNS service is configured on another interface.
Scope All FortiGate models and all firmware.
Solution

For this KB article, consider the following setup:

  1. The client is connected to port1 or the SSL-VPN interface.
  2. The DNS service is configured on port2 as follows:

config system dns-server
    edit "port2"
        set dnsfilter-profile "filter2"
    next
end

 

In this case, if the DNS service is configured only on port2 and clients on port1 or SSL-VPN are expected to use the port2 IP as their DNS server, it will not work until port1 or SSL-VPN is also added to the DNS service:

 

config system dns-server
    edit "port2"
        set dnsfilter-profile "filter2"
    next
    edit "port1"
        set dnsfilter-profile "filter1"
    next
end

 

With this configuration, DNS requests received on port1 are passed to port2.

However, instead of applying the DNS filter profile configured on port2, FortiGate applies the DNS filter profile configured on port1.

 

Therefore, to resolve this, instead of using the physical interface port2 for the DNS service, multiple loopback interfaces can be configured as DNS services, each with a different dnsfilter profile, provided there is a firewall policy from port1 to loopbackN:

 

config system dns-server
    edit "loopbackN"
        set dnsfilter-profile "filterN"
    next
    edit "port1"
        set dnsfilter-profile "filter1"
    next
end

 
