Description | This article describes how to use a FortiGate as a DNS server when the client is connected to one interface but the DNS service is configured on another interface. |
Scope | All FortiGate models and all firmware. |
Solution |
For this KB article, consider the setup below:
config system dns-server
    edit "port2"
        set dnsfilter-profile "filter2"
    next
end
In such a case, if the DNS service is configured only on port2 and clients on port1 or SSL-VPN are expected to use the port2 IP as their DNS server, it will not work until port1 or the SSL-VPN interface is also added to the DNS service:
config system dns-server
    edit "port2"
        set dnsfilter-profile "filter2"
    next
    edit "port1"
        set dnsfilter-profile "filter1"
    next
end
With this configuration, DNS requests are received on port1 and passed to port2. However, instead of applying the DNS filter profile configured on port2, the FortiGate applies the DNS filter profile configured on port1.
Therefore, to resolve this, instead of using the physical interface port2 for the DNS service, multiple loopback interfaces can be configured as DNS service interfaces, each with a different DNS filter profile, provided there is a firewall policy from port1 to loopbackN:
config system dns-server
    edit "loopbackN"
        set dnsfilter-profile "filterN"
    next
    edit "port1"
        set dnsfilter-profile "filter1"
    next
end
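The full set of objects needed for one such loopback, added here as an illustration and not taken from the original article: the loopback name "loopback1", its address 10.255.255.1, the address object and policy names, and the profile name "filter1" are assumptions; clients on port1 are then pointed at 10.255.255.1 as their DNS server.

```fortios
# Loopback interface that acts as the DNS service interface (assumed name and address).
config system interface
    edit "loopback1"
        set vdom "root"
        set type loopback
        set ip 10.255.255.1 255.255.255.255
        set allowaccess ping
    next
end

# Address object for the loopback IP, used as the policy destination (assumed name).
config firewall address
    edit "loopback1-ip"
        set subnet 10.255.255.1 255.255.255.255
    next
end

# Firewall policy port1 -> loopback1 so that client DNS requests reach the loopback.
# Only the DNS service is allowed; "edit 0" lets the FortiGate assign the policy ID.
config firewall policy
    edit 0
        set name "port1-to-loopback1-dns"
        set srcintf "port1"
        set dstintf "loopback1"
        set srcaddr "all"
        set dstaddr "loopback1-ip"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end

# DNS service on the loopback with its own DNS filter profile, alongside the port1
# entry from the article; a second loopback with another profile follows the same pattern.
config system dns-server
    edit "loopback1"
        set dnsfilter-profile "filter1"
    next
    edit "port1"
        set dnsfilter-profile "filter1"
    next
end
```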
Copyright 2024 Fortinet, Inc. All Rights Reserved.