Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Staff

Created on ‎10-29-2015 05:35 PM Edited on ‎11-04-2025 10:22 PM By Community Manager

Article Id 194750

Technical Tip: How to set DNS suffix for VPN SSL and IPsec in the FortiGate configuration

Description

 

This article describes how setting the DNS suffix can be useful when it is required to resolve server names without typing the entire domain name when connected via IPsec Dial-Up or SSL VPN. For example, accessing a server via server123 instead of server123.example.com.

 

Scope

 

FortiGate.


Solution

 

This configuration option is not available in the GUI interface, but it can be set using the CLI.
 
For SSL VPN:
 
If applied to global settings, all connections will have the following settings applied:
 
config vpn ssl settings
    set dns-suffix example.com
end
 
For VDOM-enabled FortiGate:
 
config vdom
    edit <vdom name>
        config vpn ssl settings
      set dns-suffix example.com
end
 
It can also be applied to individual SSL VPN portals:
 
config vpn ssl web portal
    edit <portal_name>
        set dns-suffix example.com
    next
end
 
For VDOM-enabled FortiGate:
 
config vdom
    edit <vdom name>
        config vpn ssl web portal
            set dns-suffix example.com
end

If more than one domain suffix is needed for SSL VPN, multiple entries can be added using a semicolon ';' without blank spaces as a delimiter:
 
set dns-suffix example.com;example.org
 
IPsec Dial-up VPN:
The available DNS suffix options for IPsec VPN change depending on the IKE version and firmware. They all require mode-cfg and 'set type dynamic'.
 
IKEv1 IPsec VPN:
Configure the default DNS domain:
 
config vpn ipsec phase1-interface
    edit <tunnel_name>
        set mode-cfg enable
        set type dynamic
        set ipv4-dns-server1
        set ipv6-dns-server1
        set unity-support enable                   <----- This needs to be enabled to use the 'set domain' command.
        set domain example.com                     <----- This sets the default DNS domain for VPN clients.
    next
end
 
For VDOM-enabled FortiGate:
 
config vdom
    edit <vdom name>
        config vpn ipsec phase1-interface
         edit <tunnel_name>
             set mode-cfg enable
             set type dynamic
             set ipv4-dns-server1
             set ipv6-dns-server1
             set unity-support enable           <----- This needs to be enabled to use the 'set domain' command.
             set domain example.com             <----- This sets the default DNS domain for VPN clients.
            next
        end
    next
end
 

Note regarding DNS Suffixes for IPsec tunnels:

IKEv1 only supports assigning a single DNS suffix/domain (no support for multiple domains). The 'unity-support' must be enabled, as this feature will push the DNS suffix to the client end.

 
IKEv2 IPsec VPN (requires FortiOS v7.6.4 or later and FortiClient Windows v7.4.4 or later):
Configure one or more default DNS domains:
 
config vpn ipsec phase1-interface
    edit <tunnel_name>
        set mode-cfg enable
        set ike-version 2
        set type dynamic
        set ipv4-dns-server1
        set ipv6-dns-server1
        set dns-suffix-search example.com        <----- This sets the default DNS domain for VPN clients.
    next
end
 
 
For VDOM-enabled FortiGate:
 
config vdom
    edit <vdom name>
        config vpn ipsec phase1-interface
         edit <tunnel_name>
             set mode-cfg enable
             set ike-version 2
             set type dynamic
             set ipv4-dns-server1
             set ipv6-dns-server1
             set dns-suffix-search example.com         <----- This sets the default DNS domain for VPN clients.
            next
        end
 
IKEv2 supports assigning multiple DNS suffixes/domains. They must be separated by a space.
 
set dns-suffix-search example1.com example2.com example3.com

Note: 
If the command 'internal-domain-list' is previously set under phase 1, the command 'dns-suffix-search' will not be available. It is required to remove the command 'internal-domain-list' and then specify 'dns-suffix-search'.
 
config vpn ipsec phase1-interface
    edit <tunnel name>
        unset internal-domain-list
        set dns-suffix-search example1.com example2.com example3.com
   next
end

IKEv2 Workarounds:

In FortiClient v7.4.3 and earlier, learning DNS suffix from FortiOS is not supported, but it is possible to manually set DNS suffixes on the VPN adapter.

 

To set the DNS suffix on the Windows FortiClient IPsec VPN adapter:

 

  1. Open Start Menu and search for 'ncpa.cpl' or 'View network connections'.

    neg2.PNG

 

  1. Double-click the interface with the alias 'Fortinet Virtual Ethernet Adapter'.

    0.PNG
  2. Select 'Internet Protocol Version 4 (TCP/IPv4)' > Select 'Properties'.

    1.PNG

 

  1. Select 'Advanced'.

    2.PNG
  2. Select 'DNS' Tab > In the 'DNS suffix for this connection' field, enter the desired internal domain > Select 'OK'. 

    3.PNG

  3. Connect to VPN.

In FortiClient Windows v7.4.4 and later, it is possible to set dns_suffix_list manually for per IKEv2 connection in IPsec VPN XML, see IPsec VPN

 

FortiClient macOS and FortiClient Linux do not yet support dns_suffix_list as of FortiClient v7.4.4.

 
Related documents:
198196
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.