Description
This article describes how to set a DNS suffix so that clients connected via IPsec dial-up or SSL VPN can resolve server names without typing the full domain name, for example accessing server123 instead of server123.example.com.
Scope
FortiGate.
Solution
This option is not available in the GUI; it must be set from the CLI.
For SSL VPN:
If applied under 'config vpn ssl settings', the suffix is pushed to all SSL VPN connections:
config vpn ssl settings
set dns-suffix example.com
end
For a VDOM-enabled FortiGate (the extra 'end' leaves the VDOM context):
config vdom
edit <vdom name>
config vpn ssl settings
set dns-suffix example.com
end
end
It can also be applied to individual SSL VPN portals:
config vpn ssl web portal
edit <portal_name>
set dns-suffix example.com
next
end
For a VDOM-enabled FortiGate:
config vdom
edit <vdom name>
config vpn ssl web portal
edit <portal_name>
set dns-suffix example.com
next
end
end
If more than one domain suffix is needed for SSL VPN, multiple entries can be added using a semicolon ';' as the delimiter, with no blank spaces:
set dns-suffix example.com;example.org
For IPsec Dial-up VPN:
The available DNS suffix options for IPsec VPN depend on the IKE version and the firmware. All of them require 'set mode-cfg enable' and 'set type dynamic'. The suffix is only useful if the client also receives an internal DNS server that can resolve the suffixed name, which is why the examples below set 'ipv4-dns-server1' as well.
For IKEv1 IPsec VPN, configure the default DNS domain:
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set type dynamic
set ipv4-dns-server1 <dns_server_ipv4>
set ipv6-dns-server1 <dns_server_ipv6>
set unity-support enable <----- This needs to be enabled to use the 'set domain' command.
set domain example.com <----- This sets the default DNS domain for VPN clients.
next
end
For a VDOM-enabled FortiGate:
config vdom
edit <vdom name>
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set type dynamic
set ipv4-dns-server1 <dns_server_ipv4>
set ipv6-dns-server1 <dns_server_ipv6>
set unity-support enable <----- This needs to be enabled to use the 'set domain' command.
set domain example.com <----- This sets the default DNS domain for VPN clients.
next
end
end
For IKEv2 IPsec VPN, configure the default DNS domain:
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set ike-version 2
set type dynamic
set ipv4-dns-server1 <dns_server_ipv4>
set ipv6-dns-server1 <dns_server_ipv6>
set dns-suffix-search example.com <----- This sets the default DNS domain for VPN clients.
next
end
For a VDOM-enabled FortiGate:
config vdom
edit <vdom name>
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set ike-version 2
set type dynamic
set ipv4-dns-server1 <dns_server_ipv4>
set ipv6-dns-server1 <dns_server_ipv6>
set dns-suffix-search example.com <----- This sets the default DNS domain for VPN clients.
next
end
end
IKEv2 supports assigning multiple DNS suffixes/domains. They must be separated by a space, not a semicolon:
set dns-suffix-search example1.com example2.com example3.com
Note regarding DNS Suffixes for IPsec tunnels:
IKEv1 only supports assigning a single DNS suffix/domain; multiple domains are not supported. 'unity-support' must be enabled, because that feature is what pushes the DNS suffix to the client.
The use of search domains with IKEv2 ('set dns-suffix-search') requires FortiOS 7.6.4 or later and FortiClient 7.4.4 or later.
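Because the delimiter and the command differ between SSL VPN (';' in 'dns-suffix'), IKEv1 (a single 'set domain' behind 'unity-support') and IKEv2 (space-separated 'dns-suffix-search'), it is easy to paste the wrong form and have the FortiGate silently push an unusable suffix. The following script is an added example, not Fortinet code: it validates each suffix and emits the CLI snippet for the SSL VPN and IPsec dial-up cases above, wrapping it in the VDOM context when asked. The portal, tunnel and VDOM names and the DNS server address are placeholders.

```python
"""Generate FortiOS CLI that pushes DNS suffixes to VPN clients.

Added example, not Fortinet code. It encodes the rules from the article:
  - SSL VPN 'dns-suffix' takes one or more suffixes joined by ';' with no spaces
  - IKEv1 dial-up uses a single 'set domain' and needs 'set unity-support enable'
  - IKEv2 dial-up uses 'set dns-suffix-search' with space-separated suffixes
Portal, tunnel, VDOM names and the DNS server address are placeholders.
"""
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_suffix(suffix: str) -> str:
    """Normalise one suffix and reject anything the CLI delimiters would mangle."""
    s = suffix.strip().rstrip(".").lower()
    if not s or len(s) > 253 or any(not _LABEL.match(lbl) for lbl in s.split(".")):
        raise ValueError(f"invalid DNS suffix: {suffix!r}")
    return s


def ssl_dns_suffix_value(suffixes) -> str:
    """SSL VPN: several suffixes are ';'-delimited with no blank spaces."""
    cleaned = [validate_suffix(s) for s in suffixes]
    if not cleaned:
        raise ValueError("at least one suffix is required")
    return ";".join(cleaned)


def ikev1_domain_value(suffixes) -> str:
    """IKEv1: only a single default domain can be pushed."""
    if len(suffixes) != 1:
        raise ValueError("IKEv1 'set domain' accepts exactly one domain")
    return validate_suffix(suffixes[0])


def ikev2_dns_suffix_search_value(suffixes) -> str:
    """IKEv2: several suffixes are allowed, separated by spaces."""
    cleaned = [validate_suffix(s) for s in suffixes]
    if not cleaned:
        raise ValueError("at least one suffix is required")
    return " ".join(cleaned)


def _in_vdom(lines, vdom):
    """Wrap a CLI block in the VDOM context on a VDOM-enabled FortiGate."""
    if vdom is None:
        return lines
    return ["config vdom", f"edit {vdom}"] + lines + ["end"]


def ssl_settings_cli(suffixes, vdom=None) -> str:
    """Suffix for all SSL VPN connections ('config vpn ssl settings')."""
    body = ["config vpn ssl settings",
            f"set dns-suffix {ssl_dns_suffix_value(suffixes)}",
            "end"]
    return "\n".join(_in_vdom(body, vdom))


def ssl_portal_cli(portal, suffixes, vdom=None) -> str:
    """Suffix for a single SSL VPN portal ('config vpn ssl web portal')."""
    body = ["config vpn ssl web portal", f"edit {portal}",
            f"set dns-suffix {ssl_dns_suffix_value(suffixes)}",
            "next", "end"]
    return "\n".join(_in_vdom(body, vdom))


def ipsec_phase1_cli(tunnel, suffixes, ike_version=2,
                     dns4="10.0.0.53", vdom=None) -> str:
    """Dial-up phase1 with mode-cfg; the suffix command depends on the IKE version."""
    body = ["config vpn ipsec phase1-interface", f"edit {tunnel}",
            "set mode-cfg enable", "set type dynamic",
            f"set ipv4-dns-server1 {dns4}"]  # placeholder internal resolver
    if ike_version == 1:
        body += ["set unity-support enable",
                 f"set domain {ikev1_domain_value(suffixes)}"]
    elif ike_version == 2:
        body += ["set ike-version 2",
                 f"set dns-suffix-search {ikev2_dns_suffix_search_value(suffixes)}"]
    else:
        raise ValueError("ike_version must be 1 or 2")
    body += ["next", "end"]
    return "\n".join(_in_vdom(body, vdom))


if __name__ == "__main__":
    print(ssl_settings_cli(["example.com", "example.org"]))
    print(ipsec_phase1_cli("dialup-v1", ["example.com"], ike_version=1))
    print(ipsec_phase1_cli("dialup-v2", ["example1.com", "example2.com"], vdom="root"))
```

Passing two domains to the IKEv1 generator raises instead of joining them, which mirrors the single-domain limit of 'set domain'; a suffix containing a space or semicolon is rejected before it reaches either delimiter.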