Description
This article describes how configuring a DNS suffix can simplify name resolution by allowing users connected through IPsec dial-up or SSL VPN to reach servers without entering the fully qualified domain name. For example, users can connect to a server as server123 instead of server123.example.com.
Scope
FortiGate.
Solution
DNS suffix configuration is supported only via the CLI and is not available in the GUI.
For SSL VPN:
If applied in the global SSL VPN settings, the suffix is pushed to all SSL VPN connections:
config vpn ssl settings
set dns-suffix example.com
end
For VDOM-enabled FortiGate:
config vdom
edit <vdom name>
config vpn ssl settings
set dns-suffix example.com
end
next
end
It can also be applied to individual SSL VPN portals:
config vpn ssl web portal
edit <portal_name>
set dns-suffix example.com
next
end
For VDOM-enabled FortiGate:
config vdom
edit <vdom name>
config vpn ssl web portal
edit <portal_name>
set dns-suffix example.com
next
end
next
end
If more than one domain suffix is needed for SSL VPN, multiple entries can be added using a semicolon (';') as the delimiter, with no spaces between entries:
set dns-suffix example.com;example.org
IPsec Dial-up VPN:
Starting from FortiOS v7.6.4 and v8.0.0, the DNS suffix option is available in the IPsec VPN phase1 configuration when the type is set to dynamic and mode-cfg is enabled.
IKEv1 IPsec VPN:
Configure the default DNS domain:
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set type dynamic
set ipv4-dns-server1 <ipv4_address>
set ipv6-dns-server1 <ipv6_address>
set unity-support enable <----- This needs to be enabled to use the 'set domain' command.
set domain example.com <----- This sets the default DNS domain for VPN clients.
next
end
For VDOM-enabled FortiGate:
config vdom
edit <vdom name>
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set type dynamic
set ipv4-dns-server1 <ipv4_address>
set ipv6-dns-server1 <ipv6_address>
set unity-support enable <----- This needs to be enabled to use the 'set domain' command.
set domain example.com <----- This sets the default DNS domain for VPN clients.
next
end
next
end
Note regarding DNS Suffixes for IPsec tunnels:
IKEv1 only supports assigning a single DNS suffix/domain (multiple domains are not supported). 'unity-support' must be enabled, because the Cisco Unity mode-config attributes are the mechanism that pushes the DNS suffix to the client.
IKEv2 IPsec VPN (requires FortiOS v7.6.4, v8.0.0 or later and FortiClient Windows v7.4.4 or later):
Configure one or more default DNS domains:
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set ike-version 2
set type dynamic
set ipv4-dns-server1 <ipv4_address>
set ipv6-dns-server1 <ipv6_address>
set dns-suffix-search example.com <----- This sets the default DNS domain for VPN clients.
next
end
For VDOM-enabled FortiGate:
config vdom
edit <vdom name>
config vpn ipsec phase1-interface
edit <tunnel_name>
set mode-cfg enable
set ike-version 2
set type dynamic
set ipv4-dns-server1 <ipv4_address>
set ipv6-dns-server1 <ipv6_address>
set dns-suffix-search example.com <----- This sets the default DNS domain for VPN clients.
next
end
next
end
IKEv2 supports assigning multiple DNS suffixes/domains. Separate them with a space:
set dns-suffix-search example1.com example2.com example3.com
Note:
If 'internal-domain-list' is already set under phase1, the 'dns-suffix-search' command is not available. Unset 'internal-domain-list' first, then set 'dns-suffix-search':
config vpn ipsec phase1-interface
edit <tunnel name>
unset internal-domain-list
set dns-suffix-search example1.com example2.com example3.com
next
end
IKEv2 workarounds:
In FortiClient v7.4.3 and earlier, learning the DNS suffix from FortiOS is not supported, but the DNS suffix can be set manually on the VPN adapter.
To set the DNS suffix on the Windows FortiClient IPsec VPN adapter:
- Open Start Menu and search for 'ncpa.cpl' or 'View network connections'.

- Select the interface with the alias 'Fortinet Virtual Ethernet Adapter'.

- Select 'Internet Protocol Version 4 (TCP/IPv4)' > Select 'Properties'.

- Select 'Advanced'.

- Select 'DNS' Tab -> In the 'DNS suffix for this connection' field, enter the desired internal domain -> Select 'OK'.

- Connect to VPN.
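The same adapter setting can be applied and verified from an elevated PowerShell prompt instead of clicking through ncpa.cpl. The script below is an added example and is not part of the original article or FortiClient; it assumes the FortiClient adapter reports an InterfaceDescription beginning with 'Fortinet Virtual Ethernet Adapter', and the suffix 'example.com' and host name 'server123' are placeholders to replace with the internal domain and a real internal host.

```powershell
# Added example (not from the original article): automates the 'DNS suffix for this
# connection' step on the FortiClient adapter and checks that a short name resolves.
# Assumptions: the adapter's InterfaceDescription starts with 'Fortinet Virtual Ethernet
# Adapter'; $Suffix and $TestHost are placeholders. Run elevated, before connecting the VPN.

param(
    [string]$Suffix   = 'example.com',   # assumed internal domain
    [string]$TestHost = 'server123'      # assumed short name of an internal host
)

# The FortiClient adapter is present (disconnected) whenever FortiClient is installed.
$adapter = Get-NetAdapter -IncludeHidden |
    Where-Object { $_.InterfaceDescription -like 'Fortinet Virtual Ethernet Adapter*' } |
    Select-Object -First 1

if (-not $adapter) {
    throw "Fortinet Virtual Ethernet Adapter not found; is FortiClient installed?"
}

# Equivalent of Advanced TCP/IP settings > DNS > 'DNS suffix for this connection'.
Set-DnsClient -InterfaceIndex $adapter.ifIndex -ConnectionSpecificSuffix $Suffix

# Confirm the suffix is bound to that interface only.
Get-DnsClient -InterfaceIndex $adapter.ifIndex |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix

# After the tunnel is up, the short name should resolve through the DNS server pushed
# by the FortiGate. -DnsOnly bypasses the hosts file and the local resolver cache so the
# result reflects what the VPN DNS server actually returned.
Write-Host "Connect the VPN, then press Enter to test resolution of '$TestHost'"
[void](Read-Host)
try {
    Resolve-DnsName -Name $TestHost -DnsOnly -ErrorAction Stop |
        Select-Object Name, Type, IPAddress
} catch {
    Write-Warning "Short name '$TestHost' did not resolve: $($_.Exception.Message)"
}
```

Windows allows only one connection-specific suffix per interface, which matches the single-suffix limit of the IKEv1 method above; if several internal domains must be searched, add them to the global search list with Set-DnsClientGlobalSetting -SuffixSearchList instead, bearing in mind that the global list applies to every interface, not just the tunnel.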
In FortiClient Windows v7.4.4 and later, dns_suffix_list can be set manually per IKEv2 connection in the IPsec VPN XML configuration; see IPsec VPN.
FortiClient macOS and FortiClient Linux do not yet support dns_suffix_list as of FortiClient v7.4.4.
Related documents: