Article Id 302745
Description This article describes how to use the FQDN address object in FortiGate when the DNS resolution changes dynamically.
Scope All supported versions of FortiOS.

When a website is served by multiple servers load balanced across several locations, its DNS resolution can change dynamically. This may cause the client's DNS resolution for a specific FQDN to differ from the FortiGate's resolution of the same FQDN address object.

In this case, the client sends a connection request to an IP that does not match the IP the firewall resolved for the same domain name, so the session does not match the policy and the connection is dropped by the firewall.

The solution is to configure the FortiGate as a DNS server and make sure that the client sends its DNS requests to the FortiGate. The client and the FortiGate then share the same DNS resolution, so the policy will be matched.

Below are the steps to configure the FortiGate as a DNS forwarder:

  • Go to Network -> DNS Servers and create a New DNS service.
  • Select the interface on which the service will be listening.
  • Select the mode Forward to System DNS.
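The same configuration can be applied from the FortiOS CLI. The block below is an added example, not part of the original article: the interface name "port2" and the DHCP server id 1 are assumed values for a LAN-facing interface, and the `forward-only` mode keyword is assumed to be the CLI equivalent of the GUI option "Forward to System DNS". The second stanza covers the "make sure the client sends the DNS request to FortiGate" requirement for DHCP clients by handing out the FortiGate interface address as their DNS server (the `dns-service local` option is also an assumption).

```text
# Added example (not from the original article). "port2" and DHCP server id 1
# are assumed; "forward-only" is assumed to match "Forward to System DNS".

# 1) Enable the DNS service on the LAN interface, forwarding to the system DNS.
config system dns-server
    edit "port2"
        set mode forward-only
    next
end

# 2) Make DHCP clients on that interface resolve through the FortiGate itself.
config system dhcp server
    edit 1
        set interface "port2"
        set dns-service local
    next
end

# 3) Verification: list the IPs the FortiGate currently holds for each FQDN
#    address object and compare them with what a client resolves.
diagnose firewall fqdn list
```

After applying the change, resolve the FQDN from a client (for example with `nslookup`) and check that the returned addresses appear in the `diagnose firewall fqdn list` output; if they do not, the client is still using a different resolver and the policy mismatch described above will persist.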