- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Locally generated traffic for DNS n...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes the scenario where a SD-WAN rule for locally generated DNS traffic is configured with source address, the traffic will not be matched to SD-WAN rule unless 'source-ip' is not defined under ‘config system dns’.
Alternatively, in order to match the SD-WAN rule for DNS traffic, the source address configured has to be removed.
Scope
For version 6.2.4 and onward.
Solution
Configuration.
With the new command introduced in v6.2.4, a method can be selected for locally originated traffic.
It can either be SD-WAN, auto or specific interface (see related article).
Having interface-select-method as SD-WAN under DNS configuration, the traffic has to be match SD-WAN rule.
However, since there is no source-ip defined under ‘config system dns’, it will not.
If there is no 'source-ip' defined under 'config system dns' before matching SD-WAN rule, DNS does not know which source to use and 'source-ip' field will be 0 and will not match that rule.
Solution.
1) Configure 'source-ip' under ‘config system dns’ and use that as source in SD-WAN rule.
## DNS config: ##
This article describes the scenario where a SD-WAN rule for locally generated DNS traffic is configured with source address, the traffic will not be matched to SD-WAN rule unless 'source-ip' is not defined under ‘config system dns’.
Alternatively, in order to match the SD-WAN rule for DNS traffic, the source address configured has to be removed.
Scope
For version 6.2.4 and onward.
Solution
Configuration.
# config system virtual-wan-linkDNS Configuration.
set status enable
# config members
edit 1
set interface "wan1"
set gateway 10.191.19.1
next
edit 2
set interface "wan2"
set gateway 10.191.35.1
next
end
# config service
edit 2
set name "dns"
set mode sla
set dst "all"
set src "10.191.35.75" "10.191.19.75"
# config sla
edit "internet"
set id 1
next
end
set priority-members 2 1
next
end
end
# config system dns
set primary 208.91.112.52
set interface-select-method sdwan
end
With the new command introduced in v6.2.4, a method can be selected for locally originated traffic.
It can either be SD-WAN, auto or specific interface (see related article).
Having interface-select-method as SD-WAN under DNS configuration, the traffic has to be match SD-WAN rule.
However, since there is no source-ip defined under ‘config system dns’, it will not.
# diagnose firewall proute listNote.
list route policy info(vf=root):
id=0x7f060001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(2): 10.191.35.75-10.191.35.75 10.191.19.75-10.191.19.75
destination(1): 208.91.112.52-208.91.112.52
hit_count=0 last_used=2020-07-03 15:45:15
If there is no 'source-ip' defined under 'config system dns' before matching SD-WAN rule, DNS does not know which source to use and 'source-ip' field will be 0 and will not match that rule.
Solution.
1) Configure 'source-ip' under ‘config system dns’ and use that as source in SD-WAN rule.
## DNS config: ##
# config system dns## SD-WAN config ##
set primary 208.91.112.52
set source-ip 10.191.19.75
set interface-select-method sdwan
end
# config system virtual-wan-link
# config service
edit 2
set name "dns"
set mode sla
set dst "all" <----- Destination as all.
set src "10.191.19.75” <----- Define source.
next
end
end# diagnose firewall proute listThis is not an ideal solution in scenarios where the configuration has multiple SD-WAN interfaces and a dynamic DNS 'source-ip' selection is required.
list route policy info(vf=root):
id=0x7f080001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(2): 10.191.19.75-10.191.19.75
destination(1): 0.0.0.0-255.255.255.255
hit_count=15 last_used=2020-07-09 09:52:01
2) Avoid using source in the SD-WAN rule and use destination instead with IP of DNS server.
## SD-WAN config ### config system virtual-wan-linkThe traffic will match with the SD-WAN rule then.
# config service
edit 2
set name "dns"
set mode sla
set dst " 208.91.112.52" <----- Define DNS server here.
set src "all” <----- Configure source as all.
next
end
end# diagnose firewall proute listRelated document.
list route policy info(vf=root):
id=0x7f070001 vwl_service=1(DNS) vwl_mbr_seq=1 2 dscp_tag=0xff 0xff flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 sport=0:65535 iif=0 dport=1-65535 oif=11 oif=7
source(1): 0.0.0.0-255.255.255.255 <---- Source removed.
destination(1): 208.91.112.52-208.91.112.52
hit_count=2 last_used=2020-07-03 15:47:14
https://docs.fortinet.com/document/fortigate/6.2.4/cli-reference/27620/system-dnsRelated Articles
Technical Tip: Functionality of 'set interface-select-method' for local-traffic with SD-WAN
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.