ssanga
Staff & Editor
Article Id 368026
Description
This article describes an issue where FortiGate fails to generate logs for DNS queries from client machines when the DNS service is enabled and reached through a Virtual IP mapped to an internal interface IP address.
Scope
FortiGate v7.2.7, v7.2.8, v7.2.9, v7.2.10 and v7.4.5.
Solution

When the FortiGate DNS service is enabled on an interface and clients reach that DNS server through a Virtual IP on the FortiGate, no DNS query log is generated. The DNS service still receives the query and answers it as configured; only the log entry is missing.

Sample Configuration:

config system interface
    edit "dns-loopback"
        set vdom "vdom1"
        set ip 10.100.100.1 255.255.255.0
        set allowaccess ping ssh telnet
        set type loopback
        set role lan
    next
end

config system dns-server
    edit "dns-loopback"
        set mode forward-only
        set dnsfilter-profile "dnsfilter_fgd"
    next
end

config firewall vip
    edit "DNS_vip"
        set service "ALL"
        set extip 10.1.100.2
        set mappedip "10.100.100.1"
        set extintf "port1"
    next
end

config firewall policy
    edit 1
        set name "vip"
        set srcintf "port1"
        set dstintf "dns-loopback"
        set action accept
        set srcaddr "all"
        set dstaddr "DNS_vip"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

This issue has been resolved in FortiOS version 7.6.1.
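As an added example that is not part of the article, the following Python script parses FortiOS CLI configuration and flags every VIP whose mapped IP belongs to an interface that also has a "config system dns-server" entry, so an administrator can tell whether a unit on one of the listed releases has this DNS logging blind spot. The parser, the AFFECTED set (taken from the Scope above) and the trimmed sample configuration are the example's own assumptions.

```python
import shlex

AFFECTED = {"7.2.7", "7.2.8", "7.2.9", "7.2.10", "7.4.5"}  # releases in the article's Scope; 7.6.1 has the fix

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: {table: {entry: {key: [values]}}}."""
    root, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):          # open a table or an entry
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] in ("end", "next"):           # close the current table or entry
            stack.pop()
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
    return root

def unlogged_dns_vips(cfg):
    """VIPs whose mapped IP is an interface address that also runs the DNS service;
    DNS queries arriving via these VIPs produce no DNS log on the affected releases."""
    ifaces = cfg.get("system interface", {})
    dns_ips = {ifaces[n]["ip"][0] for n in cfg.get("system dns-server", {}) if "ip" in ifaces.get(n, {})}
    hits = []
    for name, vip in cfg.get("firewall vip", {}).items():
        mapped = vip.get("mappedip", [""])[0].split("-")[0]  # "a.b.c.d" or "a.b.c.d-w.x.y.z"
        if mapped in dns_ips:
            hits.append((name, mapped))
    return hits

def is_affected(version, cfg):
    # True when the firmware is in scope and the VIP-to-DNS-interface pattern exists.
    return version in AFFECTED and bool(unlogged_dns_vips(cfg))

# Constructed sample, trimmed from the article's configuration above.
SAMPLE = """\
config system interface
    edit "dns-loopback"
        set ip 10.100.100.1 255.255.255.0
    next
end
config system dns-server
    edit "dns-loopback"
    next
end
config firewall vip
    edit "DNS_vip"
        set extip 10.1.100.2
        set mappedip "10.100.100.1"
    next
end
"""
```

Run it against the output of "show full-configuration" from the unit; a hit combined with an in-scope version means DNS queries through that VIP are answered but not logged until the upgrade.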