FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
herzogk
Staff
Staff
Description
This article describes the situation when utilizing a FortiExtender interface for SD-WAN and the mobile ISP DNS is overriding the FortiGate system DNS.

This can be a problem as often DNS servers provided by the mobile carrier only allow connections for carrier clients.
In this case DNS traffic across all other SD-WAN member interfaces will fail.

This behavior is caused by the ‘set dns-server-override‘ being enabled by default on interface settings and the fact that often a mobile ISP provide services via DHCP.

Solution
To correct it, disable this setting under the FortiExtender virtual interface on the FortiGate.
 
Disabling this prevents the interface from using a DNS server acquired via DHCP or PPPoE.

# config system interface
    edit <name of your FortiExtender interface>
        set dns-server-override disable
    end

Contributors