Created on 06-27-2025 01:09 AM
Edited on 06-29-2025 10:26 PM
By Jean-Philippe_P
Description
This article describes what to do when TS Agent FSSO users are unable to resolve DNS.
Scope
FortiGate v7.2, v7.4, v7.6. TS Agent.
Solution
In this example the TS Agent user is present in the output of 'diagnose firewall auth list', and the TS Agent has allocated the source-port ranges 1025-1224 and 1225-1424 to that user's session:
The identity-based firewall policy that references the TS Agent FSSO user group:
However, when the user tries to access web pages, they do not load because the names cannot be resolved:
Running a debug flow on the DNS traffic shows that its source port lies outside the range allocated by the TS Agent (1025-1224 and 1225-1424):
This happens because the TS Agent identifies a user only by the source-port range it assigns to that user's session. DNS lookups on a Windows terminal server are not sent by the user's own process: they are performed by the DNS Client system service on behalf of all sessions, so the queries do not use any user's allocated port range. The same limitation applies to ICMP/ping, which carries no ports at all, and to SMB, which is also handled by the system. The FortiGate therefore cannot attribute the DNS packets to the user, the traffic does not match the identity-based firewall policy, and it is dropped.
Solution: Create a separate firewall policy, without the TS Agent FSSO user group, that allows only DNS traffic, and place it above the identity-based policy:
Because this policy passes traffic without identity verification, keep its scope as narrow as possible: restrict the service to DNS and the destination to the organization's DNS servers rather than 'all', so that it cannot be used to reach other destinations while bypassing the user-based policy.
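The equivalent FortiOS CLI configuration, added here as an illustration and not taken from the original article. The interface names (port2, port1), the address object names and the IP addresses are assumptions; replace them with the values of your environment. The DNS-only policy deliberately carries no 'set groups' line, and its destination is limited to the internal DNS servers.

```text
# Address object for the terminal servers running the TS Agent (assumed subnet).
config firewall address
    edit "TS-Server-Subnet"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Address object for the internal DNS servers (assumed addresses).
config firewall address
    edit "Internal-DNS-Servers"
        set type iprange
        set start-ip 10.0.0.53
        set end-ip 10.0.0.54
    next
end

# DNS-only policy without an FSSO user group.
# 'edit 0' creates a new policy with the next free ID.
config firewall policy
    edit 0
        set name "TS-Agent-DNS-Bypass"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "TS-Server-Subnet"
        set dstaddr "Internal-DNS-Servers"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

After creating the policy, note the ID it received and move it above the identity-based policy with 'move <new-id> before <identity-policy-id>' inside 'config firewall policy'; a policy is evaluated top-down, so the DNS policy is only useful if it is reached before the FSSO policy. With 'set logtraffic all' the DNS sessions appear in the Forward Traffic log, which is where the match against the new policy is confirmed below. If the flow still needs to be traced, 'diagnose debug flow filter port 53' narrows the debug flow to the DNS queries.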
In the Forward Traffic logs, the HTTPS traffic to the web pages uses a source port within the range allocated by the TS Agent (1025-1224 and 1225-1424) and matches the identity-based policy:
Whereas the DNS queries to the DNS servers match the newly created DNS firewall policy:
Copyright 2025 Fortinet, Inc. All Rights Reserved.