FortiGate
Anthony_E
Community Manager
Article Id 197416

Description

This article describes the requirements for the FortiGate to intercept, process and reply to DNS queries arriving over the SSL VPN tunnel.

Scope

Topology:

Windows FortiClient (IP: 10.10.10.100) - FortiGate (local DNS database).

Solution

In some cases, users have SSL VPN working for communication with devices on the LAN/internal interface, but DNS queries sent to the FortiGate's LAN IP go unanswered. It is then sometimes sufficient to add the SSL VPN tunnel interface as 'recursive' in the 'DNS Services on Interface' section, which lets the FortiGate answer queries originating from the SSL VPN interface and subnet without any further configuration.

If this does not suffice or more detail is needed, consult the rest of this article.

Configure the following in the CLI:

VPN configuration:

config vpn ssl settings
    set status enable
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set dns-server1 10.180.20.2
    set source-interface "wan2"
    set source-address "all"
    set source-address6 "all"
    set default-portal "tunnel-access"
end

Local interface used for DNS:

config system interface
    edit "loopback_test"
        set vdom "root"
        set ip 10.180.20.2 255.255.255.255
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 52
    next
end

Firewall policy to allow DNS traffic:

config firewall policy
    edit 4
        set name "DNS- policy"
        set srcintf "ssl.root"
        set dstintf "loopback_test"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
        set nat enable
        set users "guest"
    next
end

Local DNS database configuration:

config system dns-database
    edit "Local-server"
        set domain "fortinet.com"
        set ttl 900
        set authoritative disable
        config dns-entry
            edit 1
                set hostname "first"
                set ip 172.16.1.1
            next
        end
    next
end

Enable the DNS service on both interfaces (the dialup SSL VPN tunnel interface ssl.root and the local loopback interface loopback_test):

config system dns-server
    edit "loopback_test"
    next
    edit "ssl.root"
    next
end
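The requirements configured above can be checked against a FortiGate CLI export before connecting. The Python script below is an added example, not Fortinet code: parse() is a minimal, hypothetical reader of the config/edit/set/next/end grammar (not a Fortinet API), and lint() confirms that dns-server1 is set in the SSL VPN settings, that 'system dns-server' has entries for both the tunnel interface and the DNS interface, and that an accept policy for service DNS exists from the tunnel interface to the DNS interface. The interface names ssl.root and loopback_test come from this article; SAMPLE is a constructed excerpt of the article's blocks.

```python
import shlex
def parse(text):
    """FortiGate CLI -> {block path: {entry: {key: [values]}}}; entry '' holds a block's own 'set' lines."""
    blocks, stack, cur = {}, [], {}  # stack: (block name, enclosing entry) per nesting level
    key = lambda: " ".join(name for name, _ in stack)
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] == "config":
            stack.append((" ".join(tok[1:]), cur))
            cur = blocks.setdefault(key(), {}).setdefault("", {})
        elif tok and tok[0] == "edit":
            cur = blocks[key()].setdefault(tok[1], {})
        elif tok and tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok and tok[0] == "next":
            cur = blocks[key()][""]
        elif tok and tok[0] == "end":
            cur = stack.pop()[1]  # back to the entry that enclosed the nested block
    return blocks

def lint(text, tunnel_if="ssl.root", dns_if="loopback_test"):
    """Return the article's requirements that the export fails to meet ([] means all are met)."""
    cfg, issues = parse(text), []
    if "dns-server1" not in cfg.get("vpn ssl settings", {}).get("", {}):
        issues.append("vpn ssl settings: dns-server1 not set, so clients get no resolver")
    issues += [f"system dns-server: no entry for {n}"  # DNS must listen on both interfaces
               for n in (dns_if, tunnel_if) if n not in cfg.get("system dns-server", {})]
    if not any(p.get("srcintf") == [tunnel_if] and p.get("dstintf") == [dns_if] and
               p.get("action") == ["accept"] and "DNS" in p.get("service", [])
               for p in cfg.get("firewall policy", {}).values()):
        issues.append(f"firewall policy: no accept rule {tunnel_if} -> {dns_if} for DNS")
    return issues

# Constructed sample: the article's blocks reduced to the lines the checks read.
SAMPLE = """config vpn ssl settings
    set dns-server1 10.180.20.2
end
config system dns-server
    edit "loopback_test"
    next
    edit "ssl.root"
    next
end
config firewall policy
    edit 4
        set srcintf "ssl.root"
        set dstintf "loopback_test"
        set action accept
        set service "DNS"
    next
end"""
```

Run lint() on the text of 'show full-configuration' (or any export containing these blocks); an empty list means every check passed.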

 

Next, connect the SSL VPN client.

Testing the implementation:

C:\Users\fortinet>nslookup first.fortinet.com
Server:  UnKnown
Address:  10.180.20.2

Non-authoritative answer:
Name:    first.fortinet.com
Address:  172.16.1.1
