FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 240231


This article describes how to make the web mode SSL VPN resolve the internal DNS.




All FortiGates and SSL VPN Web Mode.




When a user connects through SSL VPN web mode, FortiGate acts as a proxy server: the request from the web mode user is sent to FortiGate, and FortiGate opens a separate request of its own to the destination.


As a result, the second session is self-originating traffic on the FortiGate:


SSL VPN user===========FortiGate {Session 1}

FortiGate==============Destination behind FortiGate interface {Session 2}


Therefore, any DNS query needed for session 2 is resolved using the FortiGate's own system DNS servers, not the DNS servers configured in the SSL VPN settings.


When a bookmark or URL is accessed using Quick Connection, the URL has to be resolved through the internal DNS. FortiGate will look up the IP address using FortiGate's DNS servers, and if both the primary and secondary DNS servers are public or the FortiGuard servers, the following error will appear:




To resolve this issue, make sure that one of the DNS servers is an internal DNS server that can resolve the internal names and the DNS local domain name. If the internal DNS server cannot resolve internet queries, set a public DNS server to resolve internet queries.


Example: under Network -> DNS:




If the internal DNS server can also resolve internet queries, there is no need to add a public DNS server: the internal DNS server alone will resolve both internet and web mode (internal) DNS queries.


From the CLI:


# config system dns

    set primary <public-DNS-IP>       <- To resolve internet queries.

    set secondary <internal-DNS-IP>   <- To resolve internal queries.

    set domain "local.fgt"

# end
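The two configurations side by side, as an added illustration that is not part of the original article: the failing one, where both system resolvers are public, and the corrected one. The IP addresses are constructed placeholders, and the `<-` annotations follow the article's convention and are not CLI syntax.

```fortios
# Failing configuration: both system resolvers are public, so the
# self-originated request FortiGate makes for a web mode bookmark such as
# intranet.local.fgt cannot be resolved and the bookmark errors out.
config system dns
    set primary 203.0.113.53       <- public resolver (placeholder address)
    set secondary 203.0.113.54     <- public resolver (placeholder address)
end

# Corrected configuration: one resolver is the internal DNS server that
# knows the local domain; the public resolver remains for internet names.
config system dns
    set primary 10.10.10.5         <- internal DNS (constructed address)
    set secondary 203.0.113.53     <- public resolver for internet queries
    set domain "local.fgt"
end

# The DNS servers under the SSL VPN settings are handed to tunnel mode
# clients; they are not used when FortiGate resolves a web mode bookmark
# itself, which is why the fix has to be made in system dns.
config vpn ssl settings
    set dns-server1 10.10.10.5
end
```

If the internal DNS server forwards internet queries, the public secondary can be omitted and the internal server used alone.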