Description
This article describes an issue while adding a production domain name to the 'Allowed Domains' list.
Scope
FortiNAC 9.4, FortiNAC-F-7.X.
Solution
Adding a production domain name to the 'Allowed Domains' list can fail with an error message. Adding a production domain name may be required for various reasons: access provisioning, allowing isolated hosts to reach domain services, GPOs, etc.
This error means the domain cannot be added to the list and, as explained in Technical Tip: Verify IP resolution of a domain when in isolation, the domain is indeed not in the 'Allowed Domains' list. As a result, any DNS lookup for that domain from an isolated host resolves to the isolation network interface's IP address instead of the domain controllers:
```
fortinac1 # execute enter-shell
fortinac1:~$ dig @192.168.99.2 forti.lab

; <<>> DiG 9.18.19 <<>> @192.168.99.2 forti.lab
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48241
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c1f31a7819a2dd04010000006800c7220ae2e7a811207748 (good)
;; QUESTION SECTION:
;forti.lab. IN A

;; AUTHORITY SECTION:
forti.lab. 15 IN SOA isol.forti.lab. root.isol.forti.lab. 1 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.99.2#53(192.168.99.2) (UDP)
;; WHEN: Thu Apr 17 11:17:22 CEST 2025
;; MSG SIZE rcvd: 112

fortinac1:~$ grep -i forti.lab /var/named/chroot/etc/zones.common
fortinac1:~$
```
The root cause of the issue is the configured 'isolation DHCP scope'. According to the documentation (search for 'Isolation Field Definitions'), the 'Domain name' field of an isolation scope must not be the same as the production DNS domain name:
In the example above, only one isolation network is configured. If several isolation networks are configured, none of them may use the production domain name in its 'Domain Name' field.
After changing the 'Domain Name' to forti-iso.lab, the production domain name can be added to the 'Allowed Domains' list without error:
In the example above, the production domain name has already been added to the list. Remember to select the 'Save settings' button after successfully adding a domain to the list.
CLI outputs:
```
fortinac1:~$ dig @192.168.99.2 forti.lab

; <<>> DiG 9.18.19 <<>> @192.168.99.2 forti.lab
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34331
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1600995b37d60244010000006800cde56d4dd7e0ced5f8ca (good)
;; QUESTION SECTION:
;forti.lab. IN A

;; ANSWER SECTION:
forti.lab. 600 IN A 192.168.40.10
forti.lab. 600 IN A 192.168.40.11

;; Query time: 0 msec
;; SERVER: 192.168.99.2#53(192.168.99.2) (UDP)
;; WHEN: Thu Apr 17 11:46:13 CEST 2025
;; MSG SIZE rcvd: 98

fortinac1:~$ grep -i forti.lab /var/named/chroot/etc/zones.common
zone "forti.lab" {
fortinac1:~$
```
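The two dig captures above differ in exactly the details an administrator has to read off by eye: the 'aa' flag, an empty ANSWER section and an SOA for isol.forti.lab in the first capture (the isolation zone answered for the domain itself), versus a non-authoritative answer carrying the two A records in the second (the query was forwarded to the production DNS). The following script is an added example, not FortiNAC or Fortinet code. It parses dig output in that format, classifies it, and also performs the root-cause check described above (an isolation DHCP scope whose 'Domain name' equals the production domain). The embedded captures are trimmed copies of the two outputs in this article; the function and label names are the example's own.

```python
"""Added triage helper for the isolation-DNS behaviour shown in this article
(example code, not FortiNAC's own). Classifies a `dig` capture as
'local-isolation-zone' (domain not on the 'Allowed Domains' list),
'forwarded' (domain allowed) or 'unknown', and flags isolation DHCP scopes
whose 'Domain name' collides with the production domain."""
import re
from dataclasses import dataclass, field

# One resource record line: name  ttl  IN  type  rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


@dataclass
class DigResult:
    status: str = ""
    flags: set = field(default_factory=set)
    answers: list = field(default_factory=list)    # (name, ttl, rrtype, rdata)
    authority: list = field(default_factory=list)
    server: str = ""


def parse_dig(text: str) -> DigResult:
    """Parse the human-readable output of `dig` into a DigResult."""
    res, section = DigResult(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                         # a blank line ends the section
            section = None
        elif line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status:\s*(\w+)", line)
            res.status = m.group(1) if m else ""
        elif line.startswith(";; flags:"):   # "qr aa rd ra; QUERY: 1, ..."
            res.flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith(";; SERVER:"):  # "192.168.99.2#53(192.168.99.2) (UDP)"
            res.server = line.split()[2].split("#")[0]
        elif line.endswith(" SECTION:"):     # ";; ANSWER SECTION:" etc.
            section = line.split()[1]
        elif section in ("ANSWER", "AUTHORITY") and not line.startswith(";"):
            m = RR_RE.match(line)
            if m:
                rec = (m.group(1), int(m.group(2)), m.group(3), m.group(4))
                (res.answers if section == "ANSWER" else res.authority).append(rec)
    return res


def classify(res: DigResult) -> str:
    """Authoritative, answer-less reply with an SOA means the isolation zone
    answered locally; a non-authoritative reply with records means the query
    was forwarded to the production DNS."""
    if res.status != "NOERROR":
        return "unknown"
    has_soa = any(rr[2] == "SOA" for rr in res.authority)
    if "aa" in res.flags and not res.answers and has_soa:
        return "local-isolation-zone"
    if res.answers and "aa" not in res.flags:
        return "forwarded"
    return "unknown"


def scope_domain_conflicts(production_domain: str, isolation_scope_domains) -> list:
    """Isolation DHCP scopes whose 'Domain name' equals the production domain
    (case-insensitive, trailing dot ignored). Every hit must be renamed, e.g. to
    forti-iso.lab, before the production domain can be allowed."""
    def norm(d):
        return d.strip().rstrip(".").lower()
    target = norm(production_domain)
    return [d for d in isolation_scope_domains if norm(d) == target]


# Constructed samples: trimmed copies of the two captures in this article.
DIG_BEFORE_FIX = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48241
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;forti.lab. IN A

;; AUTHORITY SECTION:
forti.lab. 15 IN SOA isol.forti.lab. root.isol.forti.lab. 1 10800 3600 604800 86400

;; SERVER: 192.168.99.2#53(192.168.99.2) (UDP)
"""

DIG_AFTER_FIX = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34331
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;forti.lab. IN A

;; ANSWER SECTION:
forti.lab. 600 IN A 192.168.40.10
forti.lab. 600 IN A 192.168.40.11

;; SERVER: 192.168.99.2#53(192.168.99.2) (UDP)
"""

if __name__ == "__main__":
    for label, capture in (("before fix", DIG_BEFORE_FIX), ("after fix", DIG_AFTER_FIX)):
        r = parse_dig(capture)
        print(f"{label}: {classify(r)} via {r.server}; A records {[rr[3] for rr in r.answers]}")
    # Hypothetical scope list: the first entry reproduces the misconfiguration.
    print("conflicting scopes:", scope_domain_conflicts("forti.lab", ["forti.lab", "guest-iso.lab"]))
```

On the appliance the same check can be fed live output, e.g. `dig @192.168.99.2 forti.lab | python3 this_script.py` after replacing the embedded captures with `sys.stdin.read()`; a 'local-isolation-zone' verdict for a domain that is supposed to be allowed points straight at the 'Allowed Domains' list, and a non-empty result from the scope check points at the isolation DHCP scope that has to be renamed first.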
Copyright 2025 Fortinet, Inc. All Rights Reserved.