Help
FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
khoffman
Staff
Staff

Created on ‎03-05-2024 09:34 PM Edited on ‎03-05-2024 09:35 PM By Community Manager

Article Id 302961

Troubleshooting Tip: Domain resolution in Isolation networks

Description This article describes how to troubleshoot domain resolution in the isolation networks (Isolation, Registration, Remediation...etc) to allow hosts to resolve specific domains from Isolation. Examples include, the ability to download AntiVirus/OS updates and SSL certificate validation. 

When a device is connected to an isolation VLAN (e.g., Registration, Quarantine, DeadEnd), the NAC Server acts as the DNS server. Upon receipt of a DNS request from the isolated host, the appliance returns the IP address of the isolation interface (port 2) unless the domain is listed on the Allowed Domains page.

If a request for a domain listed in the Allowed Domains page is received, the appliance sends a request to the production DNS server for resolution.

To provide appropriate IP resolution to isolated devices for completing actions such as updating AV programs and SSL certificate authentication, this list should be updated as necessary.

Note:

The appliance does not act as a router or firewall. The host will use the existing network infrastructure to access the internet for AV and OS updates from the internet. FortiNAC only acts as the DNS server.
Scope FortiNAC-F v7.X.
Solution

Step 1: Identify which domains resolve to the Isolation interface.

  1. Login to the FortiNAC-F CLI as 'admin' and type:

execute enter-shell

  1. Generate a list of domains resolving to the isolation interface. Run one of the following commands:

Option 1: Generates a list of domains that all isolated hosts attempting to access, type:

grep PassThru /bsc/logs/named.log | cut -d' ' -f11 | sort | uniq -c | sort -rg

Option 2: Generate a list of domains a specific isolated host attempted to access.

grep <IP-Address-of-Host> -A1 /bsc/logs/named.log | grep PassThru | cut -d' ' -f11 |sort | uniq -c | sort -rg

Example:

 

grep 192.168.4.5 -A1 /bsc/logs/named.log | grep PassThru | cut -d' ' -f10 |sort | uniq -c | sort -rg

  1. Review the resulting list. The most commonly attempted domains are at the top of the file along with the number of times the domain was attempted to be accessed unsuccessfully.

Output example (actual list will be much longer):

 

2556 udbn4b.centralus.cloudapp.azure.com
2276 www.msftconnecttest.com
1584 wu-bg-shim.trafficmanager.net


Step 2: Add Domains to the Allowed Domains List.

 

Note:

Avoid adding domains used for Captive Network Assistant and the domain name of the FortiNAC. This will impact how the portal is displayed and agent communication from the Isolation network.

 

  1. Use the results from the previous step to determine which domains should be added to the Allowed Domains list for proper IP resolution. Depending upon company policies and configuration it may not be desirable to add all the missing domains.

For a list of domains, see the Domains to Add to Allowed Domains List reference manual in the Document Library.

  1. Add the domains to the Allowed Domains List and save. For instructions see the section Allowed domains in the Administration Guide.
  2. Verify the domain resolves to the appropriate IP address with the 'dig' command in the CLI. For instructions see KB article Verify IP resolution of a domain when in isolation.

Note:

The 'dig' command can be used to view the IP resolution of a specific domain, including any c-names used during resolution.

Those c-names should also added to the Allowed Domains List.

 

Step 3: Re-Test

  1. Flush the DNS cache on the computer. This ensures new DNS queries are sent and the domain names added to the list are resolved properly.
  2. Reconnect to the isolation network
  3. Validate from the end station that the host is receiving the expected DNS response.
  • If the domain is being resolved but the host cannot access the domain, troubleshoot the Isolation network
  • If the domain is not resolved Return to step 1 (Identify domains that are not resolving) to re-evaluate.

 

Related article: 
Troubleshooting Tip: Appliance domain in Allowed Domains List causes inconsistent agent communicatio...
607
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.