Ever since the firewall was set up, DNS lookups for the domain hmf.local have not been working. Does the firewall inspect internal DNS queries? The local DC is the DNS server and the FG is the DHCP server. The DC can be pinged from workstations. The FG is connected to the DC via LDAP.
For example, this stops VPN users from changing their passwords remotely.
It also stops Windows machines from joining the domain.
What DNS server IPs is the DHCP server (FGT) providing to those devices? If it's the DC's IP address as the primary DNS, the devices should be able to get the local DNS name resolved by the DC.
Toshi
The devices can access the internet and the LAN. They can ping the DC by IP and hostname.
Screenshot in the link.
https://docs.google.com/document/d/1RSBxAKuxMs3LfCdJEggbRl9M_7DS7hsPq8Wx8pv1aU8/edit?usp=sharing
No. I'm talking about DHCP server config on the FGT. If CLI, under "config system dhcp server". Or, alternatively you can confirm it with "ipconfig /all" on a windows machine to see what primary DNS server IP the device is getting over DHCP on the ethernet interface (or wifi interface).
Toshi
In GUI, under the interface config like below. This is my home FGT's phone VLAN interface config. Obviously I don't have any internal domain/DNS so just pointing to the Google DNS IPs.
Toshi
Thank you for taking the time to help me. I have already tried that with no success.
Created on 08-28-2024 11:22 PM Edited on 08-28-2024 11:24 PM
What do you mean "already tried"? You changed it back? Back to what IPs?
If the DC IP is something like 192.168.100.100/24, you need to set that IP as "DNS server 1" in the DHCP config.
Then the device should get it in "ipconfig /all" like below:
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
   Physical Address. . . . . . . . . : 64-00-6A-5C-A9-67
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8f85:5968:d8ab:bc77%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.68.3.231(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . : 10.68.3.225
   DHCPv6 IAID . . . . . . . . . . . : 576979050
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-89-1C-B1-64-00-6A-5C-A9-67
   DNS Servers . . . . . . . . . . . : 8.8.8.8   <--- 192.168.100.100 should show here
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
Toshi
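When you are checking this on more than one or two workstations, it helps to script the "ipconfig /all" check instead of eyeballing it. The following is an added example written for this thread, not code from Toshi or from Fortinet: it parses the adapter section of ipconfig output (the sample below is constructed to mirror the output quoted above) and reports whether the expected DC address is the first DNS server. The multi-value "DNS Servers" field prints its second address on a continuation line with no ":" separator, so the parser treats any line without a field separator as a continuation of the previous field; that also works when the indentation has been lost, as in the output pasted in the thread. The adapter name and the DC address 192.168.100.100 are the ones used in the thread.

```python
"""Verify which DNS servers a Windows client was given, from `ipconfig /all` text.

Added example for the forum thread (not from the original post or from Fortinet).
Run `ipconfig /all > out.txt` on the client and feed the file to primary_dns_is().
"""
import re
import sys

# Constructed sample, modelled on the ipconfig output quoted in the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8f85:5968:d8ab:bc77%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.68.3.231(Preferred)
   Default Gateway . . . . . . . . . : 10.68.3.225
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Adapter headers start at column 0 and end with ":"; field lines have a key,
# a run of " . " padding and a ":" separator; continuation lines have neither.
_ADAPTER = re.compile(r"^(\S.*adapter .*):\s*$")
_FIELD = re.compile(r"^\s*(?P<key>\S.*?)[ .]+: ?(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field_name: [value, ...]}}.

    Empty fields map to an empty list; a line with no field separator is
    appended to the previous field (how ipconfig prints multi-valued fields).
    """
    adapters = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = _ADAPTER.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_key = None
            continue
        if current is None:
            continue  # global header lines (Host Name etc.) before the first adapter
        m = _FIELD.match(line)
        if m:
            last_key = m.group("key").strip()
            value = m.group("value").strip()
            adapters[current][last_key] = [value] if value else []
        elif last_key is not None:
            adapters[current][last_key].append(line.strip())
    return adapters


def dns_servers(adapters, adapter_name):
    """DNS server list for one adapter, with any "(Preferred)"-style suffix removed."""
    values = adapters.get(adapter_name, {}).get("DNS Servers", [])
    return [v.split("(")[0].strip() for v in values]


def primary_dns_is(text, expected_ip, adapter_name="Ethernet adapter Ethernet"):
    """True when the first DNS server handed to the adapter is expected_ip."""
    servers = dns_servers(parse_ipconfig(text), adapter_name)
    return bool(servers) and servers[0] == expected_ip


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPCONFIG
    dc_ip = sys.argv[2] if len(sys.argv) > 2 else "192.168.100.100"  # DC address from the thread
    for name, fields in parse_ipconfig(text).items():
        print(name, "->", dns_servers({name: fields}, name))
    print("primary DNS is the DC:", primary_dns_is(text, dc_ip))
```

Usage: `python check_dns.py out.txt 192.168.100.100`. If this reports True on the client and resolution of hmf.local still fails, the DHCP option is not the problem and the next step is to look at what the DC itself answers.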
Before posting here, I have already tried both "Specify" and "Same as system DNS". In both cases the client will show the correct DNS server (the domain controller) in ipconfig. And none of that helped in resolving the issue.
Then I don't think the problem is the FGT. I would run Wireshark on the DC server to see the DNS request packets from the devices and what the DC/DNS server is returning to the device.
And further, you might want to move a device from the current subnet/interface of the FGT to the same subnet/interface on the DC server and configure the IP/DNS statically on the device to make sure it would work as well.
Toshi
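Domain join and the VPN password change mentioned at the top of the thread both depend on the client finding a domain controller through the SRV record _ldap._tcp.dc._msdcs.<domain>, so that record is the one to watch for in the Wireshark capture Toshi suggests. As an added example, not code from the thread or from Fortinet, the script below sends exactly that query straight to the DC with nothing but the Python standard library and decodes the SRV answer, including the name-compression pointers a real server uses. The domain hmf.local is from the thread; the DC hostname dc1, the constructed sample response used for the offline test, and the DC address on the command line are assumptions.

```python
"""Query a DC directly for the _ldap._tcp.dc._msdcs.<domain> SRV record.

Added example for the forum thread (not from the original posts). Usage:
    python dc_srv.py 192.168.100.100 hmf.local
"""
import socket
import struct
import sys

SRV_TYPE = 33  # RR type SRV
CLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard query, recursion desired, one question (SRV, IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name in the message ends after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_srv_response(msg):
    """Return (rcode, [SRV records]) from a raw DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            records.append({"priority": prio, "weight": weight, "port": port,
                            "target": target, "ttl": ttl})
        offset += rdlen
    return rcode, records


def query_dc_srv(dns_server_ip, domain="hmf.local", timeout=3.0):
    """Ask dns_server_ip for the DC locator record of domain; rcode 0 + records = healthy."""
    query = build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (dns_server_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_srv_response(data)


# Constructed sample response (not a capture): flags 0x8180 (response, RD, RA),
# the question echoed, one answer "0 100 389 dc1.hmf.local." whose owner is a
# pointer to offset 12 and whose target reuses "hmf.local" via pointer 0xC021.
QUERY_NAME = "_ldap._tcp.dc._msdcs.hmf.local"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name(QUERY_NAME) + struct.pack("!HH", SRV_TYPE, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, CLASS_IN, 600, 12)
    + struct.pack("!HHH", 0, 100, 389) + b"\x03dc1" + b"\xc0\x21"
)
SAMPLE_NXDOMAIN = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + encode_name(QUERY_NAME) + struct.pack("!HH", SRV_TYPE, CLASS_IN)
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(query_dc_srv(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "hmf.local"))
    else:
        print(parse_srv_response(SAMPLE_RESPONSE))
```

An rcode of 3 (NXDOMAIN) or an empty answer list from the DC means the client cannot locate a domain controller regardless of what the FortiGate does; a timeout when the query is sent from the client subnet but not from the DC's own subnet points back at something between the two.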
FG, DC/DNS and local clients are in the same VLAN and subnet.
For example:
FG: 192.168.x.a
DNS/DC : 192.168.x.b
Clients : 192.168.x.c and onwards.
Subnet: same for all the above.