We are operating a pair of 100D Hardware Appliances (v6.2.4 build 1112 GA), running HA in an Active/Passive configuration and in Flow Mode. Our FortiGate 100D Appliances sit at the edge of our wireless network.
We recently upgraded to v6.2.4 as per a Fortinet Support recommendation to address an IPS Engine fault.
However, we are now seeing issues regarding slow DNS resolution which results in loss of Internet access to our users.
We are using external DNS Servers provided by our ISP (BT). After a period of days the latency of these servers increases until the FortiGate 100D states that they are 'unreachable'. At this point Internet access for our wireless network users is lost.
We do have DNS Filtering enabled to block botnet domains, but we are NOT using the FortiGuard Category Based Filter. I think this has been mentioned somewhere else on this site as a possible cause of slow DNS resolution.
Fortinet Support have recommended that we change our external DNS Servers from BT to something like Google DNS, but I think this won't make any difference as we use the same BT DNS Servers for our wired network users and there has been no such issue there. Our wired and wireless networks are two completely separate entities.
Any suggestions as to how this issue could be resolved would be much appreciated.
Fortinet Support further recommended an upgrade to v6.2.5 as it may be related to a Known Issue (635589):
"From your message I understood that you have issues that after a while DNS is dropping and after a while no traffic is possible anymore. The description that a reboot is needed to bring the device back online sounds like you are matching Known Issue 635589"
I have just upgraded the appliances to v6.2.5 and am waiting to see if this actually resolves the issue.
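A way to put numbers on the "latency increases until the servers are marked unreachable" symptom, as an added example that is not part of the original post or of any Fortinet tooling: a small stand-alone resolver probe that sends one UDP A query per server, times the reply, and labels the result ok / slow / failed. Run it from a host on the wireless segment and from one on the wired segment against the same resolver addresses, and the two sets of readings over a few days show whether the ISP resolvers themselves degrade or only the path through the wireless-edge FortiGate does. The resolver addresses are assumed (the script takes them on the command line and falls back to 8.8.8.8, which the post mentions as the suggested alternative); the 500 ms "slow" threshold and the `example.com` query name are arbitrary choices, and the DNS test packets in the test are constructed by hand.

```python
import random
import socket
import struct
import time

# Wire-format helpers. Only a plain A query and the 12-byte response header are
# needed to measure resolver responsiveness, so that is all this implements.

def build_query(qname: str, txid: int) -> bytes:
    """Build a minimal DNS A/IN query (RD=1) for qname with the given transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, txid: int) -> dict:
    """Return rcode / truncation / answer count from a DNS response header.

    Raises ValueError when the datagram is too short, is not a response, or does
    not carry the transaction id we sent (a stray or spoofed reply).
    """
    if len(data) < 12:
        raise ValueError("short response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200), "answers": an}


def probe(server: str, qname: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one query to server:53 over UDP and report latency in ms and rcode.

    latency_ms is None when the resolver did not answer within `timeout`
    seconds or the reply could not be parsed.
    """
    txid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(qname, txid), (server, 53))
        data, _peer = sock.recvfrom(512)
        latency_ms = (time.monotonic() - start) * 1000.0
        info = parse_response(data, txid)
        return {"server": server, "latency_ms": latency_ms, "rcode": info["rcode"], "error": None}
    except (socket.timeout, ValueError, OSError) as exc:
        return {"server": server, "latency_ms": None, "rcode": None,
                "error": str(exc) or type(exc).__name__}
    finally:
        sock.close()


def classify(result: dict, slow_ms: float = 500.0) -> str:
    """Label a probe result the way an operator reads it: 'ok', 'slow' or 'failed'.

    NOERROR (0) and NXDOMAIN (3) both prove the resolver is working; anything
    else (SERVFAIL, REFUSED, no reply) counts as a failure. The 500 ms cut-off
    is an arbitrary threshold chosen for this example.
    """
    if result["latency_ms"] is None or result["rcode"] not in (0, 3):
        return "failed"
    return "slow" if result["latency_ms"] > slow_ms else "ok"


if __name__ == "__main__":
    import sys
    # Assumed usage: python dnsprobe.py <resolver-ip> [<resolver-ip> ...]
    servers = sys.argv[1:] or ["8.8.8.8"]
    for server in servers:
        r = probe(server)
        print(f"{server:16} {classify(r):7} latency_ms={r['latency_ms']} "
              f"rcode={r['rcode']} error={r['error']}")
```

Run it from cron on both segments and keep the output; a resolver that reads "ok" from the wired side and "slow" or "failed" from the wireless side at the same time points the finger at the path through the FortiGate (or its DNS proxy), not at the ISP's servers. Note that this probes the upstream resolvers directly and does not exercise the FortiGate's own DNS filtering path, so it complements rather than replaces the support case.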