- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Firewall Policy / DNS Integration
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Firewall Policy / DNS Integration
Hi,
my query is mix and match and hopes that someone will definitely help me to get me out of this with your expertise. i am very thankful to all of you.
1. I have Windows DNS of Network "192.0.0.x" with the local domain "example.com" and my website is also with the same name "example.com" that is hosted on remote cloud/VPS.
2. I have VLAN infrastructure and my Wireless LAN Network is '172.16.2.0".
3. My Local DNS has the "A" Record of my public website domain. and the public website is perfectly accessible from the Same Network (192.0.0.x).
4. When I try to access the example.com (Website) from 172.16.2.0 Network. it is not accessible from 172.16.2.x network. while the when i ping the www.example.com it is going reachable. and traceroute is also be going ok.
5. Question is : how to make changes in Fortigate firewall that "www.example.com" is being accessible from the local network of other vlan subnet.
Labels:
- Labels:
-
FortiGate
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have Windows DNS of Network "192.0.0.x" with the local domain "example.com" and my website is also with the same name "example.com" that is hosted on remote cloud/VPS.
--> May i know what is the ip address of the example.com and how it is connected to the existiing network
When I try to access the example.com (Website) from 172.16.2.0 Network. it is not accessible from 172.16.2.x network. while the when i ping the www.example.com it is going reachable. and traceroute is also be going ok.
If the ping is getting reachable i believe you should be able to webserver for http access as well, when you are pinging are you getting response from expected ip address?
Did you define any rules in the webserver to access site only from specifci ip address?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure. IP Address of www.example.com is 204.93.161.x. yes when i ping example.com (Which is local domain) it responsed perfectly from 192.0.0.x and when i ping www.example.com it also responed from 204.93.161.x.
2ndly i haved checked the http and https allow in policy but the result was the same. even i have allow all services and any destination but i was still unable to access from the other vlan local subnet (172.16.2.x).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure. IP Address of www.example.com is 204.93.161.x. yes when i ping example.com (Which is local domain) it responsed perfectly from 192.0.0.x and when i ping www.example.com it also responed from 204.93.161.x.
---could you please explain this line again, you mean to say dns lookup domain is resolving to two different ipa ddress?
can you do nslookup from the problematic subnet and see what is the ip address it is resolving to?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edit the firewall policy that is allowing ping and traceroute toward your destination (www.example.com), and add http & https to the allowed services.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, I had also done this, and even allowing any service in the policy is not affect the requirement. and the site is still inaccessible from the local subnet of other VLAN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please ty this steps:
- Enable all logs in that policy
- try some ping tests and http(s) access tests from your client
- right click on the policy and click on "show matching logs" sub-menu
- take a screenshot share with us (must show source, destination, service, result)
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
when you can succesfully ping the example.com from out of the other net that means that dns works correctly and routing/Policy works correctly.
It also means that the network config on the example.com webserver has to be correct because with no or wrong default gw you would get no ping reply (unless there is a static or connected route there)
If you say even with any service allowed in the policy http(s) to the example.com does not work that looks more like some limit of the webserver running there like local os firewall on that webserver or something like that.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try to access the example.com (Website) from 172.16.2.0 Network. it is not accessible from 172.16.2.x network.
When you say you are not able to access, could you confirm what is the exact error are you seeing. You may also check in the policy where this traffic is matching, if the web-filter is called. If it is so, could you please make sure the domain/category is not blocked.
Related Posts
- What does it means? 130 Views
- Trying to get Google Workspace to... 57 Views
- Internet data not passing from firewall 106 Views
- 2 VIP with same external IPs 181 Views
- Users do not get VLANs DHCP... 184 Views
Labels
-
FortiGate
6,569 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
337 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Email filter profile
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.