I am trying to implement the shadow-ZTNA feature so I do not have to host DNS entries for internal resources on the public internet.
I am using the 7.2.5 administration guide linked below. It states that the command is hidden, but on the 200F running 7.2.5 the command is missing entirely. Is there a specific feature that needs to be enabled or some pre-configuration so the command can be used?
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/708477
Hi @aguerriero
As per the given configuration example, I have tested this in the lab. After enabling the "add-vhost-domain-to-dnsdb" setting in the access-proxy for the configured ZTNA server, I was able to see the entry in the database under shadow-ztna.
For example:
config firewall access-proxy
    edit "ztna"
        set vip "ztna"
        set client-cert enable
        set add-vhost-domain-to-dnsdb enable
    next
end

show full-configuration system dns-database
config system dns-database
    edit "test1.test.com"
        set status enable
        set domain "test1.test.com"
        set type primary
        set view shadow-ztna
        set ttl 86400
        set authoritative enable
        unset forwarder
        set source-ip 0.0.0.0
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 86400
                set hostname "test1.test.com"
                set ip 172.18.82.66
            next
        end
        unset allow-transfer
        set primary-name "test1.test.com"
        set contact "fgt-ztna"
    next
end
Please confirm the access-proxy and VIP configuration for the ZTNA server, and make sure to enable the setting below:
    set add-vhost-domain-to-dnsdb enable
Regards
Priyanka
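One way to check that every virtual host you expect actually landed in the shadow-ztna view is to parse the "show full-configuration system dns-database" output offline. This is an added example, not code from the thread or from Fortinet; the sample text is constructed in the shape of the output above, and the "lab.example" zone is made up to exercise the view filter.

```python
# Constructed sample in the shape of the `show full-configuration system dns-database`
# output posted above; the second zone is made up to exercise the view filter.
SAMPLE = """\
config system dns-database
    edit "test1.test.com"
        set view shadow-ztna
        config dns-entry
            edit 1
                set type A
                set hostname "test1.test.com"
                set ip 172.18.82.66
            next
        end
    next
    edit "lab.example"
        set view public
    next
end
"""

def parse_fortios(text):
    """Nest FortiOS CLI text into dicts: config/edit open a level, next/end close it."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        op, _, rest = raw.strip().partition(" ")
        if op in ("config", "edit"):      # open a nested block keyed by its name
            child = stack[-1].setdefault(rest.strip('"'), {})
            stack.append(child)
        elif op in ("next", "end"):       # close the current block
            stack.pop()
        elif op == "set":                 # "set key value" -> settings[key] = value
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip('"')
        # "unset <key>" and blank lines carry no value and are ignored
    return root

def shadow_ztna_records(config_text):
    """Map each zone in the shadow-ztna view to its A records as (hostname, ip)."""
    zones = parse_fortios(config_text).get("system dns-database", {})
    return {zone: [(e["hostname"], e["ip"]) for e in z.get("dns-entry", {}).values()
                   if e.get("type") == "A"]
            for zone, z in zones.items() if z.get("view") == "shadow-ztna"}

def missing_vhosts(config_text, expected_vhosts):
    """Virtual-host names that have no A record in any shadow-ztna zone."""
    present = {h for recs in shadow_ztna_records(config_text).values() for h, _ in recs}
    return sorted(set(expected_vhosts) - present)
```

Feed it the real output and the list of vhosts from your access-proxy; anything returned by missing_vhosts was not added to the shadow-ztna view.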
Hi @aguerriero
ZTNA shadow cannot be configured or edited in the GUI or CLI.
For example:
config firewall access-proxy
    edit <name>
        set add-vhost-domain-to-dnsdb {enable | disable}
    next
end
You need to enable "set add-vhost-domain-to-dnsdb" in the access-proxy settings; all virtual hosts and TCP forwarding domains in the access proxy will then be added under config system dns-database.
Please refer to the guide below for reference:
Regards
Priyanka
Yes, entries cannot be edited. But this line in the 7.2.5 administration guide says I can view shadow-ZTNA entries.
Copyright 2025 Fortinet, Inc. All Rights Reserved.