Support Forum
aguerriero
Contributor II

FortiOS shadow-ztna dns option missing from 7.2.5

I am trying to implement the shadow-ztna feature so I do not have to host DNS entries for internal resources on the public internet.

I am using the 7.2.5 administration guide below. It states that the command is hidden, but on the 200F running 7.2.5 the command is missing entirely. Is there a specific feature that needs to be enabled, or some pre-configuration, so the command can be used?

[Screenshot: Capture5.PNG]



https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/708477 


3 REPLIES
pgautam
Staff

Hi @aguerriero 


ZTNA shadow cannot be configured or edited in the GUI or CLI.

For example:

    config firewall access-proxy
        edit <name>
            set add-vhost-domain-to-dnsdb {enable | disable}
        next
    end

You need to enable "set add-vhost-domain-to-dnsdb" in the access-proxy setting; all virtual hosts and TCP forwarding domains in the access proxy will then be added under config system dns-database.


Please refer to the guide below for your reference:

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/708477/mapping-ztna-virtual-host-and...

Regards
Priyanka



aguerriero

Yes, entries cannot be edited. But this line in the 7.2.5 administration guide says I can view shadow-ztna entries.

[Screenshot: Capture12321.PNG]



pgautam

Hi @aguerriero 

 

As per the given configuration example, I have tested in the lab. Post enabling the "add-vhost-domain-to-dnsdb" setting in the access-proxy for the ZTNA configured server, I am able to see the entry in the database under shadow-ztna.

For example:

    config firewall access-proxy
        edit "ztna"
            set vip "ztna"
            set client-cert enable
            set add-vhost-domain-to-dnsdb enable
        next
    end

 

    show full-configuration system dns-database
    config system dns-database
        edit "test1.test.com"
            set status enable
            set domain "test1.test.com"
            set type primary
            set view shadow-ztna
            set ttl 86400
            set authoritative enable
            unset forwarder
            set source-ip 0.0.0.0
            config dns-entry
                edit 1
                    set status enable
                    set type A
                    set ttl 86400
                    set hostname "test1.test.com"
                    set ip 172.18.82.66
                next
            end
            unset allow-transfer
            set primary-name "test1.test.com"
            set contact "fgt-ztna"
        next

 

Please confirm the access-proxy and VIP configuration for the ZTNA server, and make sure to enable the below setting:

add-vhost-domain-to-dnsdb

 

Regards

Priyanka

 

 

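To verify from a script that add-vhost-domain-to-dnsdb really populated the DNS database (and to spot ZTNA hosts that are missing from it), the following added example, which is not code from the thread or from Fortinet, parses `show full-configuration system dns-database` output in the format shown above and lists the A records in the zones FortiOS generated with view shadow-ztna. The helper names parse_zones and shadow_ztna_records and the sample output (zone corp.example) are constructed for this example.

```python
import shlex

# Constructed sample in the format shown in the thread (not from a real device):
# a zone FortiOS generated for ZTNA (view shadow-ztna) plus one ordinary zone.
SAMPLE = """\
config system dns-database
    edit "test1.test.com"
        set view shadow-ztna
        config dns-entry
            edit 1
                set type A
                set hostname "test1.test.com"
                set ip 172.18.82.66
            next
        end
    next
    edit "corp.example"
        set view public
    next
end
"""

def parse_zones(text):
    """Parse FortiOS dns-database output into {zone: {"settings": {}, "entries": []}}."""
    zones, sections, zone, entry = {}, [], None, None
    for tok in (shlex.split(ln) for ln in text.splitlines()):
        if not tok or tok[0] == "unset":           # blank or valueless line
            continue
        if tok[0] == "config":                     # enter a table or sub-table
            sections.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            sections.pop()
        elif tok[0] == "edit" and sections[-1] == "dns-entry":
            entry = {}                             # record inside the current zone
        elif tok[0] == "edit":
            zone = zones.setdefault(tok[1], {"settings": {}, "entries": []})
        elif tok[0] == "set":
            (entry if entry is not None else zone["settings"])[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next" and entry is not None:
            zone["entries"].append(entry); entry = None
        elif tok[0] == "next":
            zone = None
    return zones

def shadow_ztna_records(zones):
    """(zone, hostname, ip) for A records in shadow-ztna zones; empty means not populated."""
    return sorted((n, e.get("hostname", ""), e.get("ip", ""))
                  for n, z in zones.items() if z["settings"].get("view") == "shadow-ztna"
                  for e in z["entries"] if e.get("type") == "A")
```

Feed it the real `show full-configuration system dns-database` output captured from the CLI; an empty result after enabling the setting means the access-proxy or VIP configuration should be re-checked, as the reply above suggests.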

 
