Fortigate 101F
v7.2.4 Build 1396 (Feature)
I am trying to wrap my head around the DNS settings on the firewall.
1. Currently the appliance is configurd to use the DNS of Fortiguard Servers. is it best we change it to Internal DNS servers? The support team advises to keep the fortiguard servers DNS. However, we understand it is best to keep the Internal DNS servers & add the local domain name.
2. DDNS - only if we use the Fortiguard DNS, we can use the Fortiguard DDNS. If we specify our Internal DNS servers, we need to configure a 3rd party DDNS like NOIP etc.
3. MTU value is set to 1500, is it best to change it as per what our ISP supports which is 1462. if so, how?
Appreciate advise on what is best practice. If you notice on the screenshot, there is 110ms & 120ms latency, which goes to 230ms & 290ms
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi psunith76,
I tried with a little answer.
1. DNS - For this topic it depends on what you want to achieve and if you want to implement the Fortigate DNS Security tools like DNS-Filters.
My "best practice" is to point the Fortigates DNS Servers to externally servers like, 1.1.1.1 or 9.9.9.9, FortiGuard Servers work as well, but they come with malware and reputation filters, which you maybe want, maybe not. :)
I also add the internal DNS Zones into the DNS Database "Network > DNS Servers" (feature may be hidden, enable in Feature Visibility) These internal zones then get configured with my internal DNS Servers as the zones forwarders. Like this, the Fortigate is able to resolve FQDNs which are located in your internal zones and can be used for FQDN Address objects etc.
If you want you can configure dns-service on interfaces of the fortigate as well and attach a DNS filter right there. That way you know what your clients are trying to resolve and can attach category based filters, which I highly recommend.
2. DDNS is only necessary, if the IP from your ISP is "dynamic", which means it changes regularly and for this you want a DNS Record pointing to that ip-address e.g. for VPN.
-> if this is the case, you can certainly use FortiDDNS, other Services like NOIP work fine as well. No real best practice there. NOIP needs manual verification every 30days afaik.
3. MTU Size can be configured on the desired interface directly.
e.g.
"config system interface"
"edit wan1"
"set mtu-overrride enable"
"set mtu 1462"
"end"
Hope this helps.
Best Regards
Nils
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1698 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.