Oddl
New Contributor

Fortigate 40C DNS forwarder missing in 5.0

Hi, just while updating to 5.0 update 4 I recognized the DNS forwarder does not work anymore. The options are missing from the GUI and CLI completely. What the hell was wrong with that feature to discontinue it? Just for the small customers that we usually recommend the small Fortigate Firewalls this feature is important. Why can Fortinet not even mention it in the release notes that there were essential options removed? I see some mentioning of a discussion in this forum that I cannot access in the search because it may be too long ago. One gets the advice to move back to 4.3. Does this mean all smaller Fortigate Units will be discontinued now, even the ones we just recently sold??? I am quite unhappy to be left out of the information loop. What can we expect from next 5.0 releases? regards, Thomas.
Fortigate Partner Munich, Germany http://www.initsol.de
ede_pfau
SuperUser

For current patch levels of FortiOS 5, there are some features left out with the smaller units (below 60C). One of these is the local DNS server (DNS database) on a 40C, as reported here: https://forum.fortinet.com/FindPost/91108 But that would not touch your problem - DNS forwarding has to be functional or else the FGT would not be able to serve as DHCP/DNS/gateway in small networks. So, my suspicion is that this setting is CLI only. Apart from that, running 4.3.14 on the 40C isn't such a bad idea, after all. Rock solid and not too resource intensive. Forum Search is not limited in scope - dunno how you set it up but you can select "all entries" in the "within" parameter field.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ede_pfau
SuperUser

And what about this?
 config system dns-server
    edit <intf_name>
       set mode {forward-only | non-recursive | recursive}
    end
 end
Straight from the v5.0 CLI Guide, pg. 507.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Oddl
New Contributor

Well this SHOULD WORK, and it does on a Fortigate 60C, but not on a 40C...
ORIGINAL: ede_pfau And what about this?
 config system dns-server
    edit <intf_name>
       set mode {forward-only | non-recursive | recursive}
    end
 end
Straight from the v5.0 CLI Guide, pg. 507.
And I think it's also "great" that I have to waste time checking the 5.0 manual just to find that it doesn't work as supposed... Nowhere I see it mentioned that the 40C has reduced features now. Thomas.
Fortigate Partner Munich, Germany http://www.initsol.de
ede_pfau
SuperUser

I don't think it doesn't work on a 40C. Release Notes would have mentioned this. How come you're so sure that the 40C doesn't have this feature? As I see it, there are 2 ways to proceed now: 1. Open a support ticket and let Fortinet fix this. 2. Try to track down the failure, kind of like this: you state that "it doesn't work" - how do you notice? Are there any error messages (in the CLI)? If you deduct this from what you observe how DNS requests are not answered, did you debug this? Are requests coming in, going out, being replied to? I do have a 40C laying around here but hesitating to rig it up for this...that's where option #1 comes in. Fortinet support ain't helpless.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
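
Added example, not part of the original thread or of any Fortinet tooling: a small Python probe for the check asked about in the post above (are DNS requests being replied to?), run from a client behind the firewall. It separates a silent drop from an explicit error or a real answer; the query name, transaction ID and sample replies are constructed, and `probe()` assumes the firewall interface address is passed as `server`.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x4643, qtype=1):
    """Encode a single-question DNS query (RD flag set) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(reply, txid=0x4643):
    """Turn a raw reply (or None for a timeout) into a diagnosis."""
    if reply is None:
        return {"status": "no-reply"}          # request ignored or dropped
    if len(reply) < 12:
        return {"status": "malformed"}
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID or QR bit not set
        return {"status": "malformed"}
    rcode = flags & 0x000F
    return {"status": "answered" if rcode == 0 and an > 0 else "error",
            "rcode": RCODES.get(rcode, str(rcode)),
            "recursion_available": bool(flags & 0x0080),
            "answers": an}

def probe(server, name, timeout=2.0, port=53):
    """Send one query over UDP to `server`; needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        try:
            reply, _ = s.recvfrom(512)
        except (socket.timeout, ConnectionError):
            reply = None
    return classify(reply)

# Constructed sample replies (not captured from a real device).
_Q = build_query("example.com")
SAMPLE_OK = (struct.pack("!HHHHHH", 0x4643, 0x8180, 1, 1, 0, 0) + _Q[12:]
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x4643, 0x8105, 1, 0, 0, 0) + _Q[12:]

if __name__ == "__main__":
    for label, raw in [("ok", SAMPLE_OK), ("refused", SAMPLE_REFUSED), ("timeout", None)]:
        print(label, classify(raw))
```

A `no-reply` result from a client that can otherwise reach the gateway matches the "simply ignores DNS requests" behaviour reported later in the thread; an `error` with `REFUSED` would instead point at a listener that is present but not serving that interface.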
Oddl
New Contributor

ORIGINAL: ede_pfau I don't think it doesn't work on a 40C. Release Notes would have mentioned this. How come you're so sure that the 40C doesn't have this feature? As I see it, there are 2 ways to proceed now: 1. Open a support ticket and let Fortinet fix this. 2. Try to track down the failure, kind of like this: you state that "it doesn't work" - how do you notice? Are there any error messages (in the CLI)? If you deduct this from what you observe how DNS requests are not answered, did you debug this? Are requests coming in, going out, being replied to? I do have a 40C laying around here but hesitating to rig it up for this...that's where option #1 comes in. Fortinet support ain't helpless.
Thank you, you must be thinking I'm clueless... I opened a support ticket and they told me just those CLI commands and when I told them that they only produce an error they finally wrote that "further research" showed them that those commands do not exist in 40C Fortigates anymore since 5.0. The firewall simply ignores DNS requests from clients on the internal or external network. And yes - I wasted a lot of time reading the release notes and 5.0 manual just to find out that the mentioned functions were removed without notice or release warning. Thomas.
Fortigate Partner Munich, Germany http://www.initsol.de
Dave_Hall
Honored Contributor

I can confirm from my own 40C that the dns-database and dns-server sections were removed when upgrading from 4.0 MR3 patch 14 to 5.0.4....
 
 FWF40C3911000XXX # config system dns?
 dns             dns configuration
 dns-database    dns-database
 dns-server      dns-server
 
 FWF40C3911000XXX # config system dns
 
 The system is going down NOW !!
 
 Please stand by while rebooting the system.
 Restarting system.
 ü
 
 FortiWifi-40C (11:21-11.28.2011)
 Ver:04000004
 Serial number: FWF40C3911000XXX
 CPU(00): 525MHz
 Total RAM: 512MB
 Initializing boot device...
 Initializing MAC... nplite#0
 Press any key to display configuration menu...
 ......
 Reading boot image... 1718752 bytes.
 Initializing firewall...
 
 System is starting...
 
 
 FWF40C3911000XXX login: admin
 Password:
 Welcome !
 
 FWF40C3911000XXX # config system d?
 ddns     Configure DDNS.
 dhcp     Configure DHCP.
 dhcp6    Configure DHCPv6.
 dns      Configure DNS.
 
 FWF40C3911000XXX # config system d?
 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Dave_Hall
Honored Contributor

And yes - I wasted a lot of time reading the release notes and 5.0 manual just to find out that the mentioned functions were removed without notice or release warning.
If you use the search link (at the top of this page) you will see older complaints about this and other items removed from the 40C. For me it was the VDOMs. I originally bought the 40C (last year) with the intent of using it for studying for the FCNSA/FCNSP exams -- the 40C was the smallest unit (at the time) to support VDOMs. If I had known at that time that features on (4.0 MR3) were going to be removed when upgrading to 5.0, I would have likely gone with a 60C.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

ede_pfau
SuperUser

OK, I get that you've been digging into this a lot more than you've mentioned. Wasted time on just a rant. What keeps you from downgrading to 4.3? (OK, sorry, you are not really looking for a workaround, I forgot.)

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Oddl
New Contributor

I am sorry if I waste your time, but a workaround for me doesn't mean that I pay for a product including Firmware upgrades just recently and then have to use an old version and never update again? How work-around is that? And - btw we have several customers that are currently looking forward to buy a Fortigate 40C which I currently cannot recommend anymore. The 60C is 50% more expensive - is this a way to create revenue? I cannot imagine that DNS forward/relay would use up so much CPU that it had to be removed. I am still waiting for an official statement from Fortinet how they would like to handle this going forward. Thomas.
Fortigate Partner Munich, Germany http://www.initsol.de