Fiiiiiiii
New Contributor

Fortigate and active directory integration

Good evening everyone,
I am unable to correctly configure the integration of an FGT100E with Active Directory... in particular I am referring to DNS filtering.

With my current configuration, in the DNS filter logs I don't see the origin of the requests from the clients connected to the domain; I always see that all DNS requests come from the domain controller.

The domain is still the old type, like mycompany.local, and we recently introduced 365 and added a mycompany.com UPN, a detail not to be underestimated (I think).

The FortiGate is the gateway of the main network with the IP address 192.168.1.254; the main domain controller is 192.168.1.1 and the secondary is 192.168.1.2, both Windows Server 2022.
The connected PCs (W10/W11) use the two DNS servers 192.168.1.1 and 192.168.1.2.


I've tried everything now; here's the first doubt.
DNS forwarders on the domain controllers: do I have to enter the IP address of the FortiGate?

Use root hints: checked or not? (I think not.)

My goal, if it is easily manageable, would be to block the use of public DNS from the internal network by passing everything through the FortiGate...


Example image: img1.jpg


In the FortiGate DNS logs I find these damned unknown query types...

img2.jpg

And while I was writing, another problem occurred to me regarding other DNS errors like _ldap._tcp.site1._sites.domaincontroller1.mycompany.local, query type SRV, blocked (implicit deny).
This error appears when doing a test using Fortinet as DNS server on a Windows client; I think it concerns _msdcs.mycompany.local. I was thinking about the zone transfer... I have doubts about this too.


Correct?

img3.jpg

img4.jpg

img5.jpg

Furthermore, the fact that we have currently added the mycompany.com UPN to the mycompany.local domain worries me about a possible DNS leak... is it real or just my fantasy?


If someone is willing to help me, even by paying for the service, there is no problem.

I have a headache... :)


ebilcari
Staff

What is the main goal here? Do you just want to apply a DNS filter for end hosts?

The simplest way I'm thinking of is to leave the public forwarders configured in the DCs, configure the FGT to use the DC as its primary DNS server, configure the DHCP scopes to give the GW as DNS to the end hosts, and filter the DNS traffic of the end hosts only. If you don't want to add any domain or DNS records on the FGT, you can leave it to forward all the requests to the DC:

fwd.PNG

- Emirjon
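As an added example (not part of this thread and not Fortinet's own documentation), the layout Emirjon describes in FortiOS CLI form: the interface names "internal" and "wan1", the address objects "DC1"/"DC2" for the two domain controllers, and the DNS filter profile name "default" are assumptions; the DCs keep their existing public forwarders.

```fortios
# Added example, not the thread's own configuration.
# Assumed: LAN interface "internal", WAN "wan1", address objects "DC1"/"DC2" for
# 192.168.1.1 and 192.168.1.2 already defined, DNS filter profile "default".

# The FGT itself resolves through the DCs, which keep their public forwarders.
config system dns
    set primary 192.168.1.1
    set secondary 192.168.1.2
end

# The FGT answers DNS on the LAN, applies the filter, and forwards everything to
# the DCs, so mycompany.local and the _msdcs SRV records still resolve for
# domain-joined clients. Client IPs now appear as srcip in the DNS filter log.
config system dns-server
    edit "internal"
        set mode forward-only
        set dnsfilter-profile "default"
    next
end

# DHCP: hand out 192.168.1.254 as the only DNS server to end hosts. If the DCs run
# DHCP, set scope option 006 (DNS Servers) there; if the FGT runs DHCP, use
# "set dns-service specify" / "set dns-server1 192.168.1.254" under
# "config system dhcp server".

# Only the DCs may reach public DNS directly; any other LAN host is denied on port 53.
config firewall policy
    edit 10
        set name "DC-outbound-DNS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "DC1" "DC2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 11
        set name "Deny-client-public-DNS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
    next
end
```

Policy 11 only catches plain port-53 queries, so DNS over HTTPS on 443 from a browser or the OS is not covered by it; after the change, check that the srcip field in the DNS filter log shows client addresses rather than the DC.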