- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Need an internal -> internal policy for LAN access...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need an internal -> internal policy for LAN access to internal servers??
Hello
I just replaced my old FortiGate 100 with a new FortiGate 90D and there are still a few things that behave differently than before.
When I’m connected to my FortiAP with a phone I’m unable to retrieve mail from my internal mail server, or any other internal servers by name, but I can access external sites. My phone is on “wireless” interface 10.10.10.10/255.255.255.0 and my servers are on “internal” interface 192.168.1.254/255.255.255.0
Perhaps related to this, or not, the desktops on my LAN are able to reach external websites, but are unable to reach sites on internal servers by FQDN (eg: [link]http://apps.domain.com/bigtime).[/link] They can reach sites on internal servers by UNC (//whitney/bigtime)
I have a feeling I need some additional policies. Any ideas?
Thanks
21 REPLIES 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I’m connected to my FortiAP with a phone I’m unable to retrieve mail from my internal mail server, or any other internal servers by name, but I can access external sites. My phone is on “wireless” interface 10.10.10.10/255.255.255.0 and my servers are on “internal” interface 192.168.1.254/255.255.255.0
Do you have an internal dns server and are you leasing this dns server address to you wireless client? If you do this and the internal dns server returns internal address for names then it will work.
If you are using public dns server then the problem and the solution will be same for you next question.
Perhaps related to this, or not, the desktops on my LAN are able to reach external websites, but are unable to reach sites on internal servers by FQDN (eg: http://apps.domain.com/bigtime). They can reach sites on internal servers by UNC (//whitney/bigtime)
I have a feeling I need some additional policies. Any ideas?
Configure vip and policies as per this KB:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The wireless SSID used by my internal users specifies “Same as System DNS” under WiFi > SSID. My system DNS is an internal DNS specified as 192.168.1.5 under System > Network > DNS.
I just found something. Our internal DNS considers our local domain to be ourdomain.local, not ourdomain.com. It seems that our old FortiGate recognized names entered as ourdomain.com to be local, but not the new FortiGate.
That is, if I lookup [link=http://apps.ourdomain.com/bigtime]http://apps.ourdomain.com/bigtime[/link] from the LAN then the site is not found, but if I lookup [link=http://apps.ourdomain.local/bigtime]http://apps.ourdomain.local/bigtime[/link] the site is found (but I'm prompted for credentials as if it's not an internal site). This is true for wired and wireless users alike.
Is there a straight forward fix for this? Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
generaltab wrote:The wireless SSID used by my internal users specifies “Same as System DNS” under WiFi > SSID. My system DNS is an internal DNS specified as 192.168.1.5 under System > Network > DNS.
I just found something. Our internal DNS considers our local domain to be ourdomain.local, not ourdomain.com. It seems that our old FortiGate recognized names entered as ourdomain.com to be local, but not the new FortiGate.
That is, if I lookup [link=http://apps.ourdomain.com/bigtime]http://apps.ourdomain.com/bigtime[/link] from the LAN then the site is not found, but if I lookup [link=http://apps.ourdomain.local/bigtime]http://apps.ourdomain.local/bigtime[/link] the site is found (but I'm prompted for credentials as if it's not an internal site). This is true for wired and wireless users alike.
Is there a straight forward fix for this? Thanks again.
If you are using internal dns server (192.168.1.5) then it is upto the server to consider local domain, I don't think old fortigate was doing anything (unless you configured dns server in firewall itself).
BTW what is domain you are leasing in dhcp which will be used for dns suffix?
If you can provide the old fortigate config, we can have a look.
So straight fix will be fixing the dns server and if you can't fix it then use the method mentioned in KB.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. The DHCP (server option 015) lease includes both domain suffixes, but the primary is ourdomain.local
I will keep looking in this direction, but if anyone notices any obvious problems, please let me know.
H:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : ws015
Primary Dns Suffix . . . . . . . : ourdomain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ourdomain.local
ourdomain.com
Ethernet adapter Local Area Connection 7:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Fortinet virtual adapter
Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . : ourdomain.local
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-13-20-04-3F-24
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.151
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.5
DNS Servers . . . . . . . . . . . : 192.168.1.5
Primary WINS Server . . . . . . . : 192.168.1.5
Lease Obtained. . . . . . . . . . : Monday, February 23, 2015 1:09:49 PM
Lease Expires . . . . . . . . . . : Tuesday, March 03, 2015 1:09:49 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see now that I need to configure split DNS to have a zone for ourdomain.local resolution and another zone for ourdomain.com resolution. I wonder why this wasn't needed until we replaced our FortiGate? It must have been doing something somewhere..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
generaltab wrote:I see now that I need to configure split DNS to have a zone for ourdomain.local resolution and another zone for ourdomain.com resolution. I wonder why this wasn't needed until we replaced our FortiGate? It must have been doing something somewhere..
I can't think of anything and chances are less that there was anything in Fortigate. But if you are sure that the only change is Fortigate then only way to find out is looking at the previous fortigate config.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. This doesn't appear to be a DNS issue after all. When I ping host.ourdomain.local, the correct internal IP is resolved and I get a response. When I ping host.ourdomain.com, the correct external IP is resolved, but I get no response. That is, DNS is correctly resolving the .com names to their external IPs, but they don't respond when reached from the LAN. Now it seems more like a policy problem to me..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I'm still unable to reach my internal machines from the LAN the way I was previously able to.Here's a demonstration of the problem:
H:\>ping -n 1 diablo
Pinging diablo.aliquot.local [192.168.1.11] with 32 bytes of data:
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.1.11: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
H:\>ping -n 1 diablo.aliquot.com
Pinging diablo.aliquot.com [64.145.110.91] with 32 bytes of data:
Request timed out.
Ping statistics for 64.145.110.91: Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
H:\>ping -n 1 diablo.aliquot.local
Pinging diablo.aliquot.local [192.168.1.11] with 32 bytes of data:
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.1.11: Packets: Sent = 1, Received = 1, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
H:\>
As you can see, the external IP is correctly resolved when I ping diablo.aliquot.com, but I get no reply. The internal IPs are also correctly resolved when I ping either diablo or diablo.aliquot.local, and I get a response. This problem began only after I replaced my old FortiGate-100 with my new FortiGate 90D, so I've attached the config from the old device. I did notice that on the old device, under System > Network > Options tab, there's an "Enable DNS forwarding from" option that don't see on the new device. Could that be the missing piece?
Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As the old device was running pretty old code, there are lot of behavior changes in new version so I can't say for sure how it was working.
From the old config I can see that vip was setup with external interface so if it is configured the same way access using public ip will not work in new version (VIP should be set to any)
In the new version of FortiOS as we are trying to access the server using public address(vip) from LAN we need to configure vip and policies as per this KB:
Try to configure as above and I am pretty sure it should work.
Related Posts
- Management and internal 108 Views
- Fortigate DNS Database (conditional DNS forwarder)... 84 Views
- 2 VIP with same external IPs 175 Views
- Users do not get VLANs DHCP... 169 Views
- How to configure physical internal switch... 100 Views
Labels
-
FortiGate
6,566 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.