Hello
I just replaced my old FortiGate 100 with a new FortiGate 90D and there are still a few things that behave differently than before.
When I’m connected to my FortiAP with a phone I’m unable to retrieve mail from my internal mail server, or any other internal servers by name, but I can access external sites. My phone is on “wireless” interface 10.10.10.10/255.255.255.0 and my servers are on “internal” interface 192.168.1.254/255.255.255.0
Perhaps related to this, or not, the desktops on my LAN are able to reach external websites, but are unable to reach sites on internal servers by FQDN (eg: http://apps.domain.com/bigtime). They can reach sites on internal servers by UNC (//whitney/bigtime)
I have a feeling I need some additional policies. Any ideas?
Thanks
generaltab wrote:When I’m connected to my FortiAP with a phone I’m unable to retrieve mail from my internal mail server, or any other internal servers by name, but I can access external sites. My phone is on “wireless” interface 10.10.10.10/255.255.255.0 and my servers are on “internal” interface 192.168.1.254/255.255.255.0
Do you have an internal DNS server, and are you leasing this DNS server address to your wireless clients? If you do this and the internal DNS server returns internal addresses for names, then it will work.
If you are using a public DNS server, then the problem and the solution will be the same as for your next question.
generaltab wrote:Perhaps related to this, or not, the desktops on my LAN are able to reach external websites, but are unable to reach sites on internal servers by FQDN (eg: http://apps.domain.com/bigtime). They can reach sites on internal servers by UNC (//whitney/bigtime)
I have a feeling I need some additional policies. Any ideas?
Configure the VIP and policies as per this KB:
The wireless SSID used by my internal users specifies “Same as System DNS” under WiFi > SSID. My system DNS is an internal DNS specified as 192.168.1.5 under System > Network > DNS.
I just found something. Our internal DNS considers our local domain to be ourdomain.local, not ourdomain.com. It seems that our old FortiGate recognized names entered as ourdomain.com to be local, but not the new FortiGate.
That is, if I look up http://apps.ourdomain.com/bigtime from the LAN then the site is not found, but if I look up http://apps.ourdomain.local/bigtime the site is found (but I'm prompted for credentials as if it's not an internal site). This is true for wired and wireless users alike.
Is there a straightforward fix for this? Thanks again.
generaltab wrote:The wireless SSID used by my internal users specifies “Same as System DNS” under WiFi > SSID. My system DNS is an internal DNS specified as 192.168.1.5 under System > Network > DNS.
I just found something. Our internal DNS considers our local domain to be ourdomain.local, not ourdomain.com. It seems that our old FortiGate recognized names entered as ourdomain.com to be local, but not the new FortiGate.
That is, if I look up http://apps.ourdomain.com/bigtime from the LAN then the site is not found, but if I look up http://apps.ourdomain.local/bigtime the site is found (but I'm prompted for credentials as if it's not an internal site). This is true for wired and wireless users alike.
Is there a straightforward fix for this? Thanks again.
If you are using an internal DNS server (192.168.1.5), then it is up to that server to decide what the local domain is; I don't think the old FortiGate was doing anything (unless you configured a DNS server in the firewall itself).
BTW, what domain are you leasing in DHCP that will be used as the DNS suffix?
If you can provide the old FortiGate config, we can have a look.
So the straightforward fix will be fixing the DNS server, and if you can't fix it, then use the method mentioned in the KB.
Thanks. The DHCP (server option 015) lease includes both domain suffixes, but the primary is ourdomain.local
I will keep looking in this direction, but if anyone notices any obvious problems, please let me know.
H:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : ws015
Primary Dns Suffix . . . . . . . : ourdomain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ourdomain.local
ourdomain.com
Ethernet adapter Local Area Connection 7:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Fortinet virtual adapter
Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . : ourdomain.local
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-13-20-04-3F-24
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.151
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.5
DNS Servers . . . . . . . . . . . : 192.168.1.5
Primary WINS Server . . . . . . . : 192.168.1.5
Lease Obtained. . . . . . . . . . : Monday, February 23, 2015 1:09:49 PM
Lease Expires . . . . . . . . . . : Tuesday, March 03, 2015 1:09:49 PM
I see now that I need to configure split DNS to have a zone for ourdomain.local resolution and another zone for ourdomain.com resolution. I wonder why this wasn't needed until we replaced our FortiGate? It must have been doing something somewhere..
generaltab wrote:I see now that I need to configure split DNS to have a zone for ourdomain.local resolution and another zone for ourdomain.com resolution. I wonder why this wasn't needed until we replaced our FortiGate? It must have been doing something somewhere..
I can't think of anything, and chances are low that there was anything in the FortiGate. But if you are sure that the only change is the FortiGate, then the only way to find out is to look at the previous FortiGate config.
Thanks. This doesn't appear to be a DNS issue after all. When I ping host.ourdomain.local, the correct internal IP is resolved and I get a response. When I ping host.ourdomain.com, the correct external IP is resolved, but I get no response. That is, DNS is correctly resolving the .com names to their external IPs, but they don't respond when reached from the LAN. Now it seems more like a policy problem to me.
Hello
I'm still unable to reach my internal machines from the LAN the way I was previously able to. Here's a demonstration of the problem:
H:\>ping -n 1 diablo

Pinging diablo.aliquot.local [192.168.1.11] with 32 bytes of data:
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.11:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

H:\>ping -n 1 diablo.aliquot.com

Pinging diablo.aliquot.com [64.145.110.91] with 32 bytes of data:
Request timed out.

Ping statistics for 64.145.110.91:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

H:\>ping -n 1 diablo.aliquot.local

Pinging diablo.aliquot.local [192.168.1.11] with 32 bytes of data:
Reply from 192.168.1.11: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.11:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

H:\>
As you can see, the external IP is correctly resolved when I ping diablo.aliquot.com, but I get no reply. The internal IPs are also correctly resolved when I ping either diablo or diablo.aliquot.local, and I get a response. This problem began only after I replaced my old FortiGate-100 with my new FortiGate 90D, so I've attached the config from the old device. I did notice that on the old device, under System > Network > Options tab, there's an "Enable DNS forwarding from" option that I don't see on the new device. Could that be the missing piece?
Thanks again.
As the old device was running pretty old code, there are a lot of behavior changes in the new version, so I can't say for sure how it was working.
From the old config I can see that the VIP was set up with the external interface, so if it is configured the same way, access using the public IP will not work in the new version (the VIP interface should be set to any).
In the new version of FortiOS, as we are trying to access the server using the public address (VIP) from the LAN, we need to configure the VIP and policies as per this KB:
Try to configure it as above and I am pretty sure it should work.
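As an added example that is not part of the original thread or of any Fortinet KB, here is what the VIP and policy set described in the reply above looks like in FortiOS CLI, covering both the LAN desktops and the FortiAP clients on the "wireless" interface from the first post. The public IP (64.145.110.91), the internal host diablo (192.168.1.11) and the interface names "internal" and "wireless" are taken from the thread; the WAN interface name "wan1", the VIP name, the policy names and the service list on the inbound policy are assumptions. It assumes FortiOS 5.x syntax, where `edit 0` under `config firewall policy` allocates the next free policy ID.

```fortios
# Added example, not from the original thread or a Fortinet KB.
# From the thread: public IP 64.145.110.91 maps to diablo at 192.168.1.11,
# LAN on "internal", FortiAP clients on "wireless".
# Assumptions: WAN interface "wan1", object/policy names, inbound services.

# 1. Bind the VIP to interface "any" so it matches traffic arriving on
#    internal and wireless as well as on wan1. A VIP bound only to the
#    external interface (as in the old config) never matches a LAN client
#    sending to the public IP, so the packet leaves via wan1 and no reply
#    comes back: the "Request timed out" seen above.
config firewall vip
    edit "vip-diablo"
        set extip 64.145.110.91
        set extintf "any"
        set mappedip "192.168.1.11"
    next
end

config firewall policy
    # 2. Inbound policy from the Internet, kept narrow: only the services
    #    actually published (assumed list), not ALL.
    edit 0
        set name "wan-to-diablo"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-diablo"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "SMTP" "IMAPS"
    next

    # 3. Hairpin policy for the LAN. Source and destination are the same
    #    interface, and NAT is enabled on purpose: the server then sees the
    #    FortiGate's internal address as the source and sends its reply back
    #    through the firewall, which un-NATs it. Without "set nat enable"
    #    the server answers the client's private IP directly, the client
    #    sees a reply from 192.168.1.11 to a request it sent to
    #    64.145.110.91, drops it, and ping/mail still time out.
    edit 0
        set name "lan-to-diablo-hairpin"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-diablo"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next

    # 4. Wireless clients are on a different subnet, so the FortiGate is
    #    already in the return path and source NAT is not required; only
    #    the "any" VIP and a policy referencing it are needed.
    edit 0
        set name "wifi-to-diablo-hairpin"
        set srcintf "wireless"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-diablo"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To confirm the hairpin is taking effect, repeat the `ping diablo.aliquot.com` test from a desktop while running `diagnose sniffer packet any 'host 192.168.1.11 and icmp' 4` on the FortiGate: with the policies above you should see the echo request delivered to 192.168.1.11 on the internal interface with the FortiGate's own address as the source, and the reply coming back to the firewall rather than straight to the client. Setting the hairpin policies' `service` to the same narrow list as the inbound policy is preferable once it works; "ALL" is used here only so that ping (ICMP) is covered by the test in the thread.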