Support Forum
Andrew3791
New Contributor

Not able to resolve DNS - Registration License unreachable

Hi, the FG-100D units are in an A-P HA cluster on v4 MR3 Patch 6 firmware. I am trying to set the main DNS server in System -> Network -> DNS -> Primary and Secondary DNS Server entries. The problem is that these DNS Server IPs are pingable from the CLI, and traceroute shows they go from WAN1 -> local internet gateway router and pings external DNS server, but when I try and execute a ping with a DNS FQDN (e.g. www.google.com) this cannot resolve. I have hosts in internal subnets behind the firewall using the DNS and resolving queries and accessing the web ok, so this appears to be an issue only from FGT units. The License Registration details cannot be obtained or updates received because this cannot access Fortinet online services. Can anyone help me out with some guidance on where to next? Thank you.
Carl_Wallmark
Valued Contributor

Hi,

Check the release notes, I have read something about the FG100D having a misconfigured management vdom as default, and the solution was something like:

    config system global
        set management-vdom root
    end

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Carl_Wallmark
Valued Contributor

Found it:

FortiOS v4.0 MR3 Patch Release 6 introduces support for the FortiGate-100D platform. Included with this model is a special purpose management port that operates on its own virtual domain (VDOM). An issue exists with this feature whereby FortiCare registration fails when initiated from the FortiGate device if this port is connected to the Internet and thus FortiGuard and FortiCare. Upgrading the FortiOS image from its factory default image (build 4083) to FortiOS v4.0 MR3 Patch Release 6 or later does not switch the management VDOM. You must change the management VDOM from the default setting to the root VDOM. To do this, use the following CLI commands:

    config system global
        set management-vdom root
    end

Andrew3791

What can I say - you must have a photographic memory. This has worked, so Ping now works, it looks like the registration is starting to function, and we were having issues with Syslog to a remote syslog server so I'm off to check if this is fixed now too. Thank you!!! You are a life saver.
unsecur3d

Just as an FYI, this is still the same solution for other firewall models under the same scenario. Just got a 60E on 6.4.9 working with this fix.

Carl_Wallmark
Valued Contributor

No problem ;) Why read a book in bed when you can read a FortiGate manual 100 times

CG_5766
New Contributor

Thank you - this resolved my issue. First time experiencing registration issues. Opened support request and Fortinet Support response was to wait minimum of 48 hrs for registration process - have never seen it take more than 30 minutes. Thanks again for sharing.
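An added example, not part of the thread or of Fortinet's documentation: a Python check that reads saved FortiGate configuration backups and reports any unit whose `management-vdom` under `config system global` is set to something other than `root`, the setting changed by the fix above. The backups, host names and the VDOM name `mgmt-example` are constructed, and a backup with no `management-vdom` line is not flagged, on the assumption that it does not override the default.

```python
import shlex
def management_vdom(config_text):
    """Return the management-vdom value set under 'config system global', or None."""
    stack = []  # open config/edit blocks, innermost last
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or backup header comment
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # fragment of a multi-line quoted value (certificate, banner)
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
        elif tokens[0] == "edit":
            stack.append("edit")
        elif tokens[0] in ("next", "end") and stack:
            stack.pop()
        elif tokens[:2] == ["set", "management-vdom"] and len(tokens) > 2:
            if stack[-1:] == ["system global"]:  # ignore the keyword anywhere else
                return tokens[2]
    return None

def audit(backups, expected="root"):
    """Map unit name -> management VDOM for backups that set a value other than expected."""
    found = ((name, management_vdom(text)) for name, text in backups.items())
    return {name: vdom for name, vdom in found if vdom not in (None, expected)}

# Constructed sample backups; host names and "mgmt-example" are made up for illustration.
SAMPLE_BACKUPS = {
    "fw-a": """#config-version=constructed-sample
config global
config system global
    set management-vdom "mgmt-example"
end
end
""",
    "fw-b": """config system interface
    edit "wan1"
        set vdom "root"
    next
end
config system global
    set management-vdom "root"
end
""",
    "fw-c": 'config system global\n    set hostname "fw-c"\nend\n',
}
if __name__ == "__main__": print(audit(SAMPLE_BACKUPS))
```

A unit reported here is one to check for the symptoms described in the thread: name resolution, registration and remote syslog failing from the firewall itself while hosts behind it work.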