Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor


Greetings, If I have two security groups that are not permitted to access each other's networks, and both are using SSL-VPN to connect, is there a way to provide each group with their own unique DNS server and suffix information when they connect in?
Contributor II

Hi, I'm not quite sure about it, but you can configure DNS servers in the CLI for a portal. For example:

    config vpn ssl web portal
        edit <portalname>
            config widgets
                edit <numberoftunnelwidget>
                    set dns-server1 <dns-server-ip>
                    set dns-server2 <dns-server-ip>
                end
        end

You can try it; if it doesn't work, you need to create separate VDOMs for every portal.
Valued Contributor III

I think having unique DNS servers is less of an issue. Even if they can resolve the unneeded names, it's the access to them that each login should prevent. So using the same DNS but blocking access should be the goal. My 2 cents.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:


I ended up hacking the problem another way.


I created a "common" network that all VPN clients have access to, and placed a DNS server on that network, setting all VPN clients to use that DNS server while connected. The DNS server knows about the domains that individual clients will request, and forwards requests to servers on the appropriate client network. The firewall has ACLs to permit the DNS server to query the client networks' DNS servers.


Downside to this solution is I can't push a DNS suffix to clients, but other than that it works properly.
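The forwarder design described in the post above, written out as an unbound configuration for the DNS server on the "common" network (an added example, not the poster's own config; the 10.x addresses, subnet and example domains are constructed placeholders):

```conf
# unbound.conf for the shared forwarder on the "common" VPN network.
# Assumed layout (constructed values, not from the post):
#   10.99.0.0/24   common network that every SSL-VPN client can reach
#   10.99.0.10     this forwarder, pushed to all VPN clients as their DNS server
#   10.10.0.53     DNS server on security group A's network (zone groupa.example)
#   10.20.0.53     DNS server on security group B's network (zone groupb.example)
server:
    interface: 10.99.0.10
    port: 53

    # Answer only VPN clients on the common network; refuse everything else so the
    # forwarder is not usable as an open resolver from any other segment.
    access-control: 10.99.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Names under each group's zone are resolved by forwarding only; do not
    # recurse to the public internet if the group's server does not answer.
    local-zone: "groupa.example." transparent
    local-zone: "groupb.example." transparent

# Conditional forwarding: each client domain goes to the DNS server on that
# group's own network. The firewall policy must allow only this forwarder's
# address (10.99.0.10) to reach those servers on UDP/TCP 53; VPN clients
# themselves still have no route or policy into the other group's network,
# so resolving a name there gives them nothing they can connect to.
forward-zone:
    name: "groupa.example."
    forward-addr: 10.10.0.53
    forward-first: no

forward-zone:
    name: "groupb.example."
    forward-addr: 10.20.0.53
    forward-first: no

# Everything else (public names) goes to an ordinary upstream resolver.
forward-zone:
    name: "."
    forward-addr: 10.99.0.1     # assumed upstream resolver on the common network
```

Because no DNS suffix is pushed to the clients, they need to use fully qualified names (host.groupa.example) for the forwarding to apply.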
