If I have two security groups that are not permitted to access each other's networks, and both are using SSL-VPN to connect, is there a way to provide each group with their own unique DNS server and suffix information when they connect in?
I'm not quite sure about it, but you can configure DNS servers in the CLI for a portal.
config vpn ssl web portal
You can try it; if it doesn't work, you need to create separate VDOMs for every portal.
I think having unique DNS servers is less of an issue. Even if they can resolve the unneeded names, it's the access to them that each login should prevent. So using the same DNS but blocking access should be the goal.
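As an added illustration of the per-portal approach (this is not the poster's configuration), the fragment below sets a different DNS server and suffix on two SSL-VPN portals and maps each user group to its own portal. Portal names, group names, pool names, addresses and suffixes are all assumed; the `dns-server1`/`dns-suffix` keywords are the ones FortiOS documents under `config vpn ssl web portal`, and if your firmware rejects them on a portal the fallback is the global `config vpn ssl settings` values or separate VDOMs, as the answer above says.

```text
# Assumed example, not the original poster's config: two portals, two groups.
config vpn ssl web portal
    edit "portal-groupA"
        set tunnel-mode enable
        set ip-pools "pool-groupA"          # assumed address pool for group A
        set split-tunneling disable         # send all traffic through the tunnel
        set dns-server1 10.1.0.10           # assumed DNS server on group A's network
        set dns-suffix "groupa.example"     # assumed search suffix for group A
    next
    edit "portal-groupB"
        set tunnel-mode enable
        set ip-pools "pool-groupB"
        set split-tunneling disable
        set dns-server1 10.2.0.10           # assumed DNS server on group B's network
        set dns-suffix "groupb.example"
    next
end

# Tie each user group to its own portal so a login only ever receives one
# set of DNS values.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "grp-A"              # assumed user group
            set portal "portal-groupA"
        next
        edit 2
            set groups "grp-B"
            set portal "portal-groupB"
        next
    end
end
```

Handing out different DNS servers only affects name resolution. The actual separation still has to come from firewall policies: one policy from the SSL-VPN interface with source group `grp-A` and source pool `pool-groupA` to group A's network, the same for group B, and no policy that lets either pool reach the other network. After a test login, `get vpn ssl monitor` shows which portal and pool the session received, which is the quickest way to confirm the mapping took effect.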
My 2 cents.
I created a "common" network that all VPN clients have access to, and placed a DNS server on that network, setting all VPN clients to use that DNS server while connected. The DNS server knows about the domains that individual clients will request, and forwards requests to servers on the appropriate client network. The firewall has ACLs to permit the DNS server to query the client networks' DNS servers.
Downside to this solution is I can't push a dns suffix to clients, but other than that it works properly.
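As an added example of the shared-forwarder design described in the post above (not the poster's own configuration), here is what the central resolver's zone forwarding looks like in BIND 9 terms. The addresses, network ranges and domain names are assumptions chosen to match the two-group scenario in the question.

```text
// named.conf on the shared DNS server (assumed BIND 9; added example, not the poster's config)
options {
    listen-on { 10.250.0.53; };                 // assumed: resolver address on the "common" network
    allow-query { 10.251.0.0/24; 10.252.0.0/24; };  // assumed: the two SSL-VPN client pools
    allow-recursion { 10.251.0.0/24; 10.252.0.0/24; };
    recursion yes;
};

// Group A's internal domain is only ever forwarded to group A's DNS server.
zone "groupa.example" {
    type forward;
    forward only;
    forwarders { 10.1.0.10; };                  // assumed: DNS server inside group A's network
};

// Group B's internal domain is only ever forwarded to group B's DNS server.
zone "groupb.example" {
    type forward;
    forward only;
    forwarders { 10.2.0.10; };                  // assumed: DNS server inside group B's network
};
```

With this layout the firewall needs exactly two extra rules beyond the client policies: UDP/TCP 53 from 10.250.0.53 to 10.1.0.10 and from 10.250.0.53 to 10.2.0.10. Client pools only ever talk to the shared resolver, so a group B client that asks for `host.groupa.example` will get an answer back, but still cannot reach the address it resolves to, which is the point the earlier reply makes about enforcing access at the firewall rather than in DNS. The one thing this design cannot do, as the post notes, is set a per-group search suffix, so clients have to use fully qualified names.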