Dear all,
I'm trying to set a list of search domains on our Fortigate 200D (FortiOS 5.2) to push to users' workstations when these users connect over SSL VPN and/or a WiFi SSID.
When users on Windows and Linux workstations work on the LAN, the workstations get a lease with this kind of DNS configuration from dhcpd (Linux) and Windows DHCP:
------ begin resolv.conf -----
search proddomain.lan devdomain.lan print.lan
nameserver 10.20.20.1
nameserver 10.20.20.2
nameserver 10.20.20.3
----- end resolv.conf -------
I want to repeat this.
Can you help me?
Unfortunately, you're limited to specifying two DNS servers and one suffix on the FortiGate.
However, if you use FortiClient to initiate tunnel-mode connections, you can run a script upon logon that could update the relevant host files to inject the same DNS servers and multiple suffixes.
Regards, Chris McMullan Fortinet Ottawa
Dear Chris,
Can you help me find this option in FortiClient?
Is it possible to push predefined scripts (for Unix) from the FortiGate?
It's one of the fields in the XML configuration available on the FortiClient (standalone) or to be pushed from the FortiGate.
On our Docs site, the reference guide is available at: http://docs.fortinet.com/uploaded/files/2076/forticlient-xml-52.pdf
VPN settings begin on page 26, and SSL VPN specifically on page 29. What you're looking for are the tags <script> nested within <on_connect>. Here's the whole string:
<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <enabled>1</enabled>
        <dnscache_service_control>0</dnscache_service_control>
        <!-- 0=disable dnscache, 1=do not touch dnscache service, 2=restart dnscache service, 3=sc control dnscache paramchange -->
        <keep_connection_alive>1</keep_connection_alive>
      </options>
      <connections>
        <connection>
          <name>SSLVPN_Name</name>
          <description>Optional_Description</description>
          <server>ssldemo.fortinet.com:10443</server>
          <username>Encrypted/NonEncrypted_UsernameString</username>
          <single_user_mode>0</single_user_mode>
          <ui>
            <show_remember_password>1</show_remember_password>
            <show_alwaysup>1</show_alwaysup>
            <show_autoconnect>1</show_autoconnect>
          </ui>
          <password>Encrypted/NonEncrypted_PasswordString</password>
          <certificate />
          <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
          <prompt_certificate>0</prompt_certificate>
          <prompt_username>0</prompt_username>
          <on_connect>
            <script>
              <os>windows</os>
              <script>
                <script>
                  <![CDATA[
net use x: \\server1\share /user:#username# #password#
net use y: \\server2\share /user:#username# #password#
net use z: \\server3\share /user:#username# #password#
copy %temp%\*.logs z:\share\logs\
copy z:\files\*.* c:\files\
                  ]]>
                </script>
              </script>
            </script>
          </on_connect>
          <on_disconnect>
            <script>
              <os>windows</os>
              <script>
                <script>
                  <![CDATA[
net use x: /DELETE
net use y: /DELETE
net use z: /DELETE
                  ]]>
                </script>
              </script>
            </script>
          </on_disconnect>
        </connection>
      </connections>
    </sslvpn>
  </vpn>
</forticlient_configuration>
The above is just an example, but it shows how you can mount network shares upon connecting and unmount them when disconnecting. You could use the 'net' command to apply other parameters. You'd need to craft the script locally on a machine first to test that it works, but you could then insert it within XML tags for client connections.
The two options for applying it would be: (a) restoring a config containing the script as a backup on each client manually; or (b) deploying the script using an Endpoint Control profile. FortiGates allow 10 free EC connections before you'd need a separate FortiClient license, but even beyond 10 clients you'd still have the manual option at your disposal.
To enable the push of custom XML configurations, modify the existing profile:
config endpoint-control profile
edit default
config forticlient-winmac-settings
set forticlient-advanced-cfg enable
end
end
Then, from the GUI, you can paste in the XML configuration as a block of text.
Regards, Chris McMullan Fortinet Ottawa
In case anyone is looking to actually use DHCP option 119 with multiple search domains on their Fortigate, I will recount how I figured out a working config on 2019-07-03.
For example
example.com
mary.example.com
bob.example.com
Break the domains into chunks at the '.' separators
example
com
mary
bob
Get hex for each chunk from a hex converter (e.g. http://string-functions.com/string-hex.aspx)
example 6578616d706c65
com 636f6d
mary 6d617279
bob 626f62
Note the length of each string and prefix the string with that length as a 2-digit hex number
7example 076578616d706c65
3com 03636f6d
4mary 046d617279
3bob 03626f62
Assemble your first domain and terminate it with a double digit hex zero character
7 e x a m p l e 3 c o m00
076578616d706c6503636f6d00
Assemble your next domain but eliminate any domain suffix that already exists in your search string! You will replace the suffix with a reference to a domain (ending in 00) that matches that value. The reference will consist of the 'c0' character and then the index, starting with 0 from the beginning of the string you are assembling.
7 e x a m p l e 3 c o m00 4 m a r yC000
076578616d706c6503636f6d00046d617279c000
In this case the index was 0, the beginning of the string.
We'll do this again for the 'bob.example.com'
7 e x a m p l e 3 c o m00 4 m a r yC000 3 b o bC000
076578616d706c6503636f6d00046d617279c00003626f62c000
As long as that resultant string is no longer than 255 characters, it should work as the hex payload in a FortiGate DHCP custom hexadecimal DHCP option 119. I successfully tested this with a 200D running v5.6.9 build1673 with a MacOS 10.14.5 client picking up the change successfully via a Wireless LAN after switching wifi networks and switching back.
Bonus: An alternate example with a non-zero index:
3 b o b 7 e x a m p l e 3 c o m00 4 m a r yC004
03626f62076578616d706c6503636f6d00046d617279c004
0 1 2 3 4
I hope this helps the next netadmin on down the line!
Regards,
Rick
References:
http://string-functions.com/string-hex.aspx
https://tools.ietf.org/html/rfc3397#section-2
Hi "rveader",
Thanks for your explanation, I made it work successfully on FGT90D and FGT101F.
Here is the memo I wrote for my own reference after reading your post and the RFC.
It contains my full use case with a real example using Fortigate DHCP option 119 to add multiple search domains from DHCP, now running in production:
My search domains:
14rv.lan
oob.lan
storage.lan
lab.lan
fbx.lan
1) Preparation of the string
- 1a) cut the domains at the dots '.'
- 1b) remove the redundant extension (here '.lan', but keep it once for all domains)
- 1c) convert to hex strings using xxd from a simple Linux shell:
Unfortunately, my Fortigate does not have xxd:
fnsysctl xxd -p test
can not find command xxd
So using the Linux shell of my laptop ... example:
xxd -p <(echo -n 14rv)
WARNING: use 'echo -n' to avoid xxd adding 0a to the string; echo without the '-n' option prints a trailing newline.
A simple loop can help us calculate all the hex strings:
for terms in 14rv lan storage oob lab fbx ; do echo $terms `xxd -p <(echo -n $terms)` ; done
14rv 31347276
lan 6c616e
storage 73746f72616765
oob 6f6f62
lab 6c6162
fbx 666278
--> The hex conversion is:
14rv 31347276
lan 6c616e
storage 73746f72616765
oob 6f6f62
lab 6c6162
fbx 666278
2) Prepend the number of characters of the domain to the domain, in 2-char hex format (e.g. 4 => 04)
414rv 0431347276
3lan 036c616e
7storage 0773746f72616765
3oob 036f6f62
3lab 036c6162
3fbx 03666278
3) Assemble your first domain and terminate it with a double digit hex zero character :
414rv3lan00 => 0431347276036c616e00
4) Calculate the index and assemble the DHCP option 119 hex string
The redundant part of the domain is 'lan' => 3lan
We will replace the suffix with a reference to a domain (ending in 00) that matches that value. The reference will consist of the 'c0' character and then the index, starting with 0 from the beginning of the string you are assembling.
Here the string is :
ASCII : 414rv3lan00
HEX : 0431347276036c616e00
The redundant part of the string across all domains is :
3lan
BUT this redundant part is not at the start of the string, so we need to calculate the index: 3lan starts 5 chars after the start of the string 414rv3lan00 => SO the index is 5 (in 2-char hex => 05)
Now, we can assemble the string with the second domain:
ASCII : 414rv3lan007storagec005
HEX : 0431347276036c616e000773746f72616765c005
After doing again until the last domain :
ASCII : 414rv3lan007storagec0053oobc0053labc0053fbxc005
HEX : 0431347276036c616e000773746f72616765c005036f6f62c005036c6162c00503666278c005
5) Check the hex string for DHCP option 119:
DHCP option 119 only allows 255 chars, so we need to check our string:
echo 0431347276036c616e000773746f72616765c005036f6f62c005036c6162c00503666278c005 |wc -c
76
=> The string is 76 chars long, so it should be accepted by the FortiGate for DHCP option 119
6) Configuring the FortiGate DHCP server with DHCP OPTION 119 :
config system dhcp server
edit 2
set default-gateway 10.0.20.250
set netmask 255.255.255.0
set interface "v20"
config ip-range
edit 1
set start-ip 10.0.20.101
set end-ip 10.0.20.149
next
edit 2
set start-ip 10.0.20.55
set end-ip 10.0.20.55
next
end
config options
edit 1
set code 119
set value "0431347276036c616e000773746f72616765c005036f6f62c005036c6162c00503666278c005"
next
end
config reserved-address
edit 1
set ip 10.0.20.55
set mac 24:5e:be:43:b3:73
set description "QNAP-sfp+-lap-nba"
next
end
set dns-server1 10.0.20.254
set ntp-server1 10.0.20.254
next
end
7) Testing: DHCP now shows the search string after renewing the lease:
--> Restarting the connection :
23:50:04 nba@lap-nba:~$ nmcli connection down sfp+nba0
Connexion « sfp+nba0 » désactivée (chemin D-Bus actif : /org/freedesktop/NetworkManager/ActiveConnection/10)
23:50:19 nba@lap-nba:~$ nmcli connection up sfp+nba0
Connexion activée (chemin D-Bus actif : /org/freedesktop/NetworkManager/ActiveConnection/11)
--> Verifying the search domains are present:
23:50:23 nba@lap-nba:~$ nmcli connection show sfp+nba0 |grep domain_search
DHCP4.OPTION[9]: domain_search = 14rv.lan. storage.lan. oob.lan. lab.lan. fbx.lan.
DHCP4.OPTION[18]: requested_domain_search = 1
23:50:35 nba@lap-nba:~$ cat /etc/resolv.conf
# Generated by NetworkManager
search 14rv.lan storage.lan oob.lan lab.lan fbx.lan
nameserver 10.0.20.254
nameserver 10.0.30.254
nameserver 10.0.50.254
Hope it can help someone (no internet access needed, only a Linux shell and a Fortigate)
Thanks again to 'rveader', who did the biggest part of the job!
Regards, nbanba
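The hand-assembly in Rick's post and in nbanba's memo above is the RFC 3397 (RFC 1035 compression) encoding of a domain search list. The Python below is an added example, not code from either poster or from Fortinet: it automates the same steps (length-prefixed labels, a 00 terminator for the first full name, and a c0xx pointer to the first occurrence of any suffix already emitted) and reproduces the hex strings from both posts. It also decodes an option 119 payload back to names, which is the check a practitioner wants before pasting a value into `config options`, and because a DHCP client must parse whatever a DHCP server sends, the decoder bounds pointer hops so a malformed or hostile payload with a pointer loop fails cleanly instead of spinning. Function names are mine; the size limit is applied to encoded bytes, since a DHCP option's length field is one octet (the posts count hex characters, which is twice the byte count).

```python
"""RFC 3397 / DHCP option 119 domain search list: encoder and decoder.

Added example (not from the forum posts). Encoding follows the scheme the
posts work through by hand; decoding is the client-side inverse with
defensive bounds on compression pointers.
"""

MAX_OPTION_BYTES = 255  # one-octet DHCP option length field


def _labels(domain: str) -> list:
    """Split 'mary.example.com' into labels; a trailing dot is ignored."""
    labels = domain.strip().rstrip(".").split(".")
    for label in labels:
        if not 1 <= len(label) <= 63:          # RFC 1035 label length limit
            raise ValueError(f"bad label {label!r} in {domain!r}")
    return labels


def encode_search_list(domains: list) -> bytes:
    """Encode search domains as the raw option 119 payload.

    Every suffix (e.g. ('example', 'com')) is remembered with the offset at
    which it was first written; a later name whose suffix is already present
    ends with a 2-byte pointer 0xC000 | offset instead of repeating it.
    """
    out = bytearray()
    seen = {}                                  # suffix tuple -> byte offset
    for domain in domains:
        labels = _labels(domain)
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            if suffix in seen:
                offset = seen[suffix]
                out += bytes([0xC0 | (offset >> 8), offset & 0xFF])
                break
            seen[suffix] = len(out)
            out += bytes([len(label)]) + label.encode("ascii")
        else:
            out.append(0)                      # root label ends an uncompressed name
    if len(out) > MAX_OPTION_BYTES:
        raise ValueError(f"encoded list is {len(out)} bytes; limit {MAX_OPTION_BYTES}")
    return bytes(out)


def option119_hex(domains: list) -> str:
    """Hex string in the form the FortiGate 'set value' line expects."""
    return encode_search_list(domains).hex()


def decode_search_list(payload: bytes) -> list:
    """Decode an option 119 payload into domain names.

    Pointers must point backwards and the number of hops per name is
    bounded, so a crafted payload cannot make the parser loop forever.
    """
    names = []
    pos = 0
    while pos < len(payload):
        labels, cur, hops, resume = [], pos, 0, None
        while True:
            if cur >= len(payload):
                raise ValueError("truncated name")
            length = payload[cur]
            if length == 0:                    # root label: name complete
                cur += 1
                break
            if (length & 0xC0) == 0xC0:        # compression pointer
                if cur + 1 >= len(payload):
                    raise ValueError("truncated pointer")
                target = ((length & 0x3F) << 8) | payload[cur + 1]
                if target >= cur:
                    raise ValueError("forward pointer")
                hops += 1
                if hops > MAX_OPTION_BYTES:
                    raise ValueError("pointer loop")
                if resume is None:
                    resume = cur + 2           # continue after the first pointer
                cur = target
                continue
            if length & 0xC0:                  # 0x40 / 0x80 are reserved
                raise ValueError("reserved label type")
            labels.append(payload[cur + 1:cur + 1 + length].decode("ascii"))
            cur += 1 + length
        names.append(".".join(labels))
        pos = resume if resume is not None else cur
    return names


if __name__ == "__main__":
    # Constructed inputs: the domain lists used in the two posts above.
    for domains in (["example.com", "mary.example.com", "bob.example.com"],
                    ["14rv.lan", "storage.lan", "oob.lan", "lab.lan", "fbx.lan"]):
        hexval = option119_hex(domains)
        print(f"set code 119\nset value \"{hexval}\"")
        print("decodes to:", decode_search_list(bytes.fromhex(hexval)))
```

Running the block prints the `set code 119` / `set value` pair for each list, which you can compare against the values pasted into `config options` in the memo above; the decoder call is the round-trip check.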