Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Split DNS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Split DNS
I configured sslvpn with split-tunneling and split-dns. Split-tunneling works fine, but split-dns not. It looks like all dns requests are sent to the remote dns, instead of only the specified domains.
config split-dns
edit 1
set domains "domain.com,sub.domain.com"
set dns-server1 192.168.100.10
set dns-server2 192.168.100.20
next
end
Resolving hosts on the remote network is fine, however local dns names are not working. Drive mappings on my client time out after a while (probably dns record ttl) and are inaccessible, rdp and web no longer are able to connect to local resources unless I use IP addresses.
My client is on a local network with it's own dns servers, and like to keep access to local resources.
All local resources are available though, so split-tunneling is ok.
Using dnslookup for local network entries does work, however that's because it connects to the local dns server using ip.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
On my side I am still experiencing the issue. I have set in both the tunnel mode ssl web portal profile and in the ssl vpn settings, dns-suffix someclient.com and 2 dns servers.
When I connect with FC 6.4.0.1464 (latest as of now) to the client FG500E running 6.4.1 - in Windows 10 my ethernet adapter is prepended with the client's 2 DNSs set in the ssl config and seems that all DNS requests are going via the tunnel. Since the 2 DNS IPs are added manually at the top on my ethernet adapter even for my local domain I am sending requests via the tunnel.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The release notes of 6.4.0.1464 contain an entry regarding split-dns, so I guess support might have thought this would fix the issue.
Edit: I added an note to the support ticket with links to the online help and 2 KB articles explaining how split-dns should work. You might want to create a support ticket aswell. Maybe this will help?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran into this too during configuring ipsec tunnels for homeoffice here. I found that split dns will only work this way: you can set dns server(s) and domain via gui (or FMG gui if you have and prefer). This is what you already have done. You still must set dns mode to manual and for unknown reasons Fortinet did not include this option in gui (on FMG it is in gui somewhere in the advanced settings of the ipsec phase). Also it is not shown in cli as long as it has the default value. Default value for dns mode is auto or something like that. With this the Tunnel will not do split dns. Once you set dns mode to manual (and maybe reconnect your vpn client afterwards) it shoud work. It did so here...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, however it looks like dns-mode is a ipsec only command. We're using sslvpn.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48421 describes exactly what I need... if only it would work 
Unfortunately I'm unable to proceed with support since I don't have a EMS/FCT license. Apparently they also do not accept bug reports for free software... too bad.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hm don't know. We don't use ssl vpn at all so can't say much about it.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just had a call with Fortinet support. The support engineer was kind enough to show me a working split-dns configuration using an interim built of the FortiClient. So the issue is actually being fixed :)
My ticket is now closed (as I don't have a valid FCT/EMS license), but at least I know a fix is coming. Unfortunately he could not tell when the new version will be available. The fix is most likely to be included in 6.2 and 6.4 clients, but the internal ticket did not mention 6.0.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so...have we come to the conclusion that despite advertising this functionality, at present Fortigate does not in fact offer functional Split-DNS over SSL VPN capability without some esoteric combination of firmware and/or Forticlient (paid or unpaid)?
I have a remoteapp in our datacenter my VPN users need to access. The folks on-site at the local office are directed over IPSEC to the DC. No problem. Custom entries on the local DNS server make that happen.
My work at home folks use SSL VPN to the home office to connect to shared drives. They can be routed to the datacenter, but they get MUCH better performance connecting to the RD Gateway directly. We are in a somewhat remote area with limited home office internet performance.
So at this point with no functional SSLVPN SPLIT-DNS, am i forced to wait for a fix, or is there some combination of Forticlient (paid or unpaid) and firmware which will allow it?
The current solution is "Connect to the RDGateway first. Then connect the Remoteapp."
This is wrong on SO many levels. Think about how ridiculous it is that one should need to RESEARCH firmware versions to find one where standard, advertised functions actually work. "So and so works with B firmware but not C firmware. You need to upgrade/downgrade." That is asinine.
It's basic blocking and tackling. Do this junk happen with other major firewall vendors? I swear it's always SOMETHING with these Fortinet boxes. Love-hate relationship if there ever was one.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can confirm that split DNS was fixed in FortiClient 6.2.8.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiAP-231G intermittently goes offline. 145 Views
- Forticlient EMS Cloud a reliability/stability and... 138 Views
- FortiSandbox File On-Demand 159 Views
- Issues with IPsec VPN and RTSP... 190 Views
- SSL VPN is not doing split... 290 Views
Labels
-
FortiGate
8,407 -
FortiClient
1,700 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
403 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
FortiWeb
197 -
5.0
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.