Hi all,
I hope you can help me. I am kind of new to FortiGate and networks. I was asked to disable internet access on our Domain Controller, so I thought "that is easy" and configured a rule to block the internal interface - DC IP address from reaching wan1 (internet). It worked, but now none of the domain computers can access the internet either. Any suggestion?
best regards
I bet you have "a.b.c.0/24" as source address in the DENY policy. That will be effective for the whole LAN.
For a single host, use "a.b.c.d/32".
If that doesn't solve it, please post your policy here for review.
And of course "it's easy" :)
I would guess that the LAN clients didn't truly lose internet but lost DNS because your domain controller is the DNS server for your LAN clients and your block prevents it from doing recursive lookups to whatever DNS servers it is designed to talk to.
Either that or Ede was right and you set up the source address wrong, but I'm giving you benefit of the doubt ;) You can test if I'm right by trying to ping an Internet IP address like 8.8.8.8 from one of the LAN clients, then trying to ping www.google.com.
If I'm right, the former will work but the latter will break due to the inability to resolve it. If so, you can fix this by adding a policy above your block policy that allows just DNS outbound from the domain controller, and that should fix your issue. Alternatively you can give your LAN clients different DNS servers, but that breaks some internal things, so I wouldn't recommend it in an Active Directory environment.
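As an added example that is not from the thread, here is the FortiOS CLI equivalent of the two points raised so far: a /32 address object for the DC, so the deny matches only that host and not the whole LAN subnet, and an accept policy for DNS placed above the deny, so first-match evaluation lets the DC's recursive lookups out while everything else from the DC to wan1 is dropped. The interface names "internal" and "wan1", the DC address 192.168.10.5 and the policy IDs 10 and 11 are assumptions; lines beginning with # are annotations, not CLI.

```text
# Assumed: LAN interface "internal", ISP interface "wan1", DC at 192.168.10.5.

# A host object with a /32 mask. A /24 here would make the deny below
# apply to every machine on the LAN, which is the symptom in the question.
config firewall address
    edit "DC01"
        set subnet 192.168.10.5 255.255.255.255
    next
end

config firewall policy
    # Allow only DNS (UDP/TCP 53) from the DC out to the internet.
    edit 10
        set name "DC01-DNS-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "DC01"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set logtraffic all
    next
    # Deny everything else from the DC to the internet.
    edit 11
        set name "DC01-deny-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "DC01"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Policies are matched top-down; make sure the accept sits above the deny.
    move 10 before 11
end
```

Check the order with `show firewall policy`, then test from the DC itself: `nslookup www.google.com` should succeed, while a browser or `Test-NetConnection <public-ip> -Port 443` should fail and show up as a denied entry in the forward traffic log.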
@lobstercreed:
the obvious skipped me, thanks. You're probably right.
One hint though:
I would not allow the DC to contact an external DNS. Rather, configure the DC to ask the FGT for external names. Only the FGT knows at least one reliable DNS, namely the provider's DNS. DNS is security relevant, no host on a protected LAN should be able to contact arbitrary DNS in the world.
There are numerous posts on the forums on how to configure the FGT to offer DNS on its LAN interface. The DC would be the DNS for the clients, type 'recursive', and escalate requests for foreign hosts to the FGT.
If that is not clear to you, please post again and we'll post it here.
Thanks all of you for your comments, actually I did what @lobstercreed mentioned, I configured a policy to allow only DNS to the DC server, and it worked.
All computers in my domain have the DC IP address as DNS, and the DC has its own IP address as DNS and 8.8.8.8 as secondary. So your suggestion is to remove that 8.8.8.8 and configure the FortiGate to offer that service?
best regards
Yes, absolutely. Most of the installations I know use either PPPoE or DHCP to connect to the ISP, so they are assigned a "well known" DNS which they can trust. If you do too, make sure that in the wan interface setup you enable "Override system DNS" to assign the DNS dynamically.
In many networks I block DNS from the LAN to WAN, as clients should use the FGT (resp. the DC and the DC uses the FGT as last resort). Misconfigured clients will report quickly to the admin...
Quad8 DNS is reported to be collecting a lot of information. If you want to use a public DNS, use quad9 (9.9.9.9 or 9.9.9.10) instead.
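The design described in the last two replies (FortiGate resolves on behalf of the LAN, the DC forwards to the FortiGate, and no other LAN host may talk to external DNS) as an added FortiOS CLI example that is not from the thread. It assumes the LAN interface is named "internal", the ISP interface is "wan1", and policy ID 30 is free; lines beginning with # are annotations, not CLI. Step 1 and step 2 are alternatives: with the wan1 override enabled the ISP-assigned resolvers replace the static entries whenever wan1 is configured by DHCP or PPPoE.

```text
# Assumed: LAN interface "internal", ISP interface "wan1".

# 1. Trust the resolvers the ISP hands out on wan1 (DHCP or PPPoE).
config system interface
    edit "wan1"
        set dns-server-override enable
    next
end

# 2. Or, if you prefer a public resolver, point the system DNS at Quad9
#    (9.9.9.9, with 149.112.112.112 as Quad9's secondary address).
config system dns
    set primary 9.9.9.9
    set secondary 149.112.112.112
end

# 3. Answer DNS on the LAN interface and resolve external names recursively
#    using the system DNS servers above.
config system dns-server
    edit "internal"
        set mode recursive
    next
end

# 4. Stop every LAN host from reaching external DNS servers directly.
#    Place this above the general LAN-to-WAN accept policy
#    (inside "config firewall policy": move 30 before <id of the accept policy>).
config firewall policy
    edit 30
        set name "LAN-deny-external-DNS"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

On the DC, remove 8.8.8.8 from the NIC's DNS settings and set the FortiGate's LAN address as the DNS forwarder (DNS Manager, Forwarders tab, or `Set-DnsServerForwarder -IPAddress <fortigate-lan-ip>`); clients keep the DC as their only DNS server. Once the DC forwards to the FortiGate, its lookups never cross wan1, so no DC-to-internet DNS policy is needed. Verify from a client: `nslookup www.google.com` (via the DC) should work, while `nslookup www.google.com 8.8.8.8` should time out and appear as a deny in the forward traffic log, which is how the misconfigured clients mentioned above make themselves known.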