FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gmanea
Staff
Staff

Description

 

The setting of the DNS suffix can be useful when it is required to resolve server names without typing the entire domain name when connected via IPsec Dial-Up or SSL VPN.

 

Scope

 

FortiGate


Solution

 

This configuration option is not available in the GUI interface, but it can be set using the CLI.
 
The commands are the following:
 
For IPsec VPN:
 
# config vpn ipsec phase1-interface
    edit <gateway_name>
        set mode-cfg enable
        set type dynamic
        set ipv4-dns-server1
        set ipv6-dns-server1
        set domain <domain>
    next
end
 
For SSL VPN
 
If applied to global settings, all connections will have the settings applied:
 
# config vpn ssl settings
    set dns-suffix example.com
end
 
It can also be applied for individual SSL VPN portals:
 
# config vpn ssl web portal
    edit <portal_name>
        set dns-suffix example.com
    next
end

If more than one domain suffix is needed, multiple entries can be added using a semicolon ";" without blank spaces as delimiter:

    # set dns-suffix example.com;example.org

Note: Starting with FortiOS 7.0.6 and 7.2.0, multiple domain suffix entries are not supported. 

Comments
aqils
Staff
Staff

Thanks for sharing this article.

Is there any limit for IPSEC?
I have a customer who said with IPSEC he was only able to add one DNS Suffix. While using SSL VPN he was able to add 3 DNS Suffix which covers most of the domains of their centers. 

Contributors