FortiGate
gmanea
Staff
Article Id 194750

Description

 

This article describes how setting the DNS suffix can be useful when it is required to resolve server names without typing the entire domain name when connected via IPsec Dial-Up or SSL VPN.

 

Scope

 

FortiGate.


Solution

 

This option is not available in the GUI, but it can be set from the CLI. Note that the 'set domain' and 'set unity-support' commands are only available when IKEv1 is used.

The commands are the following:

For IPsec VPN:

config vpn ipsec phase1-interface
    edit <gateway_name>
        set mode-cfg enable
        set type dynamic
        set ipv4-dns-server1 <ipv4_dns_server>
        set ipv6-dns-server1 <ipv6_dns_server>
        set unity-support enable    <- Must be enabled in order to use the 'set domain' command.
        set domain <domain>
    next
end
 
For SSL VPN:

If set in the global SSL VPN settings, the suffix is applied to all SSL VPN connections:

config vpn ssl settings
    set dns-suffix example.com
end
 
It can also be applied to individual SSL VPN portals:
 
config vpn ssl web portal
    edit <portal_name>
        set dns-suffix example.com
    next
end

If more than one domain suffix is needed, multiple entries can be added using a semicolon ';' as the delimiter, with no blank spaces between them:
 
set dns-suffix example.com;example.org
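As an added example (not code from the article or from Fortinet), the small Python helper below validates a dns-suffix value against the delimiter rule above before it is pasted into the CLI, expands an unqualified hostname into the FQDNs a connected client would try for each configured suffix, and renders the per-portal block. The hostname label rules and the handling of names that already contain a dot are assumptions of the example, as is the portal name 'full-access'.

```python
from __future__ import annotations
import re

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dns_suffix(value: str) -> list[str]:
    """Validate a FortiOS 'set dns-suffix' value and return its suffix list.

    FortiOS takes several suffixes joined by ';' with no blank spaces, so any
    whitespace, empty entry, or malformed domain is rejected here, before the
    value reaches the CLI.
    """
    if not value or any(ch.isspace() for ch in value):
        raise ValueError("dns-suffix must not be empty or contain blank spaces")
    suffixes = value.split(";")
    for suffix in suffixes:
        if not suffix:
            raise ValueError("empty entry (check for a doubled or trailing ';')")
        labels = suffix.rstrip(".").split(".")  # tolerate a trailing dot
        if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
            raise ValueError(f"{suffix!r} is not a valid domain suffix")
    return [s.rstrip(".").lower() for s in suffixes]


def candidate_fqdns(name: str, suffixes: list[str]) -> list[str]:
    """Names a VPN client's resolver would try for 'name', in configured order.

    Assumption of this example: a name containing a dot is treated as already
    qualified and returned as-is (real resolvers differ in their ndots rules).
    """
    if "." in name:
        return [name.rstrip(".")]
    return [f"{name}.{sfx}" for sfx in suffixes]


def ssl_portal_config(portal_name: str, suffixes: list[str]) -> str:
    """Render the per-portal CLI block from the article for a validated list."""
    return (
        "config vpn ssl web portal\n"
        f"    edit {portal_name}\n"
        f"        set dns-suffix {';'.join(suffixes)}\n"
        "    next\n"
        "end"
    )


if __name__ == "__main__":
    # Constructed sample value in the article's format.
    sfx = parse_dns_suffix("example.com;example.org")
    print(candidate_fqdns("fileserver", sfx))
    print(ssl_portal_config("full-access", sfx))
```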

Comments

aqils
Staff

Thanks for sharing this article.

Is there any limit for IPsec?
I have a customer who said that with IPsec he was only able to add one DNS suffix, while using SSL VPN he was able to add 3 DNS suffixes, which covers most of the domains of their centers.