FortiOS shadow-ztna dns option missing from 7.2.5
I am trying to implement the shadow-ztna feature so I do not have to host DNS entries for internal resources on the public internet.
I am using the 7.2.5 administration guide linked below. It states that the command is hidden, but on the 200F running 7.2.5 the command is missing entirely. Is there a specific feature that needs to be enabled, or some pre-configuration, so the command can be used?
 
https://docs.fortinet.com/document/fortigate/7.2.5/administration-guide/708477
Labels: FortiClient, FortiClient EMS, FortiGate
Hi @aguerriero
I have tested the given configuration example in the lab. After enabling the "add-vhost-domain-to-dnsdb" setting in the access-proxy for the configured ZTNA server, I am able to see the entry in the DNS database under the shadow-ztna view.
For example:
config firewall access-proxy
    edit "ztna"
        set vip "ztna"
        set client-cert enable
        set add-vhost-domain-to-dnsdb enable
    next
end
show full-configuration system dns-database
config system dns-database
    edit "test1.test.com"
        set status enable
        set domain "test1.test.com"
        set type primary
        set view shadow-ztna
        set ttl 86400
        set authoritative enable
        unset forwarder
        set source-ip 0.0.0.0
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 86400
                set hostname "test1.test.com"
                set ip 172.18.82.66
            next
        end
        unset allow-transfer
        set primary-name "test1.test.com"
        set contact "fgt-ztna"
    next
end
Please confirm the access-proxy and VIP configuration for the ZTNA server, and make sure the following setting is enabled:
set add-vhost-domain-to-dnsdb enable
Regards
Priyanka
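Because the shadow-ztna zone is generated by the FortiGate and cannot be edited by hand, the practical check after enabling the setting is to confirm that every domain you publish through an access proxy actually shows up as an A record in that view. The script below is an added example, not code from this thread or from Fortinet: it parses the nested config/edit/set/unset/next/end syntax of `show full-configuration system dns-database` output, lists the zones whose view is shadow-ztna, and reports published domains that are missing. SAMPLE is a constructed copy of the output pasted above (with the trailing `end` restored); the list of published domains is supplied by the operator, the example does not derive it from the access-proxy configuration.

```python
"""List ZTNA shadow DNS zones from FortiOS `show full-configuration
system dns-database` output and flag published domains without an A record.

Added example; not from the forum post or Fortinet. The parser only knows
the generic config/edit/set/unset/next/end block syntax, and SAMPLE is a
constructed copy of the output shown in the thread."""

import shlex

# Constructed sample: the dns-database output from the thread, trailing `end` included.
SAMPLE = """\
config system dns-database
    edit "test1.test.com"
        set status enable
        set domain "test1.test.com"
        set type primary
        set view shadow-ztna
        set ttl 86400
        set authoritative enable
        unset forwarder
        set source-ip 0.0.0.0
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 86400
                set hostname "test1.test.com"
                set ip 172.18.82.66
            next
        end
        unset allow-transfer
        set primary-name "test1.test.com"
        set contact "fgt-ztna"
    next
end
"""


def parse_fortios(text):
    """Return {table: {entry: {key: value, subtable: {...}}}}.
    `set k v` stores v as a string (a list for multi-value settings),
    `unset k` stores None. A missing trailing `end`/`next`, as in a
    truncated paste, is tolerated."""
    tokens = [t for t in (shlex.split(l.strip()) for l in text.splitlines()) if t]
    pos = 0

    def parse_table():
        nonlocal pos
        table = {}
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok[0] == "edit":
                table[tok[1]] = parse_entry()
            elif tok[0] == "end":
                return table
        return table

    def parse_entry():
        nonlocal pos
        entry = {}
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok[0] == "set":
                entry[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
            elif tok[0] == "unset":
                entry[tok[1]] = None
            elif tok[0] == "config":
                entry[" ".join(tok[1:])] = parse_table()
            elif tok[0] == "next":
                return entry
            elif tok[0] == "end":
                pos -= 1  # let the enclosing table consume its own `end`
                return entry
        return entry

    result = {}
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok[0] == "config":
            result[" ".join(tok[1:])] = parse_table()
    return result


def shadow_ztna_records(text):
    """Map each zone with `set view shadow-ztna` to its enabled
    (hostname, type, ip) records."""
    zones = parse_fortios(text).get("system dns-database", {})
    out = {}
    for name, zone in zones.items():
        if zone.get("view") != "shadow-ztna":
            continue
        out[name] = [
            (e.get("hostname"), e.get("type"), e.get("ip"))
            for e in zone.get("dns-entry", {}).values()
            if e.get("status", "enable") == "enable"
        ]
    return out


def missing_shadow_zones(published_domains, text):
    """Published domains (virtual hosts / TCP-forwarding domains, supplied by
    the operator) that have no shadow-ztna A record in the parsed output."""
    have = {h.lower() for recs in shadow_ztna_records(text).values()
            for h, t, _ in recs if t == "A"}
    return sorted(d.lower() for d in published_domains if d.lower() not in have)


if __name__ == "__main__":
    for zone, recs in shadow_ztna_records(SAMPLE).items():
        print(zone, recs)
    # app2.test.com is a hypothetical second published domain with no zone yet.
    print("missing:", missing_shadow_zones(["test1.test.com", "app2.test.com"], SAMPLE))
```

Paste the live `show full-configuration system dns-database` output in place of SAMPLE, or read it from a file, and feed `missing_shadow_zones` the domains you expect the access proxies to publish; a non-empty result means the setting is not taking effect for that proxy, or the domain is not configured as a virtual host or TCP-forwarding domain on it.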
Hi @aguerriero
ZTNA shadow cannot be configured or edited in the GUI or CLI.
For example:
config firewall access-proxy
    edit <name>
        set add-vhost-domain-to-dnsdb {enable | disable}
    next
end
You need to enable "set add-vhost-domain-to-dnsdb" in the access-proxy setting; all virtual hosts and TCP forwarding domains in the access proxy will then be added under config system dns-database.
Please refer to the guide below for reference:
Regards
Priyanka
Yes, entries cannot be edited. But this line in the 7.2.5 administration guide says I can view shadow ztna entries.
 
