Fortigate as SSL VPN Client - DNS Issues?

Hello!

We recently set up our Fortigate to act as an SSLVPN Client for access to a vendor network. After doing so, we noticed name resolution of FQDNs failing for internal domains. I checked the DNS config via ‘diag test app dnsproxy 2’ and found two addresses listed which are not the same as those found under config system dns. I had a hunch that local-out DNS requests were going to DNS servers provided by the SSL VPN server - and after connecting a Windows endpoint and confirming, we have a case open with Fortinet TAC for resolution/confirmation this is a bug (SSLVPN Client overriding system-level DNS).

Has anyone ever run into this? I didn’t see anything in the documentation related to DNS under the SSL VPN client config or release notes.

Thanks!

config vpn ssl settings
    set dns-suffix "domain.com"
end

This is what you need. You also have to set the DNS servers you want here as well.

You can set dns per portal so might be worth taking a look there.

I appreciate everyones feedback, but it seems aimed towards the SSLVPN Client config - Not the Fortigate acting as SSLVPN Client to another Fortigate. Perhaps I should have been more clear?

We had to manually set the default DNS suffix to properly route DNS traffic. Are you split or full tunnel for SSLVPN? It does make a difference.

is this a CLI only setting?

You’re talking about web tunnel mode where they log in and access via webpage assigned resources?

You need to configure DNS service for the sslvpn interface for this then and setup forwarding to your DNS servers with a DNS database entry

Edit:

Might also have to set dns servers in the sslvpn config as well.

I’d like to think I’ve seen the option in the gui, but the article was only cli.

No - See below.

apologies, so it’s an sslvpn tunnel with the 2nd firewall as a client tunnel connection.

People probably don’t run into this issue because they quite likely never set up SSLVPN tunnels and only use IPsec tunnels.

Bingo. Our firewall is acting as an SSLVPN client to a vendor acting as the SSLVPN server.

I know the firewalls have an override DNS setting on the interfaces. Can you verify that isn’t configured for the Internet connections on the client gate? I had issues with this when we swapped ISPs.

Yeah sorry, I guess it was a little unclear in the initial explanation, mostly because I just don’t know anyone that uses SSLVPN in this scenario.

Just set up an IPsec tunnel instead, limit access to the correct subnets/policies and your issue is solved without running into whatever bug is causing this. As even if it is a bug you still need to solve the problem.

You son of a bitch, it was enabled.

Well hope that fixes it then! It caused us some confusion for a day or so when it happened, so I feel your pain.

Never expected that. Makes sense I suppose with DHCP-based WAN interfaces, but this is set as a DMZ interface. Thanks, Fortinet
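As an added example (not posted by anyone in this thread), here is the FortiOS CLI sequence for the check the thread converges on: confirm which resolvers the DNS proxy is actually using, compare them with the system DNS servers, and then inspect the per-interface DNS override that turned out to be enabled. The interface name and the addresses are placeholders; substitute your own.

```fortios
# 1. Resolvers the FortiGate is really using for local-out DNS
#    (the command from the original post).
diagnose test application dnsproxy 2

# 2. What the system-level configuration says they should be.
#    Addresses are constructed example values.
config system dns
    set primary 10.0.0.53
    set secondary 10.0.0.54
end

# 3. Per-interface DNS override. When enabled, resolvers learned on that
#    interface take precedence over "config system dns", which is the
#    behaviour observed in the thread. "dmz" is an assumed interface name;
#    check every interface that carries the tunnel or Internet traffic.
show system interface dmz
config system interface
    edit "dmz"
        set dns-server-override disable
    next
end

# 4. Re-run step 1 and confirm the listed resolvers now match step 2.
diagnose test application dnsproxy 2
```

The point of running the diagnostic before and after is that the override is easy to miss in the GUI; the dnsproxy output is the authoritative view of where queries are actually going.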