FortiGates are fantastic IEDs (Integrated Edge Devices) that are often used as VPN concentrators for remote workers. Their SSL VPN is simple enough to set up, but there is a misunderstanding around DNS that I have encountered a few times now.
The problem occurs when an administrator has configured the FortiGate to use internal DNS servers, such as Active Directory domain controllers, and those DNS servers host more than one zone. The symptom is that machines connected via VPN can only resolve names from records in the primary zone.
Specifically, this happens when the VPN portal is configured to use split DNS. In most firmware versions, split DNS is enabled by default when split tunneling is selected. Administrators often enter the FQDN for the local directory and the IP addresses of the domain controllers, because this is how most DNS clients work.
It isn’t how split DNS on a FortiGate works. To resolve names in zones other than the Active Directory domain, you will need to manually enter each additional zone’s domain name. Don’t take my word for it; here is the KB post: Technical Tip: Split DNS support for SSL VPN portals (fortinet.com).
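The difference looks like this in the FortiOS CLI. This is an added example, not configuration taken from the KB post: the portal name, zone names and DNS server addresses are constructed placeholders, and the `#` lines are annotations to leave out when entering the commands.

```text
# Constructed example: portal name, zones and addresses are placeholders.

# Before: only the Active Directory domain is listed, so VPN clients
# send only queries for that zone to the internal DNS servers.
config vpn ssl web portal
    edit "full-access"
        config split-dns
            edit 1
                set domains "corp.example.com"
                set dns-server1 10.0.0.10
                set dns-server2 10.0.0.11
            next
        end
    next
end

# After: each additional zone hosted on the same DNS servers is
# entered explicitly alongside the Active Directory domain.
config vpn ssl web portal
    edit "full-access"
        config split-dns
            edit 1
                set domains "corp.example.com,apps.example.net,lab.example.org"
                set dns-server1 10.0.0.10
                set dns-server2 10.0.0.11
            next
        end
    next
end
```

After reconnecting the VPN client, querying one host name from each listed zone confirms that every zone now resolves through the tunnel.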