Fix A Common FortiGate VPN DNS Issue

FortiGates are fantastic IEDs (Integrated Edge Devices) that are often used as VPN concentrators for remote workers. Their SSL VPN is simple enough to set up, but there is a misunderstanding around DNS that I have encountered a few times now.

The problem occurs when an administrator has configured the FortiGate to use internal DNS servers, such as Active Directory domain controllers, and those DNS servers host more than one zone. The symptom is that machines connected via VPN can only resolve names from records in the primary zone.

Specifically, this happens when the VPN portal is configured to use split DNS. In most firmware versions, split DNS is enabled by default when split tunneling is selected. Administrators often enter the FQDN of the local directory domain and the IP addresses of the domain controllers, because this is how most DNS clients work.

That isn't how split DNS on a FortiGate works: a client query is only sent to the split DNS servers when the name falls under one of the domains listed for the portal. To resolve names in zones other than the Active Directory domain, you will need to manually enter each additional zone's domain name. Don't take my word for it, here is the KB post Technical Tip: Split DNS support for SSL VPN portals (fortinet.com).
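As an added illustration (not from the original post or from Fortinet's KB article), here is what the misconfiguration and the fix look like in the FortiOS CLI. The portal name, domain names and domain controller addresses are placeholders, the `#` lines are annotation rather than configuration, and the `config split-dns` syntax follows the FortiOS 6.x/7.x CLI as I know it, so check it against the CLI reference for your firmware version.

```text
# Before: only the AD domain is listed, so VPN clients send queries for
# names in the other zones hosted on the domain controllers elsewhere
# (their local resolver), and those names fail to resolve.
config vpn ssl web portal
    edit "remote-workers"
        set tunnel-mode enable
        set split-tunneling enable
        config split-dns
            edit 1
                set domains "corp.example.com"
                set dns-server1 10.0.0.10
                set dns-server2 10.0.0.11
            next
        end
    next
end

# After: every zone the domain controllers are authoritative for is listed
# explicitly, comma separated, so queries for all of them go through the
# tunnel to the domain controllers.
config vpn ssl web portal
    edit "remote-workers"
        config split-dns
            edit 1
                set domains "corp.example.com,example.net,lab.example.org"
                set dns-server1 10.0.0.10
                set dns-server2 10.0.0.11
            next
        end
    next
end
```

After applying the change, reconnect a VPN client and resolve a host from one of the added zones (for example `nslookup fileserver.example.net` on Windows); the answer should now come from the domain controller address rather than the client's local resolver. Keep the list in step with the zones hosted on the DNS servers: a zone added to Active Directory DNS later will show the same symptom until it is added here too.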

About Kevin Trent

IT professional with almost 30 years of experience in Infrastructure, Architecting, Administration, Development, and Communications.
