Pushing DNS Suffix to Fortigate SSL VPN

After setting up an SSL VPN tunnel, one of the biggest complaints I get is “I cannot get to my shares”. This is because the domain suffix has not been pushed out to their tunnel interface, so unqualified host names do not resolve over the VPN. This is easy to remedy, but the setting seems to be available in the CLI only.

Within the CLI you have many options under the SSL VPN config that are not presented in the GUI.

You can edit the VPN tunnel with the command:

config vpn ssl settings

Here is a list of all the settings:


As you can see, dns-suffix is an option, as are the DNS servers.

The suffix option is not presented in the GUI, but the DNS servers are.

The command to set the suffix is:

set dns-suffix corp.local


Make sure your DNS servers are also set for your internal network and it should now work without a problem.
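
To confirm on a Windows client that the suffix actually reached the tunnel adapter, this added example (not from the original post) parses English-locale `ipconfig /all` output and checks the connection-specific DNS suffix of the VPN adapter. The adapter name `sslvpn-example`, the addresses and the sample output are constructed for illustration.

```python
import re

# Constructed English-locale `ipconfig /all` sample; adapter name and IPs are assumptions.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.lan
   DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter sslvpn-example:

   Connection-specific DNS Suffix  . :
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11
"""

# "Key . . . : value": the dotted leader marks a field, so continuation lines are not fields.
FIELD = re.compile(r"^\s+(\S.*?)(?:\s\.)+\s*:\s?(.*)$")

def parse_ipconfig(text):
    """Return {adapter header: {"suffix": str, "dns": [str, ...]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            header, last_key = line.strip(), None
            current = (adapters.setdefault(header[:-1], {"suffix": "", "dns": []})
                       if header.endswith(":") else None)
            continue
        if current is None:        # global "Windows IP Configuration" block
            continue
        m = FIELD.match(line)
        value = m.group(2).strip() if m else line.strip()
        if m:
            last_key = m.group(1).strip()
            if last_key == "Connection-specific DNS Suffix":
                current["suffix"] = value
        if last_key == "DNS Servers" and value:
            current["dns"].append(value)
    return adapters

def suffix_pushed(text, adapter, expected):
    # True if an adapter whose header contains `adapter` carries suffix `expected`.
    return any(adapter.lower() in name.lower() and info["suffix"].lower() == expected.lower()
               for name, info in parse_ipconfig(text).items())
```

Feed it the text of `ipconfig /all` captured after the VPN connects; a `False` result for the tunnel adapter means the client did not apply the pushed suffix.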

3 responses to “Pushing DNS Suffix to Fortigate SSL VPN”

  1. manfred January 28, 2015 at 8:00 pm

    Hi, thank you for sharing this information. I did that as described, a “get” shows that the suffix was set correctly. Unfortunately, my Windows 7 client does not receive the suffix. Still appears empty. Any ideas?
    Best regards, Manfred

    • cjcott01 January 28, 2015 at 9:27 pm

      Hi Manfred, make sure your local firewall has the correct dns domain set under – sys – int – dns

      • manfred January 28, 2015 at 10:41 pm

        It has. But, when I do “ipconfig /all”, after connecting via the fortinet vpn client, no dns suffix is set on the connection. It is still blank. Entering the suffix manually in the Windows settings of the connection works fine, but pushing it through the fortigate fe itself does not seem to show any effect.
