Fortigate SSL VPN – Portal DNS

I have been working with Fortigate for a long time now, and one thing that bugged the life out of me (and most clients I work with) is that Fortigate’s SSL VPN feature would not allow you to specify certain settings per portal or group, for example DNS servers and domain suffixes. Most firewall/router vendors have been able to do this for years with no problem.

Starting in firmware 5.2.2 you can now specify individual DNS servers per portal! That’s right: if I have two different domains using the SSL VPN and I specify individual user groups and portals, I can now give each side its own specific DNS servers.

The DNS setting per portal is CLI only as of firmware 5.5.5 – I see this changing in future firmwares (it still has not changed in 5.4.1 either). The setting is under the VPN – SSL – Web portal options. You can also specify individual WINS servers. This entry is written for someone who already has the SSL VPN up and working. Something to note is that these portal settings override the global DNS settings configured under VPN – SSL – Settings.

config vpn ssl web portal
    edit "Sales-Portal"
        set tunnel-mode enable
        set ip-pools "VPN-Pool"
        set split-tunneling-routing-address "SSL-VPN-ROUTES"
        set dns-server1 10.60.134.5
        set dns-server2 10.60.134.6
    next
end

dns-server1 and dns-server2 are the per-portal DNS servers; both override the global config.

And there we have it! We then can of course associate the portal with a certain group of users, so for example Domain 1 get Domain 1’s server and same for Domain 2.
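To confirm that a portal override actually took effect, here is an added Python check (not from the original post) that parses a FortiOS CLI config dump and reports, per portal, which DNS servers a tunnel client receives and whether they come from the portal or from the global SSL settings. The sample config is constructed, and the assumption that a portal's own dns-server1/2 replace the global pair as a whole follows the override behaviour described above.

```python
import ipaddress

# Constructed sample FortiOS config (not from the post): global DNS plus two portals.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set dns-server1 10.0.0.53
    set dns-server2 10.0.0.54
end
config vpn ssl web portal
    edit "Sales-Portal"
        set dns-server1 10.60.134.5
        set dns-server2 10.60.134.6
    next
    edit "Eng-Portal"
        set tunnel-mode enable
    next
end
"""

def parse_fortios(text):
    """Collect 'set' key -> value for 'config vpn ssl settings' and per portal."""
    global_settings, portals, stack, portal = {}, {}, [], None
    for raw in text.splitlines():
        line, top = raw.strip(), (stack[-1] if stack else None)
        if line.startswith("config "):
            stack.append(line[7:])
        elif line == "end" and stack:
            stack.pop()
        elif top == "vpn ssl web portal" and line.startswith("edit "):
            portal = line[5:].strip('"')
        elif top == "vpn ssl web portal" and line == "next":
            portal = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            if top == "vpn ssl settings":
                global_settings[key] = value.strip('"')
            elif top == "vpn ssl web portal" and portal:
                portals.setdefault(portal, {})[key] = value.strip('"')
    return global_settings, portals

def effective_dns(global_settings, portals):
    """Return portal -> ('portal'|'global', [servers]) a client on it receives.
    Assumes a portal's own dns-server1/2, when set, replace the global pair."""
    keys, result = ("dns-server1", "dns-server2"), {}
    for name, cfg in portals.items():
        src = cfg if any(k in cfg for k in keys) else global_settings
        servers = [str(ipaddress.ip_address(src[k]))  # ValueError on a mistyped address
                   for k in keys if src.get(k, "0.0.0.0") != "0.0.0.0"]
        result[name] = ("portal" if src is cfg else "global", servers)
    return result
```

Run it against the output of `show vpn ssl settings` and `show vpn ssl web portal` concatenated; a portal that reports "global" when you expected an override is the one to recheck.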

2 responses to “Fortigate SSL VPN – Portal DNS”

  1. Pavel August 19, 2016 at 1:07 pm

    Very useful! Is there an option for DNS suffix per portal? I can’t find such.

    • cjcott01 August 20, 2016 at 12:00 pm

      Hello! Thanks for the comment.
      As of 5.4.0 there is still not an option to specify a different DNS suffix per portal – I will check 5.4.1. But you can specify multiple prefixes in the global SSL settings and it will use all of them. So if a user is in either one of the domains specified, it will attempt to resolve in both. For example:
      config vpn ssl settings
          set dns-suffix "google.com fortinet.com home.local"
      end

      it would rotate through all of those.
