FortiGate as Slave DNS with Windows DNS Master

It is possible to set up your FortiGate device so that requests for specific domains are forwarded to a Windows DNS server. Below are the steps needed to get this working.

On the Windows Master DNS Server

  • Open DNS Manager and open the zone needed
  • Find the Start of Authority (SOA) record
  • Properties > Zone Transfers
  • Allow Zone Transfers > To Any Server (you can also specify the server)
  • Open ‘Notify’ and add the Slave DNS IP address (the IP the Master DNS will see the FortiGate coming from)

On the FortiGate Slave

  • Enable the DNS Database feature (System > Config > Features)
  • Go to System > Network > DNS Servers and Create a new DNS Database.
    • Type: Slave
    • View: Shadow
    • DNS Zone: <dns_zone>
    • Domain Name: <dns_zone.local>
    • IP of Master: <IP of Master DNS>
    • Authoritative: Enable/Disable

You will then need to add an SRV record, and specify the source IP address if your Master DNS is reached over VPN:

  • Connect to the FortiGate CLI
  • Add the SRV record:

    config system dns-database
    edit "<dns_zone>"
    set forwarder "<IP of Master DNS>"
    next
    end

  • Specify the source IP (the FortiGate address the Master DNS sees; it must match the Notify entry added on the Master):

    config system dns-database
    edit "<dns_zone>"
    set source-ip "<IP of FortiGate>"
    next
    end

Add the DNS service to the Interface

  • Go to System > Network > DNS Servers and Create a new DNS Service.
  • Interface: <Interface users will connect to>
  • Mode: Recursive

Testing

You can test the new DNS service works by running a ping through your FortiGate CLI

execute ping-options source <interface IP address>
execute ping <FQDN of a server in the new DNS zone>

Potential Issues

The interface your users connect to may be set to use “Same as System DNS”. If you use external DNS servers, this means your users will not benefit from the changes we have just made.

To fix this, change the interface setting to “Same as Interface IP”. Users will then get the Interface IP as their DNS server, and will benefit from all DNS Database changes we make on the FortiGate.
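The whole procedure above, as one FortiOS CLI configuration (added example, not from the original post): the slave zone with the master's IP and the source IP used for zone transfers, the DNS service on the user-facing interface, and the DHCP fix from the “Potential Issues” section. The zone name example.local, the addresses 192.0.2.10 (Windows master) and 10.10.10.1 (FortiGate interface the master sees), and the interface name internal are constructed placeholders; the option name ip-master is from older FortiOS releases and is assumed to match the “IP of Master” field in the GUI shown above.

```fortios
# Added example (not from the original post). Placeholders are constructed:
#   example.local  - zone hosted on the Windows master DNS
#   192.0.2.10     - Windows master DNS server
#   10.10.10.1     - FortiGate address the master sees; also the Notify entry on the master
#   internal       - interface users connect to

# Slave copy of the zone, pulled from the Windows master.
config system dns-database
    edit "example.local"
        set status enable
        set domain "example.local"
        set type slave
        set view shadow
        set ip-master 192.0.2.10
        set forwarder "192.0.2.10"
        set source-ip 10.10.10.1
        set authoritative enable
    next
end

# Serve DNS on the user-facing interface (recursive mode, as in the GUI steps).
config system dns-server
    edit "internal"
        set mode recursive
    next
end

# "Potential Issues" fix. In the DHCP scope for the user interface:
#   set dns-service default   = "Same as System DNS"   (users bypass the FortiGate zone)
#   set dns-service local     = "Same as Interface IP" (users query the FortiGate)
config system dhcp server
    edit 1
        set interface "internal"
        set dns-service local
    next
end
```

The zone transfer will only succeed if the Windows master allows transfers to, and notifies, the address given in source-ip; after applying, test as in the Testing section (execute ping-options source 10.10.10.1, then ping a host in the zone).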

FortiGate – Change Switch Mode

Out of the box, your FortiGate device will most likely be in Switch mode, which groups the internal interfaces into a single switch. To change to Interface mode, follow the steps below.

Interface mode allows you to control all of the interfaces separately. Before changing modes, make sure none of the interfaces (lan/internal) are referenced by other configuration objects, such as policies, routes or DHCP servers.

Enter Interface Mode

config system global
set internal-switch-mode interface
end

Enter Switch Mode:

config system global
set internal-switch-mode switch
end


FortiGate Reports Menu Missing

You might come across an instance where your Reports menu is missing from within the FortiGate GUI. I noticed this today when I went to disable local report emails and wasn’t able to!

We use FortiAnalyzer for our reports, so when transferring to this we disabled Local Disk logging; this in turn removed the Reports menu.

It is a quick fix to get the menu back:

  • Connect to your FortiGate GUI
  • Log & Report > Log Config > Log Settings
  • Enable Disk logging
  • Enable Local Reports
    • If you are using FortiAnalyzer you may get an error message about Fortinet recommendations, you can ignore this for the moment
  • Log out and then Log back in, you will now see the menu
  • Log & Report > Log Config > Report

In my case we disabled “Email Generated Reports” and then disabled Local Reports and Disk logging. By disabling Local Reports you clear the FortiAnalyzer message you might have come across earlier.

IPsec VPN with Public IP Subnet’s on a FortiGate

I recently came across a requirement to create a site-to-site IPsec VPN. This is usually not an issue: set your Phase 1 and Phase 2 settings, apply your policies and you are good to go. The difference this time was that the local and remote subnets were public IP addresses, and the public IP address on our side was also being used as a VIP.

Below I document the steps to get this working. The issues I had were where I put my policies, and not enabling NAT on the outgoing policy!

Create your IPsec tunnel:

FortiGate GUI > VPN > IPsec > Tunnels > Create New

  • Set your name and choose your template. I used “Custom VPN Tunnel (No Template)”
  • Fill in your Phase1 settings
  • Fill in your Phase2 settings:
    • Local Subnet – this will be your Public IP/Range
    • Remote Subnet – this will be their Public IP/Range
  • Press OK to create the tunnel

Add in your new route:

FortiGate GUI > Router > Static Routes > Create New

  • Destination IP/Mask – this will be the Remote Subnet you entered for your Phase2
  • Device – this will be the tunnel you have just created
  • Change any of the other settings if you need to
  • OK to add the new route

Create an IP Pool:

FortiGate GUI > Policy & Objects > Objects > IP Pools > Create New

  • Add a name and comments if required, and set the type (I am using Overload)
  • External IP Range = the range you set for Local Subnet
  • Ok to create the IP Pool

Create your policies:

FortiGate GUI > Policy & Objects > Policy > IPv4 > Create New

Outgoing

  • Incoming Interface = The internal interface where your server exists
  • Source Address = An object with the internal IP address of your server
  • Outgoing Interface = The tunnel you just made
  • Destination Address = An object with the remote Public IP range
  • Apply any Schedules and Service restrictions and Action = Accept

You now need to enable NAT; this is the bit I missed at first:

  • NAT = On
  • Use Dynamic IP Pool = Select the pool you made in the previous step
  • Add any other settings and then OK to create your first policy

Incoming

  • Create the second policy for Tunnel to Internal
  • Incoming Interface = The tunnel you just made
  • Source Address = An object with the remote Public IP range
  • Outgoing Interface = The internal interface where your server exists
  • Destination Address = The VIP that belongs to the internal server (same as the IP Pool address)
  • Apply any Schedules and Service restrictions and Action = Accept

On this policy you do not need NAT:

  • NAT = Off
  • Add any other settings and then OK to create your second policy
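The same build-out as a FortiOS CLI configuration (added example, not the original post's own config), covering the tunnel, the static route, the IP pool and both policies. It shows the point the post turns on: the outgoing policy carries NAT with the IP pool so the server leaves the tunnel as the public IP, while the incoming policy targets the VIP with NAT off. All names and addresses are constructed placeholders from the RFC 5737 documentation ranges; the interface names wan1 and internal, and the proposal and DH group values, are assumptions for this example.

```fortios
# Added example (not from the original post). Constructed placeholders:
#   203.0.113.10     - our public IP: local Phase 2 subnet, VIP external IP, IP pool address
#   192.168.10.20    - the internal server behind the VIP
#   198.51.100.0/24  - the partner's public range (remote Phase 2 subnet)
#   192.0.2.1        - the partner's VPN gateway
#   wan1 / internal  - WAN and LAN interfaces

# Phase 1: the partner gateway. Replace the pre-shared key placeholder.
config vpn ipsec phase1-interface
    edit "partner-vpn"
        set interface "wan1"
        set remote-gw 192.0.2.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-PRESHARED-KEY"
    next
end

# Phase 2: selectors are the PUBLIC ranges, not the server's internal IP.
config vpn ipsec phase2-interface
    edit "partner-vpn-p2"
        set phase1name "partner-vpn"
        set proposal aes256-sha256
        set src-subnet 203.0.113.10 255.255.255.255
        set dst-subnet 198.51.100.0 255.255.255.0
    next
end

# Static route: send the partner's public range into the tunnel.
config router static
    edit 0
        set dst 198.51.100.0 255.255.255.0
        set device "partner-vpn"
    next
end

# Address objects used by the policies.
config firewall address
    edit "server-internal"
        set subnet 192.168.10.20 255.255.255.255
    next
    edit "partner-public"
        set subnet 198.51.100.0 255.255.255.0
    next
end

# VIP: the partner reaches the server at our public IP.
config firewall vip
    edit "vip-server-public"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.10.20"
    next
end

# IP pool: outbound traffic from the server is source-NATed to the same public IP.
config firewall ippool
    edit "pool-server-public"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Outgoing policy: internal -> tunnel, NAT ON with the pool (the step missed in the post).
config firewall policy
    edit 0
        set name "to-partner-vpn"
        set srcintf "internal"
        set dstintf "partner-vpn"
        set srcaddr "server-internal"
        set dstaddr "partner-public"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-server-public"
    next
end

# Incoming policy: tunnel -> internal, destination is the VIP, NAT OFF.
config firewall policy
    edit 0
        set name "from-partner-vpn"
        set srcintf "partner-vpn"
        set dstintf "internal"
        set srcaddr "partner-public"
        set dstaddr "vip-server-public"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Both policies use service "ALL" only to keep the example short; restrict the service and schedule to what the server actually exchanges with the partner, as the post's “Apply any Schedules and Service restrictions” step says. Without the pool on the outgoing policy, traffic would enter the tunnel from 192.168.10.20, which does not match the Phase 2 selector 203.0.113.10 and is dropped.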

Check that your tunnel is up and try sending some traffic down it:

FortiGate GUI > VPN > Monitor > IPsec Monitor

Screenshots of the Outgoing and Incoming Policies

FortiGate IPsec Outgoing Policy

FortiGate IPsec Incoming Policy


Related Link: Site-to-Site IPSec VPN (Behind Firewall/NAT device)