Tag Archives: FortiGate Firewall

FortiGate Next Generation Firewall leverages dedicated security processors and threat intelligence security services from FortiGuard.

Using FortiGate as a DNS Server

How to use a FortiGate as a recursive DNS server

This tutorial describes how to create an unauthoritative primary DNS server using for the local network. The interface mode is recursive so that, if the request cannot be fulfilled, the external DNS forwarders will be queried.

Note. FortiGate as a DNS server also supports TLS and HTTPS connections to a DNS client.

To enable DNS server options in the GUI

  • Go to System > Feature Visibility.
  • Enable DNS Database in the Additional Features section.
  • Click Apply.

To configure FortiGate as a primary DNS server

  • Go to Network > DNS Servers.
  • In the DNS Database table, click Create New.
  • Set Type to Primary.
  • Set View to Shadow.
    If Shadow is selected, only internal users can use it.
  • Enter a DNS Zone.
  • Enter the Domain Name of the zone.
  • Enter the Hostname of the DNS server.
  • Enter the Contact Email Address for the administrator.
  • Disable Authoritative.

Create new DNS entries

  • In the DNS Entries table, click Create New.
  • Choose Type Address (A).
  • Enter the Hostname.
  • Enter the IP Address.
  • Set TTL to Use Zone TTL
  • Enable Status
  • Click OK.

Enable DNS services on an interface

  • In the DNS Service on Interface table, click Create New.
  • Select the Interface for the DNS server, such as LAN.
  • Set the Mode to Recursive.
  • Click OK.

Disable FortiGate SSL Inspection

FortiGate SSL/TLS inspection is the process of intercepting SSL/TLS encrypted Internet communication between the client and the server. Interception can be performed between the sender and the receiver and vice versa (receiver to sender) – it is the same technique used in man-in-the-middle (MiTM) attacks without the consent of both entities.

SSL/TLS Deep Inspection in Practice

When Deep Inspection is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.

In practice, this sometimes leads to unwanted blocking, especially when using self-signed SSL certificates, and the FortiGate behaves like a black box. It is also often found that the connection to the Exchange Server is denied for Outlook clients, with Outlook issuing the following error.

There is a problem with the proxy server’s security certificate.
The name on the security certificate is invalid or does not match the name mail.example.org.
Outlook cannot connect to the proxy server. (Error code 8000000).

To disable the FortiGate SSL Inspection completely, you can create a clone for the Read-only Profile no-inspection under Security Profiles – SSL/SSH Inspection and configure it accordingly.

Under Protocol Port Mapping, an unused port is entered for HTTPS, which means that SSL/TLS Deep Inspection no longer takes place for port 443. Enable the configured custom-no-inspection profile for the corresponding policy. For policies for internal and VPN connections, SSL/TLS deep inspection should not be required.