FortiGate
vprabhu_FTNT
Staff
Article Id 189779
Description
This article explains how to remove a default configuration item that interferes with normal operation of the device when the item cannot be deleted from the GUI or CLI.
In this case, the item causes the FortiGate to send DNS queries every second.

Solution
Issue Observed:
A FortiGate running firmware 5.6, 6.0 or 6.2 shows a high DNS timeout value under System -> Network -> DNS and constantly sends DNS queries for FQDN objects that are present in the default configuration but are not used or referenced anywhere.

FQDN objects such as softwareupdate.vmware.com are resolved by an internal FortiGate process every second, which can overwhelm the DNS server. This can be verified with the built-in sniffer:
# diagnose sniffer packet any 'port 53' 6 0 l
The FortiGate does not allow these default FQDN objects to be deleted.
Normally it is not possible to delete the unwanted objects under 'config firewall wildcard-fqdn custom', even though they are shown as unreferenced, because they are part of the default configuration.
The workaround is to back up the configuration, delete the unwanted items from the backup file, and restore the edited file, as detailed below:

1) Back up the configuration of the FortiGate unit on the current firmware:
Go to: (Top Right) Admin -> Configuration -> Backup
Save the file to a location on the computer drive. Do not enable encryption of the backup file; an encrypted backup cannot be edited as text.

2) Open the saved configuration in a text editor and search for all occurrences of 'softwareupdate.vmware.com'.
Delete it from the profiles as follows:

Find the configuration line:
# config firewall ssl-ssh-profile
Look for the profile
#     edit "deep-inspection"
and delete the entries in it that reference 'softwareupdate.vmware.com'.

Then look under:
# config firewall wildcard-fqdn custom          <----- enter this search text

and delete all the FQDN objects that are not used in the configuration. Remove each object as a complete 'edit ... next' block, and leave the '#config-version=' header line at the top of the file untouched.

3) Save the edited text file as the new backup.

4) Upload the edited configuration to the FortiGate unit:
Admin -> Configuration -> Restore -> Upload
Select the modified config file.
Click 'OK' to upload. The FortiGate reboots to apply the restored configuration.

Run the sniffer capture again; it should no longer show queries for the deleted objects.
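The editing in step 2 can be scripted so that the whole 'edit ... next' block of an unwanted object, and every ssl-exempt entry under the SSL/SSH profile that references it, are removed together, and the result is checked for leftover references before it is restored. The following Python script is an added example, not part of this article or of any Fortinet tool. The sample configuration embedded in it is constructed in the style of a FortiOS text backup and trimmed to the relevant sections; the table and attribute names it matches on ('firewall wildcard-fqdn custom', 'firewall ssl-ssh-profile', 'ssl-exempt', 'set wildcard-fqdn') follow the article and the standard FortiOS CLI layout, and the script file name in the usage comment is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample in the style of a FortiOS 6.x text backup (not a real
# backup; trimmed to the two sections the article tells you to edit).
SAMPLE_CONFIG = """\
config firewall wildcard-fqdn custom
    edit "adobe"
        set wildcard-fqdn "*.adobe.com"
    next
    edit "softwareupdate.vmware.com"
        set wildcard-fqdn "softwareupdate.vmware.com"
    next
end
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Read-only deep inspection profile."
        config ssl-exempt
            edit 1
                set fortiguard-category 31
            next
            edit 2
                set type wildcard-fqdn
                set wildcard-fqdn "adobe"
            next
            edit 3
                set type wildcard-fqdn
                set wildcard-fqdn "softwareupdate.vmware.com"
            next
        end
    next
end
"""

_CONFIG = re.compile(r"^\s*config\s+(.+?)\s*$")
_EDIT = re.compile(r"^\s*edit\s+(.+?)\s*$")
_END = re.compile(r"^\s*end\s*$")
_NEXT = re.compile(r"^\s*next\s*$")


def _edit_blocks(lines: List[str]) -> List[Tuple[int, int, Tuple[str, ...], str]]:
    """Locate every 'edit ... next' block.

    Returns (start, end, config_chain, edit_id) per block, with 0-based
    inclusive line indexes and config_chain = the enclosing 'config' paths
    from outermost to innermost (FortiOS nests 'config' inside 'edit').
    """
    blocks = []
    stack = []  # ("config", path) or ("edit", edit_id, start_index)
    for i, line in enumerate(lines):
        if m := _CONFIG.match(line):
            stack.append(("config", m.group(1)))
        elif m := _EDIT.match(line):
            stack.append(("edit", m.group(1), i))
        elif _END.match(line):
            while stack and stack[-1][0] != "config":
                stack.pop()  # tolerate an unterminated edit block
            if stack:
                stack.pop()
        elif _NEXT.match(line) and stack and stack[-1][0] == "edit":
            _, edit_id, start = stack.pop()
            chain = tuple(f[1] for f in stack if f[0] == "config")
            blocks.append((start, i, chain, edit_id))
    return blocks


def find_references(config_text: str, name: str) -> List[int]:
    """1-based numbers of all lines that mention the object name in quotes."""
    quoted = f'"{name}"'
    return [i + 1 for i, line in enumerate(config_text.splitlines()) if quoted in line]


def remove_wildcard_fqdn(config_text: str, name: str) -> str:
    """Drop the wildcard-fqdn custom object <name> and every ssl-exempt entry
    of an SSL/SSH profile that references it, then refuse if any other line
    still mentions the name, so a file that references an object it no
    longer defines is never handed to the restore."""
    lines = config_text.splitlines()
    quoted = f'"{name}"'
    ref_line = re.compile(r"^\s*set\s+wildcard-fqdn\s+" + re.escape(quoted) + r"\s*$")
    drop = set()
    for start, end, chain, edit_id in _edit_blocks(lines):
        is_object = bool(chain) and chain[-1] == "firewall wildcard-fqdn custom" and edit_id == quoted
        is_exempt = ("firewall ssl-ssh-profile" in chain and chain[-1] == "ssl-exempt"
                     and any(ref_line.match(l) for l in lines[start:end + 1]))
        if is_object or is_exempt:
            drop.update(range(start, end + 1))
    kept = [line for i, line in enumerate(lines) if i not in drop]
    leftovers = find_references("\n".join(kept), name)
    if leftovers:
        raise ValueError(f"{name} is still referenced on lines {leftovers}; "
                         "remove those references first or keep the object")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    import sys
    # Usage (file name assumed): python3 edit_fgt_backup.py backup.conf softwareupdate.vmware.com > edited.conf
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            sys.stdout.write(remove_wildcard_fqdn(fh.read(), sys.argv[2]))
    else:
        sys.stdout.write(remove_wildcard_fqdn(SAMPLE_CONFIG, "softwareupdate.vmware.com"))
```

Only complete 'edit ... next' blocks are removed, so the '#config-version=' header and every other section pass through unchanged; the leftover check is deliberately conservative and flags any quoted occurrence of the name, including one inside a comment, so that you look at it before restoring. Diff the output against the original backup and confirm that only the intended blocks are gone before uploading it in step 4.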

Note: Editing and restoring a configuration file bypasses the reference checks the CLI performs on deletion, so use this with caution and on a case-by-case basis. Make sure every deleted object has also been removed from all profiles that referenced it before restoring.


