Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
herzogk
Staff
Staff

Created on ‎04-22-2020 08:48 AM Edited on ‎08-02-2023 11:12 PM By Moderator

Article Id 197598

Technical Tip: Prevent FortiGate DNS being overwritten by mobile provider DNS from FortiExtender connection

Description

 

This article describes the situation when utilizing a FortiExtender interface for SD-WAN and the mobile ISP DNS is overriding the FortiGate system DNS.

This can be a problem as often DNS servers provided by the mobile carrier only allow connections for carrier clients.
In this case, DNS traffic across all other SD-WAN member interfaces will fail.

This behavior is caused by the ‘set dns-server-override‘ being enabled by default on interface settings and the fact that often a mobile ISP provides services via DHCP.

Solution

 

To correct it, disable this setting under the FortiExtender virtual interface on the FortiGate.
 
Disabling this prevents the interface from using a DNS server acquired via DHCP or PPPoE.

 

config system interface
    edit <name of your FortiExtender interface>
        set dns-server-override disable
end

 

oid.png

6712
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.