Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate VPN Integration

    Home FortiNAC-F 7.2.0 FortiGate VPN Integration
    7.2.0
    7.6.0
    7.4.0
    7.2.0

    DNS File Entry Descriptions

    DNS File Entry Descriptions

    /var/named/chroot/etc/domain.zone.vpn is used for managing DNS SRV records for agent communications over all VPN tunnels. This file is modified when the eth1 VPN isolation interface is configured/modified using Configuration Wizard. There is a domain.zone.* file for each FortiNAC Service interface (Isolation, Registration, Remediation, etc). For more details, see DNS Server Configuration in the Administration Guide.


    > cat /var/named/chroot/etc/domain.zone.vpn

    <…>

    $ORIGIN example.com. b._dns-sd._udp PTR @lb._dns-sd._udp PTR @_networksentry._tcp PTR AgentConfig._networksentry._tcp;Insert agent line here; Needs to be here for BN_OTHER_HOSTNAMEAgentConfig._networksentry._tcp SRV 0 0 443 servername.domainname.com. << Mobile Agent SRV response* TXT path=/vpn/agent/config_networksentry._tcp SRV 0 0 443 servername.domainname.com. << Dissolvable Agent SRV response* TXT path=/vpn/agent/config_bradfordagent._udp SRV 0 0 4567 servername.domainname.com. << Persistent Agent SRV response*_bradfordagent._tcp SRV 0 0 4568 servername.domainname.com. << Persistent Agent SRV response**.example.com. IN A 172.16.99.6 ;*.example.com. IN AAAA BN_VPN_6IP

    *Portal SSL Fully-Qualified Host Name configured in the UI under System > Settings > Security > Portal SSL

    Example using Dissolvable Agent:

    1. VPN isolation interface is configured and DHCP scope created with domain example.com.

    2. Configuration Wizard writes example.com to the $ORIGIN entry in domain.zone.vpn file

    3. Endpoint connects to VPN tunnel and obtains DHCP information from VPN SERVER

    4. Dissolvable Agent is downloaded from the Captive Portal and run

    5. Agent sends SRV query for _networksentry._tcp.example.com

    6. Upon receipt of query, FortiNAC searches the domain.zone.* files for a matching domain in the $ORIGIN entry

    7. Since domain example.com matches the entry in domain.zone.vpn, FortiNAC responds to the query with the priority (0 0), port (443) and server name (servername.domainname.com) as specified in the _networksentry._tcp entry

    8. Dissolvable Agent performs certificate check comparing servername.domainname.com to the Portal SSL Certificate securing servername.domainname.com

    Previous
    Next

    DNS File Entry Descriptions

    DNS File Entry Descriptions

    /var/named/chroot/etc/domain.zone.vpn is used for managing DNS SRV records for agent communications over all VPN tunnels. This file is modified when the eth1 VPN isolation interface is configured/modified using Configuration Wizard. There is a domain.zone.* file for each FortiNAC Service interface (Isolation, Registration, Remediation, etc). For more details, see DNS Server Configuration in the Administration Guide.


    > cat /var/named/chroot/etc/domain.zone.vpn

    <…>

    $ORIGIN example.com. b._dns-sd._udp PTR @lb._dns-sd._udp PTR @_networksentry._tcp PTR AgentConfig._networksentry._tcp;Insert agent line here; Needs to be here for BN_OTHER_HOSTNAMEAgentConfig._networksentry._tcp SRV 0 0 443 servername.domainname.com. << Mobile Agent SRV response* TXT path=/vpn/agent/config_networksentry._tcp SRV 0 0 443 servername.domainname.com. << Dissolvable Agent SRV response* TXT path=/vpn/agent/config_bradfordagent._udp SRV 0 0 4567 servername.domainname.com. << Persistent Agent SRV response*_bradfordagent._tcp SRV 0 0 4568 servername.domainname.com. << Persistent Agent SRV response**.example.com. IN A 172.16.99.6 ;*.example.com. IN AAAA BN_VPN_6IP

    *Portal SSL Fully-Qualified Host Name configured in the UI under System > Settings > Security > Portal SSL

    Example using Dissolvable Agent:

    1. VPN isolation interface is configured and DHCP scope created with domain example.com.

    2. Configuration Wizard writes example.com to the $ORIGIN entry in domain.zone.vpn file

    3. Endpoint connects to VPN tunnel and obtains DHCP information from VPN SERVER

    4. Dissolvable Agent is downloaded from the Captive Portal and run

    5. Agent sends SRV query for _networksentry._tcp.example.com

    6. Upon receipt of query, FortiNAC searches the domain.zone.* files for a matching domain in the $ORIGIN entry

    7. Since domain example.com matches the entry in domain.zone.vpn, FortiNAC responds to the query with the priority (0 0), port (443) and server name (servername.domainname.com) as specified in the _networksentry._tcp entry

    8. Dissolvable Agent performs certificate check comparing servername.domainname.com to the Portal SSL Certificate securing servername.domainname.com

    Previous
    Next