We have a small problem. Our Fortigate 60E firewalls are handling our SSLVPN service. It appears they hand out IP addresses sequentially: host 1 gets .1, host 2 gets .2; host 1 disconnects, host 3 gets .1.
When this happens, host 1 registers .1 with DNS, and in this scenario host 3 does too.
Our problem is that sometimes a single host will connect, say, 3 times in 3 hours, and end up with 3 different DNS entries.
I would think that the NIC would update with a new IP each time it contacts DNS, and keep it at one entry per host name. This is causing trouble for SCCM, which is trying to deliver patches to these machines when they connect to VPN.
Anyone seen this before?
Can anyone reply to this?
I have the exact same problem. You can mess with DNS TTL and aging/scavenging, but that would involve fully segregating the VPN users into new DNS forward and reverse zones. You may also want to look at using a DHCP relay on the VPN interface.
See https://cookbook.fortinet.com/ipsec-vpn-external-dhcp-service/. It's for 5.2, but the concepts still exist in newer versions. I see this in my future when I have time.
A full DHCP server would be smart enough to assign the same address to the same MAC address no matter how often they connect/disconnect.
CISSP, NSE4
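One way to see how bad the stale-record problem is before touching scavenging, as an added example that is not from this thread or from Fortinet: run against a Windows DNS server with the DnsServer module, it lists VPN-pool A records where one host owns several addresses (the reconnect case) and where one pool address is claimed by several hosts (the host 1 / host 3 case). The zone name and VPN pool prefix below are assumed placeholders; only dynamic records (those with a timestamp) are considered, and the removal is a dry run.

```powershell
# Added example (not from the thread): find dynamic A records in a Windows DNS zone
# that conflict because the SSL VPN pool reuses addresses.
param(
    [string]$ZoneName  = 'corp.example.com',  # assumption: your AD-integrated forward zone
    [string]$VpnPrefix = '10.212.134.',       # assumption: the SSL VPN address pool (/24)
    [int]$StaleDays    = 1                    # records older than this are candidates for cleanup
)

# Dynamic (timestamped) A records inside the VPN pool; static records are left alone.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp -and
                   $_.RecordData.IPv4Address.IPAddressToString.StartsWith($VpnPrefix) }

# Case 1 from the thread: a host that reconnected several times and now owns several A records.
$multiIp = $records | Group-Object HostName | Where-Object Count -gt 1
foreach ($g in $multiIp) {
    $newest = ($g.Group | Sort-Object Timestamp -Descending)[0]
    Write-Output ("{0}: {1} A records; newest is {2} ({3:u})" -f $g.Name, $g.Count,
        $newest.RecordData.IPv4Address, $newest.Timestamp)
    $g.Group |
        Where-Object { $_.Timestamp -lt $newest.Timestamp -and
                       $_.Timestamp -lt (Get-Date).AddDays(-$StaleDays) } |
        ForEach-Object {
            # -WhatIf keeps this a dry run; remove it to actually delete the stale records.
            Remove-DnsServerResourceRecord -ZoneName $ZoneName -InputObject $_ -Force -WhatIf
        }
}

# Case 2 from the thread: the same pool address registered by two different hosts.
$sharedIp = $records |
    Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object Count -gt 1
foreach ($g in $sharedIp) {
    $hosts = ($g.Group.HostName | Sort-Object -Unique) -join ', '
    Write-Output ("{0} is claimed by: {1}" -f $g.Name, $hosts)
}
```

Run it on (or with -ComputerName against) the DNS server; the second report is the one that explains SCCM reaching the wrong machine, since a name lookup can return an address now held by a different VPN client.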
Thanks for the info and confirmation!