Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
0skarprez
New Contributor

block internet access in domain Controller

Hi all, 

 

I hope you can help me. I am kind of new to Fortigate and networks. I was asked to disable internet access on our Domain Controller, so I thought "that is easy" and configured a rule to block internal interface - DC IP address from reaching wan1 (internet), and it worked, but the thing now is that all domain computers are not able to access the internet either. Any suggestions?

 

best regards

ede_pfau
Esteemed Contributor III

I bet you have "a.b.c.0/24" as source address in the DENY policy. That will be effective for the whole LAN.

For a single host, use "a.b.c.d/32".

If that doesn't solve it, please post your policy here for review.

 

And of course "it's easy" :)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
lobstercreed

I would guess that the LAN clients didn't truly lose internet but lost DNS because your domain controller is the DNS server for your LAN clients and your block prevents it from doing recursive lookups to whatever DNS servers it is designed to talk to. 

 

Either that or Ede was right and you set up the source address wrong, but I'm giving you the benefit of the doubt ;) You can test if I'm right by trying to ping an Internet IP address like 8.8.8.8 from one of the LAN clients, then trying to ping www.google.com.

If I'm right, the former will work but the latter will break due to the inability to resolve it. If so, you can fix this by adding a policy above your block policy that allows just DNS outbound from the domain controller, and that should fix your issue. Alternatively you can give your LAN clients different DNS servers, but that breaks some internal things so I wouldn't recommend it in an Active Directory environment.
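To make the two diagnoses in this thread concrete (a /24 instead of a /32 source object, and the DC needing DNS through the block because clients resolve names via the DC), here is an added Python model of FortiGate-style top-down first-match policy evaluation; it is not code from the forum or from Fortinet, and the LAN, DC and client addresses and the interface names are assumed.

```python
from ipaddress import ip_address, ip_network

# Added example, not FortiGate code: a minimal first-match evaluator modelled
# on a FortiGate policy table (srcintf, dstintf, srcaddr, service, action).
# Addresses are constructed for the demo; the real LAN/DC values are not on the page.
LAN = "192.168.1.0/24"
DC_IP = "192.168.1.10"       # assumed domain controller / LAN DNS server
CLIENT_IP = "192.168.1.50"   # assumed domain workstation

def policy(srcaddr, service, action):
    """One internal -> wan1 policy entry; service 'ALL' matches any service."""
    return {"srcintf": "internal", "dstintf": "wan1",
            "srcaddr": srcaddr, "service": service, "action": action}

def evaluate(policies, srcintf, dstintf, src, service):
    """Return the action of the first matching policy (top-down, like the FGT);
    a flow that matches nothing hits the implicit deny."""
    src = ip_address(src)
    for pol in policies:
        if (pol["srcintf"], pol["dstintf"]) != (srcintf, dstintf):
            continue
        if src not in ip_network(pol["srcaddr"]):
            continue
        if pol["service"] not in ("ALL", service):
            continue
        return pol["action"]
    return "deny"

def outcomes(policies):
    """Actions for the three flows the thread cares about."""
    return {
        "client_http": evaluate(policies, "internal", "wan1", CLIENT_IP, "HTTP"),
        "dc_http":     evaluate(policies, "internal", "wan1", DC_IP, "HTTP"),
        "dc_dns":      evaluate(policies, "internal", "wan1", DC_IP, "DNS"),
    }

def client_can_browse(policies):
    """Clients resolve names through the DC, so browsing needs both the client's
    own outbound access and the DC's recursive DNS lookups to be allowed."""
    o = outcomes(policies)
    return o["client_http"] == "accept" and o["dc_dns"] == "accept"

# 1. Suspected mistake: deny with the whole /24 as source, above the LAN allow.
broken = [policy(LAN, "ALL", "deny"), policy(LAN, "ALL", "accept")]
# 2. Ede's fix: a /32 host object so only the DC is denied.
host_only = [policy(DC_IP + "/32", "ALL", "deny"), policy(LAN, "ALL", "accept")]
# 3. lobstercreed's fix on top: DNS from the DC allowed above the deny.
with_dns = [policy(DC_IP + "/32", "DNS", "accept")] + host_only
```

Run `outcomes()` and `client_can_browse()` on each of the three tables: only the third one keeps the DC off the web while leaving the workstations with working name resolution.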

ede_pfau
Esteemed Contributor III

@lobstercreed:

the obvious skipped me, thanks. You're probably right.

 

One hint though:

I would not allow the DC to contact an external DNS. Rather, configure the DC to ask the FGT for external names. Only the FGT knows at least one reliable DNS, namely the provider's DNS. DNS is security relevant, no host on a protected LAN should be able to contact arbitrary DNS in the world.

 

There are numerous posts on the forums on how to configure the FGT to offer DNS on its LAN interface. The DC would be the DNS for the clients, type 'recursive', and escalate requests for foreign hosts to the FGT.

If that is not clear to you, please post again and we'll post it here.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
0skarprez

Thanks to all of you for your comments. Actually I did what @lobstercreed mentioned: I configured a policy to allow only DNS to the DC server, and it worked.

All computers in my domain have the DC IP address as DNS, and the DC has its own IP address as DNS and 8.8.8.8 as the secondary, so your suggestion is to remove that 8.8.8.8 and configure the FortiGate to offer that service?

 

best regards

ede_pfau
Esteemed Contributor III

Yes, absolutely. Most of the installations I know use either PPPoE or DHCP to connect to the ISP, so they are assigned a "well known" DNS which they can trust. If you do too, make sure that in the wan interface setup you enable "Override system DNS" to assign the DNS dynamically.

 

In many networks I block DNS from the LAN to WAN, as clients should use the FGT (or rather the DC, and the DC uses the FGT as a last resort). Misconfigured clients will report quickly to the admin...

 

Quad8 DNS is reported to be collecting a lot of information. If you want to use a public DNS, use quad9 (9.9.9.9 or 9.9.9.10) instead.


Ede

"Kernel panic: Aiee, killing interrupt handler!"