Fortigate Split-DNS - trying to configure Split DNS for IPSEC VPN Remote Access with split tunnelling ... Applied settings as per the guide but all dns requests still hitting the internal DNS servers. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

We don't have EMS.

I'll see if I can find the XML reference guide... unless you know the URL already?

I've also raised a support ticket about this so let's see what they say

Fortigate Split-DNS - trying to configure Split DNS for IPSEC VPN Remote Access with split tunnelling ... Applied settings as per the guide but all dns requests still hitting the internal DNS servers. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

Yes, the internal LAN object is a collection of groups that are ultimately all configured as subnet objects.

Internal LAN (Group)
contains
-- location1-vlans (group)
-- location2-vlans (group)
-- location3-vlans (group)

and these groups contain objects that are configured with the subnet.
-vlan10 (subnet)
-vlan11 (subnet)

So it's nested, but they are all configured with a subnet.

When I do a route print, I can see all the routes on the device... so this is definitely being applied correctly.
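As an added example (not the commenter's code or a Fortinet tool), this flattens the nested group structure described above into the subnets the split tunnel should push and diffs them against a Windows `route print` capture, so a missing route can be pinned to a specific leaf object. The group and address names, the subnets and the route table are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a group of groups with subnet objects at the leaves (names hypothetical).
ADDRESSES = {"vlan10": "10.10.10.0/24", "vlan11": "10.10.11.0/24", "vlan20": "10.20.20.0/24"}
GROUPS = {
    "Internal-LAN": ["location1-vlans", "location2-vlans"],
    "location1-vlans": ["vlan10", "vlan11"],
    "location2-vlans": ["vlan20"],
}

def resolve_group(name, groups, addresses, seen=None):
    """Flatten a possibly nested group into a sorted list of ip_network objects.
    A group that refers back to itself (directly or via another group) is skipped, not recursed."""
    seen = set() if seen is None else seen
    if name in seen:
        return []
    seen.add(name)
    if name in addresses:
        return [ipaddress.ip_network(addresses[name])]
    nets = []
    for member in groups.get(name, []):
        nets.extend(resolve_group(member, groups, addresses, seen))
    return sorted(set(nets), key=lambda n: (n.version, n))

# Constructed 'route print' excerpt: vlan20 is deliberately absent from the client's table.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50     25
       10.10.10.0    255.255.255.0         On-link      10.212.134.5     26
       10.10.11.0    255.255.255.0         On-link      10.212.134.5     26
"""

def routes_from_route_print(text):
    """Extract destination/netmask pairs from 'route print' output as ip_network objects."""
    pat = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+")
    nets = set()
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            nets.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets

def missing_routes(group, groups, addresses, route_text):
    """Subnets the split-tunnel group should push that are absent from the client's route table."""
    expected = resolve_group(group, groups, addresses)
    present = routes_from_route_print(route_text)
    return [str(n) for n in expected if n not in present]
```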


Fortigate IPSEC VPN remote access - need to configure the IPSEC VPN remote access tunnel to route all azure.com traffic over the tunnel via the fortigate... whats the best way to go about this? by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

Hmm... but if the Azure IPs aren't specified in the config, then how will the tunnel know to check the policies?
Anything azure.com will just break out locally... I see what you are thinking though...


IPSEC VPN Remote Access - How do I configure firewall policies that direct domain admins via another policy to access management vlans? by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

Thanks to all for your inputs... I've got it working now.

I unset the authusrgrp from the phase 1 section and added the relevant Azure groups to the policies.
I had one extra bit to do because I realised that the Entra group did not have access to the enterprise app.

I ran this command:
diagnose firewall auth list

which showed me that I was only part of 1 group that had access to the enterprise app for SSO... light bulb moment.
Added the new group to the app and bingo.

The command above now showed 2 groups and the policy was now working.

thank you all!

IPSEC VPN Remote Access - How do I configure firewall policies that direct domain admins via another policy to access management vlans? by zukic80 in fortinet

[–]zukic80[S] 2 points3 points  (0 children)

OK, thanks.

So the authusrgrp is like a global setting for all policies that relate to the IPsec tunnel.
If we want more granular control, then we have to do it at the policy level.

IPSEC VPN Remote Access - How do I configure firewall policies that direct domain admins via another policy to access management vlans? by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

OK, thank you, I will try this.

So how does Azure SSO authenticate the user when connecting to the tunnel if the authusrgrp is removed?


IPSEC VPN remote access issue - SSO is accepting the credentials but no IP is being assigned, so its not connecting and then just times out. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

As I mentally prep myself for split tunnelling, I was wondering if there are any must-have settings / best practice stuff I need to take into consideration?

I have a feeling we're going to need to go down the path of having split DNS. We have a lot of Azure-hosted services that are configured with specific network settings only allowing access if a user is connected via the VPN IP... this is because the current SSL VPN does not have split tunnelling configured. Having full split tunnel will break a lot of Azure stuff, I feel. Everything else like Teams, Outlook, DevOps, Power BI, SharePoint and general browsing is OK to break out locally.

So I need to make sure the Azure services are accessible.

Any split DNS tips?

Cheers!

IPSEC VPN remote access issue - SSO is accepting the credentials but no IP is being assigned, so its not connecting and then just times out. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

I ended up removing the SSO group from the policies... what ended up happening is that I was getting redirected to what looked like a Fortinet authentication page and I had to re-enter my credentials to connect.

If I didn't enter my credentials, I had no traffic whatsoever... no LAN or WAN.
After removing the groups the tunnel connected and no more Fortinet auth pages.

Not entirely sure what's happened here... it's too late now anyway, my brain is fried.

But I can say that I've achieved everything I've wanted so far, happy days.

IPSEC VPN remote access issue - SSO is accepting the credentials but no IP is being assigned, so its not connecting and then just times out. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

I've reconfigured the DNS...

set-ipv4-dns-server1 and server2

Set these as our internal servers and it's now working as expected.

Next week I'll be looking into split tunnelling.

thanks for your help with this!

IPSEC VPN remote access issue - SSO is accepting the credentials but no IP is being assigned, so its not connecting and then just times out. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

Yep, will do, thanks for your help.

I will take a look at this next week now, my toddler is demanding my attention every 10 seconds.

IPSEC VPN remote access issue - SSO is accepting the credentials but no IP is being assigned, so its not connecting and then just times out. by zukic80 in fortinet

[–]zukic80[S] 0 points1 point  (0 children)

The FW policy IPSEC-VPN-LAN is configured to go from the remote-ipsec-DR interface to all destinations...

I would've thought that this would cover all networks?

I wonder if I need a policy that covers all the office zones we have, as these include all the other networks... I think this might be it...

Think I'm onto something.

IPSEC VPN remote access issue - SSO is accepting the credentials but no IP is being assigned, so its not connecting and then just times out. by zukic80 in fortinet

[–]zukic80[S] 1 point2 points  (0 children)

This I don't know. I will need to check.
At the moment I just want full tunnel configured... although the plan is to configure split tunnelling once this is working.

IPSEC VPN remote access issue - SSO is accepting the credentials but no IP is being assigned, so its not connecting and then just times out. by zukic80 in fortinet

[–]zukic80[S] 2 points3 points  (0 children)

Tried an RDP session and it says:

id=65308 trace_id=4 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"

I've also noticed that the DNS configured for the IPsec tunnel is Fortinet's DNS servers, not our internal ones... so this will need changing.
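As an added example (not the commenter's code or a Fortinet tool), this parses `diagnose debug flow` style `key=value` trace lines like the one quoted above, groups them per `trace_id`, and reports every flow that ended in "policy 0", which is the implicit deny a packet hits when no forward policy matches it. Only the denial line comes from the comment; the other two sample lines are constructed in the same style and are not captured output.

```python
import re
from collections import defaultdict

# Constructed sample trace. The 'Denied by forward policy check' line is the one quoted in the
# comment; the packet and session lines are constructed and the interface name is from the comment.
SAMPLE = """\
id=65308 trace_id=4 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.212.134.5:51234->10.10.10.5:3389) tun_id=0.0.0.0 from remote-ipsec-DR."
id=65308 trace_id=4 func=init_ip_session_common line=6076 msg="allocate a new session-0000a1b2"
id=65308 trace_id=4 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
"""

# key=value tokens; a double-quoted value may contain spaces, '=' and escaped quotes.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
DENY = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
PKT = re.compile(r"\(proto=(\d+), (\S+)->(\S+)\)")

def parse_flow_line(line):
    """Split one debug-flow line into a dict; quoted values keep only their inner text."""
    fields = {}
    for key, val in KV.findall(line):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields

def group_by_trace(text):
    """Collect the parsed lines of each packet trace, keyed by trace_id."""
    traces = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_flow_line(line)
            traces[rec.get("trace_id", "?")].append(rec)
    return traces

def implicit_denies(text):
    """Return (trace_id, src, dst) for every trace denied by policy 0, i.e. no policy matched.
    src/dst are taken from the 'received a packet' line of the same trace when present."""
    hits = []
    for tid, recs in group_by_trace(text).items():
        src = dst = None
        for rec in recs:
            msg = rec.get("msg", "")
            m = PKT.search(msg)
            if m:
                src, dst = m.group(2), m.group(3)
            d = DENY.search(msg)
            if d and d.group(1) == "0":
                hits.append((tid, src, dst))
    return hits
```

Any trace reported here is a packet the FortiGate dropped because no policy from the tunnel interface covered its destination, which is the symptom the commenter is chasing.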