Trying to set up a VPN link from a cloud based T20 to a Fortinet Cloud firewall.
We can get the tunnel established and traffic is flowing fine, however we’re having issues trying to get DNS working across the link.
If we set a static DNS server on a client, then it works fine, but for whatever reason we can’t get it to work using the firebox as the DNS server.
Have run through the hoops with Watchguard Support who have checked the Watchguard side config and the setup of the BOVPN including the virtual IP helpers. They’ve run various packet captures and can verify DNS traffic is going across the link as it should, but is then not getting returned correctly from the Fortinet side.
Understandably they won’t touch the Fortinet side of things - but instead refer to a setup guide which apparently doesn’t match on the Fortinet side. To make things more complex our Fortinet system is managed by an external vendor. They’ve also reached out to their own Fortinet support on their side, but aren’t getting much traction either.
So has anyone successfully linked these two devices together, and gotten DNS working across the tunnel? If so what specifically was required on the Fortinet side to get this happening?
Have you tried using the WSM instead of the Cloud? I’ve made plenty of Fireboxes work with Fortigate devices, but I must admit, never with the Cloud.
Cloud managed WatchGuards are terrible, and most likely your issue. It seems like they are missing a lot of features.
I build site to site tunnels all the time between WatchGuard and FortiGate devices, but always with locally managed WatchGuards.
On the Fortinet side, are your phase 2 selectors 0.0.0.0/0 or do you match the subnets of the WatchGuard? If you are doing BOVPN on the WG you will need to use the WatchGuard phase 2 selectors but reversed, and if you are doing BOVPN Virtual Interface you will need to use 0.0.0.0/0.
I’ve also seen where the WG will NAT traffic as its external interface for traffic sourced as the WatchGuard on the tunnel, and you will need to enable the setting to allow you to create policies for Firebox-originated traffic, and then create a policy for traffic from Firebox to the remote IP address and NAT that traffic as the IP of the WG.
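The two selector layouts described above, as an added FortiOS CLI example that is not from the poster or from either vendor's documentation; the tunnel names and subnets (10.10.0.0/16 behind the WatchGuard, 10.20.0.0/16 behind the FortiGate) are constructed placeholders, and the command syntax is written from memory rather than taken from this thread.

```fortios
# Case 1: WatchGuard is a classic BOVPN with explicit tunnel routes.
# The FortiGate phase 2 selectors must be the WatchGuard's, reversed:
# WG local 10.10.0.0/16 -> remote 10.20.0.0/16 becomes
# FortiGate src 10.20.0.0/16 -> dst 10.10.0.0/16.
config vpn ipsec phase2-interface
    edit "to-watchguard-p2"
        set phase1name "to-watchguard"
        set src-subnet 10.20.0.0 255.255.0.0
        set dst-subnet 10.10.0.0 255.255.0.0
    next
end

# Case 2: WatchGuard is a BOVPN Virtual Interface (route-based).
# Both selectors are 0.0.0.0/0 and routing, not the selector, decides
# what enters the tunnel; a narrow selector here causes the mismatch.
config vpn ipsec phase2-interface
    edit "to-watchguard-p2"
        set phase1name "to-watchguard"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Either way, the DNS reply path needs a policy from the internal
# interface back into the tunnel interface, or replies are dropped.
config firewall policy
    edit 0
        set name "lan-to-watchguard"
        set srcintf "internal"
        set dstintf "to-watchguard"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end
```

If the WatchGuard side is sending DNS from its external IP or a virtual IP helper address, that address (not just the LAN subnet) has to be covered by the Case 1 dst-subnet and by the inbound policy, which is a common reason queries arrive but replies never come back.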
Have the same issue with WG to Forti. The exact same, even with the Forti being managed by a 3rd party MSP. Are you saying the virtual IPs haven’t helped? We haven’t tried that yet, but did have the same scenario WG to WG recently (cloud managed to locally managed WatchGuards) and the virtual IP did fix that one.
I have not - though I did think about it. The weird BOVPN setup with the IP helpers etc. seems to be specifically a cloud based thing.
WG Support seemed to indicate that it should work just fine though with the correct config on the Fortinet side, but they just couldn’t advise what exactly would be required config wise.
For us though - the cloud management and visibility into the device is quite important as lots of these devices are located at small sites with no onsite support.
In theory, I agree, it should work. However, I’ve had issues with the new BOVPN Virtual Interfaces not NATing the DNS traffic if it wasn’t configured perfectly and I assume that’s what the Cloud configuration is doing.
It does sound like it would be an issue on the Fortigate side though.
I manage almost 400 devices, none of which are Cloud configured, just Cloud reporting. Lock down the WSM policy to just your public IP and you should be fine for remote managing.