FortiWAN Configurations

Basic domain information

When you register a domain with a domain name registrar, you usually have to assign a DNS/host server name and the corresponding IP address to it. This tells the registrar that the domain is delegated to that specific name server. Assume that the domain example.com is registered with a registrar by specifying "DNS Server Name=ns1.example.com" and "IP address=10.10.10.10": ns1.example.com is the name server responsible (authoritative) for the domain example.com, and its IP address is 10.10.10.10. The TLD authorities use this information to place NS records in the TLD name servers that point to the domain, so that recursive name servers can work out who is really in charge of it. For non-relay mode Multihoming, the FortiWAN device is the name server authoritative for this domain. The DNS server name you use to register the domain can be chosen without restrictions (such as ns1 in the example), but the IP address (10.10.10.10) must be an IP deployed on one of the FortiWAN's WAN links, so that requests for the domain are finally delivered to FortiWAN's Multihoming.

The following settings actually make up the SOA record of the domain in Multihoming.

Domain Name Enter the registered domain name, such as example.com.
TTL Set the TTL (Time to Live) for the domain information.
Responsible Mail Enter an administrator's email address for this domain. Note that Multihoming does not accept the @ symbol; you are required to replace the @ of the email address with a dot ".", such as admin.mail.example.com.
Primary Name Server Enter the hostname of the name server authoritative for this domain. Usually this is the prefix of the DNS Server Name that you specified when registering the domain, such as ns1 for ns1.example.com. Dot characters within the hostname are acceptable, such as abc.ns1 for abc.ns1.example.com or abc.d.ns1 for abc.d.ns1.example.com. The domain name specified above is appended to this hostname automatically by the Multihoming system backend. A hostname that ends with a dot character, such as ns1., is not acceptable.

Note that after the configuration is applied, this primary name server and the corresponding IP addresses (set in the following fields) are automatically added to the domain's NS and A/AAAA records.

IPv4 Address The IPv4 address that you specified for registering the domain, such as 10.10.10.10 in the above example.
IPv6 Address The IPv6 address that you specified for registering the domain, if needed.
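The records that the fields above produce can be modelled directly. The following is an added example, not FortiWAN code: it takes the form fields (Domain Name, TTL, Responsible Mail, Primary Name Server, IPv4/IPv6 Address) and renders the SOA, NS and A/AAAA records the text says the backend generates. The validation rules (one "@" replaced by a dot, no trailing dot on the name-server hostname, domain appended automatically) follow the text; the SOA serial and the refresh/retry/expire/minimum timers are assumed defaults, since the form only exposes the TTL.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Assumed SOA timers in seconds; the configuration form only exposes the TTL.
DEFAULT_REFRESH, DEFAULT_RETRY, DEFAULT_EXPIRE, DEFAULT_MINIMUM = 3600, 900, 1209600, 3600

Record = Tuple[str, int, str, str]  # (owner, ttl, type, rdata)


@dataclass
class DomainConfig:
    """Mirrors the form fields described above (names are this example's own)."""
    domain_name: str                  # Domain Name, e.g. "example.com"
    ttl: int                          # TTL, seconds
    responsible_mail: str             # Responsible Mail, "admin@mail.example.com" or "admin.mail.example.com"
    primary_name_server: str          # Primary Name Server prefix, e.g. "ns1" or "abc.ns1"
    ipv4_address: Optional[str] = None
    ipv6_address: Optional[str] = None
    serial: int = 2024010101          # constructed serial (YYYYMMDDnn convention)


def normalize_mail(mail: str) -> str:
    """Return the SOA RNAME: '@' becomes '.', and a trailing dot marks it fully qualified."""
    if mail.count("@") > 1:
        raise ValueError("mail address may contain at most one '@'")
    rname = mail.replace("@", ".")
    return rname if rname.endswith(".") else rname + "."


def validate_hostname(host: str) -> str:
    """Reject what the form refuses: an empty name, a trailing dot, or empty labels."""
    if not host or host.endswith(".") or any(not label for label in host.split(".")):
        raise ValueError(f"invalid name-server hostname: {host!r}")
    return host


def build_records(cfg: DomainConfig) -> List[Record]:
    """SOA + NS for the apex, plus the A/AAAA records for the name server itself."""
    domain = cfg.domain_name.rstrip(".").lower() + "."
    # The domain is appended to the hostname prefix, as the text describes.
    ns_fqdn = validate_hostname(cfg.primary_name_server).lower() + "." + domain
    soa_rdata = (f"{ns_fqdn} {normalize_mail(cfg.responsible_mail)} "
                 f"{cfg.serial} {DEFAULT_REFRESH} {DEFAULT_RETRY} {DEFAULT_EXPIRE} {DEFAULT_MINIMUM}")
    records: List[Record] = [
        (domain, cfg.ttl, "SOA", soa_rdata),
        (domain, cfg.ttl, "NS", ns_fqdn),
    ]
    # ipaddress raises ValueError on malformed input, so a typo fails here, not in DNS.
    if cfg.ipv4_address:
        records.append((ns_fqdn, cfg.ttl, "A", str(ipaddress.IPv4Address(cfg.ipv4_address))))
    if cfg.ipv6_address:
        records.append((ns_fqdn, cfg.ttl, "AAAA", str(ipaddress.IPv6Address(cfg.ipv6_address))))
    if len(records) == 2:
        raise ValueError("at least one of ipv4_address / ipv6_address is required")
    return records


def render_zone(cfg: DomainConfig) -> str:
    """Zone-file style rendering, one record per line."""
    return "\n".join(f"{owner}\t{ttl}\tIN\t{rtype}\t{rdata}"
                     for owner, ttl, rtype, rdata in build_records(cfg))


if __name__ == "__main__":
    print(render_zone(DomainConfig("example.com", 3600, "admin@mail.example.com",
                                   "ns1", "10.10.10.10")))
```

A useful check after applying the real configuration is to query the FortiWAN's WAN address for the SOA and NS records of the domain and compare them with this rendering: the RNAME must contain no "@", and the NS target must resolve to the WAN-link address you registered.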
DNSSEC

As described previously, Multihoming supports DNSSEC to protect the DNS resource records in the domain. To enable it, configure the following settings.

Enable Check to enable DNSSEC.
Private Key Click the [+] button to generate a DNSSEC private key used to sign the domain. The private key information is then listed. The DNSKEY record and the RRSIG record set for this domain are generated when the domain configuration is applied. (To add multiple keys, click [+] again.)
Signing State of the key: Active or Standby. Keys in the Active state are in use. Keys in the Standby state are not introduced into the zone.
Algorithm Only RSASHA512 is supported. This field is visible only with Administrator permission.
Key Size Only 2048 bits is supported. This field is visible only with Administrator permission.
Key Tag The key ID.
Hash Hash of the public key. Send this hash value to the parent zone to generate the DS record.
Modulus Public modulus of the key pair. This field is visible only with Administrator permission.
PublicExponent Exponent of the public key. This field is visible only with Administrator permission.
PrivateExponent Exponent of the private key. This field is visible only with Administrator permission.
Prime1 Prime number 1 of the key pair. This field is visible only with Administrator permission.
Prime2 Prime number 2 of the key pair. This field is visible only with Administrator permission.
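The Key Tag and Hash fields are derived values, and it helps to see where they come from when you hand the hash to the parent zone. The following added example (not FortiWAN's code) encodes an RSA public key as DNSKEY RDATA, computes the key tag as specified in RFC 4034 Appendix B, and builds the SHA-256 DS record the parent publishes. The exponent and modulus in the demo are tiny constructed values so the arithmetic is checkable by hand; a real key from the form would use the 2048-bit modulus and public exponent shown in the Modulus and PublicExponent fields. The KSK flag value (257) and SHA-256 as the DS digest type are this example's assumptions; the form does not state which it uses.

```python
import hashlib

DNSKEY_FLAGS_KSK = 257   # ZONE + SEP flags: the key whose hash is sent to the parent (assumed)
PROTOCOL = 3             # fixed value required by RFC 4034
ALG_RSASHA512 = 10       # the only algorithm the form offers
DS_DIGEST_SHA256 = 2     # DS digest type (assumed; SHA-1 would be 1)


def rsa_public_key_wire(exponent: int, modulus: int) -> bytes:
    """RFC 3110 wire form: exponent length prefix, exponent, then modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    # One-byte length for short exponents; 0x00 plus two bytes for long ones.
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    return prefix + exp + mod


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return flags.to_bytes(2, "big") + bytes([PROTOCOL, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; this is the value the Key Tag field shows."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, per RFC 4034 section 6."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner: str, rdata: bytes) -> str:
    """The DS record for the parent zone: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner.rstrip('.').lower()}. IN DS {key_tag(rdata)} {algorithm} {DS_DIGEST_SHA256} {digest}"


if __name__ == "__main__":
    # Constructed demo key: exponent 3, modulus 1 (not a real key; keeps the numbers small).
    rdata = dnskey_rdata(DNSKEY_FLAGS_KSK, ALG_RSASHA512, rsa_public_key_wire(3, 1))
    print("key tag:", key_tag(rdata))
    print(ds_record("example.com", rdata))
```

When submitting the hash to the registrar, the key tag in the DS record must match the Key Tag shown for the Active key; a mismatch means the parent's DS points at a key that is not signing the zone, which breaks validation for the whole domain.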

Notice:

  1. You can generate multiple key pairs in batches from the configuration panel. Generally, one key pair is in the Active state and in use, while the other key pairs are in the Standby state, ready for manual key rollover at the appropriate time as determined by your key management policy.
  2. When replacing keys, it is strongly suggested to keep both the new and the old keys in the Active state for at least one TTL period. Once the records signed with the old keys have expired from the caches of external name servers, the old keys can be deleted.
  3. Before deleting DNSSEC keys from your domain, you have to delete the corresponding DS record from the parent zone. Be careful: any mistake in the process of key replacement or deletion might cause DNS queries to your domain to fail.
Posted in Administration Guides, FortiWAN.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
