How to Configure Global DNS Server Address Groups in FortiADC
Description: The config global-dns-server address-group command in FortiADC allows you to configure source and destination IP addresses as matching criteria for DNS policies. The system comes with predefined address groups named any and none.
Before you start, ensure you have read-write permission for global load balancing settings. Once you have configured an address group, you can specify it in the DNS64 and DNS policy configurations.
Syntax
config global-dns-server address-group
    edit <name>
        config member
            edit <No.>
                set action {include|exclude}
                set addr-type {ipv4|ipv6}
                set ip-network <ip&netmask>
                set ip6-network <ip&netmask>
            next
        end
    next
end
Parameters
action: Specify whether addresses matching the specified block are included in the group or excluded from it.
addr-type: Defines the address type as either ipv4 or ipv6. Use ip-network with ipv4 and ip6-network with ipv6.
ip-network: Use address/mask notation (e.g., 192.0.2.0/24) to match the IP address in the packet header. Create objects to match source and destination IPv4 addresses separately. A new member defaults to action include, addr-type ipv4 and ip-network 0.0.0.0/0, so a member whose network is never set matches every IPv4 address.
ip6-network: Address/mask notation for IPv6 (e.g., 2001:db8::/32), used when addr-type is ipv6.
Example Configuration
Below is a step-by-step example that configures two global DNS server address groups, named campus and branch, and then verifies the result.
Step 1: Configure 'campus' Address Group
FortiADC-VM # config global-dns-server address-group
FortiADC-VM (address-group) # edit campus
Add new entry 'campus' for node 2206
FortiADC-VM (campus) # config member
FortiADC-VM (member) # edit 1
Add new entry '1' for node 2209
FortiADC-VM (1) # get
action : include
addr-type : ipv4
ip-network : 0.0.0.0/0
FortiADC-VM (1) # set ip-network 192.0.2.0/24
FortiADC-VM (1) # end
FortiADC-VM (campus) # end
FortiADC-VM #
Step 2: Configure 'branch' Address Group
FortiADC-VM # config global-dns-server address-group
FortiADC-VM (address-group) # edit branch
Add new entry 'branch' for node 2206
FortiADC-VM (branch) # config member
FortiADC-VM (member) # edit 1
Add new entry '1' for node 2209
FortiADC-VM (1) # set ip-network 198.51.100.0/24
FortiADC-VM (1) # end
FortiADC-VM (branch) # end
FortiADC-VM #
Step 3: Verify the Configuration
FortiADC-VM # show global-dns-server address-group
config global-dns-server address-group
    edit "campus"
        config member
            edit 1
                set ip-network 192.0.2.0/24
            next
        end
    next
    edit "branch"
        config member
            edit 1
                set ip-network 198.51.100.0/24
            next
        end
    next
end
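When more than a handful of prefixes have to be typed in, it is easy to mistype a mask, pair an IPv6 prefix with addr-type ipv4, or leave a member at its 0.0.0.0/0 default. The following Python script, added here as an example and not part of the FortiADC product or its documentation, validates a list of (action, prefix) pairs and renders the same config global-dns-server address-group block shown in the steps above, ready to paste into the CLI. The CLI keywords are the ones from the Syntax section; the function names, the indentation and the rule that a prefix must have its host bits cleared are this example's own choices, and it assumes the FortiADC CLI ignores leading whitespace on pasted lines (strip it if yours does not).

```python
"""Render FortiADC `config global-dns-server address-group` blocks from a list of
prefixes, rejecting the mistakes that the CLI would otherwise accept silently.

Added example, not Fortinet code.  Keywords match the page's Syntax section;
helper names and indentation are assumptions of this example."""
import ipaddress

PREDEFINED = {"any", "none"}      # built-in groups named on the page; do not redefine them
ACTIONS = {"include", "exclude"}


def validate_member(action, prefix):
    """Return (action, addr_type, keyword, normalised_prefix) or raise ValueError.

    addr_type/keyword are chosen from the address family, so an IPv6 prefix can
    never be emitted under `set ip-network` with `addr-type ipv4`."""
    if action not in ACTIONS:
        raise ValueError(f"action must be include|exclude, got {action!r}")
    # strict=True rejects prefixes with host bits set (e.g. 192.0.2.1/24), so a
    # typo cannot silently widen the match to the whole containing network.
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        raise ValueError(f"bad prefix {prefix!r}: {exc}") from None
    if net.version == 4:
        return action, "ipv4", "ip-network", str(net)
    return action, "ipv6", "ip6-network", str(net)


def render_address_group(name, members, indent="    "):
    """Render one `edit "<name>"` ... `next` block (without the outer config/end).

    members is an iterable of (action, prefix) tuples and must be non-empty: a
    member created and left at its defaults matches 0.0.0.0/0, so an empty
    group is refused rather than rendered as a match-everything entry."""
    if name in PREDEFINED:
        raise ValueError(f"{name!r} is a predefined group and cannot be configured")
    members = [validate_member(a, p) for a, p in members]
    if not members:
        raise ValueError(f"group {name!r} has no members")
    out = [f'{indent}edit "{name}"', f"{indent * 2}config member"]
    for no, (action, addr_type, keyword, prefix) in enumerate(members, start=1):
        out += [
            f"{indent * 3}edit {no}",
            f"{indent * 4}set action {action}",
            f"{indent * 4}set addr-type {addr_type}",
            f"{indent * 4}set {keyword} {prefix}",
            f"{indent * 3}next",
        ]
    out += [f"{indent * 2}end", f"{indent}next"]
    return "\n".join(out)


def render_config(groups, indent="    "):
    """groups: dict of group name -> list of (action, prefix). Returns the full block."""
    body = [render_address_group(n, m, indent) for n, m in groups.items()]
    return "\n".join(["config global-dns-server address-group", *body, "end"]) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the two groups from the page plus an excluded
    # sub-range and an IPv6 documentation prefix to show the ipv6 branch.
    print(render_config({
        "campus": [("include", "192.0.2.0/24")],
        "branch": [("include", "198.51.100.0/24"),
                   ("exclude", "198.51.100.128/25"),
                   ("include", "2001:db8:1::/48")],
    }))
```

The generator always emits set action and set addr-type explicitly, even where they equal the defaults, so a reviewer reading the rendered block does not have to remember what the CLI fills in; the show output above omits them for exactly that reason.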
Conclusion
By following these steps, you can configure global DNS server address groups in FortiADC and reference them as matching criteria in DNS64 and DNS policies. Check each member before you leave the config member sub-context: as the get output in Step 1 shows, a new member starts as include / ipv4 / 0.0.0.0/0, so a member whose network is never set matches every IPv4 address and will make any policy that uses the group far broader than intended. Confirm the result with show global-dns-server address-group, and make sure you have read-write permission for global load balancing settings before you start.
For more detailed information, please refer to the official FortiADC CLI Reference Guide.