rk1 (Staff)
June 30, 2021

Technical Tip: FQDN based firewall policies are not working intermittently


Description

 

This article describes how to troubleshoot FQDN address objects used in firewall policies when traffic intermittently fails to match those policies.

 

Scope

 

FortiGate.

Solution

 

When a firewall policy uses an FQDN-based destination address object, traffic from LAN to WAN should match that policy whenever the other fields (interfaces, source, service, schedule) also match. The object itself matches only the IP addresses the FortiGate currently holds in its DNS cache for that name: if the client resolved the name to an address the FortiGate has not cached, the packet's destination is not in the object, the flow does not match, and it falls through to the next policy in the sequence.

If traffic is not hitting the expected FQDN-based firewall policy, follow the steps below:

 

  1. Check whether the FortiGate itself can resolve the domain, and inspect the addresses it has cached for the FQDN object.

     On firmware before v7.0, list the FQDN cache with:

     diagnose firewall fqdn list

     On v7.0 and later, that command was split into per-type sub-commands (list-all covers both IP and MAC FQDNs):

     diagnose firewall fqdn ?
     list-ip        List IP FQDN.
     list-mac       List MAC FQDN.
     list-all       List FQDN.
     getinfo-ip     Get info of IP FQDN address
     getinfo-mac    Get info of MAC FQDN address
     get-ip         Get and display one IP FQDN address.
     get-mac        Get and display one MAC FQDN address.

     The dnsproxy daemon, which performs the lookups for FQDN objects, can be queried with 'diagnose test application dnsproxy'; without an argument it prints the available test options.
 

Dump the dnsproxy cache (test option 6) to see, per VDOM (vfid) and name, the addresses the FortiGate holds and their remaining TTLs:

 

   diagnose test application dnsproxy 6

 

Example output:

 

vfid=0 name=login.windows.net ver=IPv4 wait_list=0 timer=17 min_ttl=20 cache_ttl=0 slot=-1 num=26 wildcard=0
         20.190.160.131 (ttl=245:0:0) 20.190.160.5 (ttl=245:0:0) 40.126.32.140 (ttl=245:0:0) 20.190.160.128 (ttl=245:0:0) 20.190.160.65 (ttl=245:0:0)         
vfid=3 name=login.windows.net ver=IPv4 wait_list=0 timer=17 min_ttl=20 cache_ttl=0 slot=-1 num=26 wildcard=0
         20.190.160.131 (ttl=245:0:0) 20.190.160.5 (ttl=245:0:0) 40.126.32.140 (ttl=245:0:0) 20.190.160.128 (ttl=245:0:0) 20.190.160.65 (ttl=245:0:0)
         20.190.160.3 (ttl=245:0:0) 40.126.32.138 (ttl=196:0:0) 20.190.160.20 (ttl=196:0:0) 20.190.160.132 (ttl=196:0:0) 20.190.160.17 (ttl=196:0:0) 20.190.160.4 (ttl=196:0:0) 
vfid=0 name=login.microsoft.com ver=IPv4 wait_list=0 timer=49 min_ttl=0 cache_ttl=0 slot=-1 num=26 wildcard=0
         40.126.32.68 (ttl=282:0:0) 20.190.160.4 (ttl=282:0:0) 20.190.160.17 (ttl=282:0:0) 20.190.160.20 (ttl=282:0:0) 40.126.31.67 (ttl=272:40:40)
         40.126.31.1 (ttl=272:40:40) 20.190.159.128 (ttl=272:40:40) 20.190.159.64 (ttl=272:40:40) 40.126.31.69 (ttl=272:40:40) 40.126.31.71 (ttl=272:40:40) 20.190.159.130 (ttl=272:40:40)

 

  2. If the FortiGate can resolve the name, check that the DNS servers configured on the FortiGate and on the client machine are the same.
  3. If they differ, point the FortiGate or the client machine at the same DNS server, flush the client's DNS cache (for example 'ipconfig /flushdns' on Windows) and check whether the issue is resolved.
  4. If the issue persists with identical DNS server settings on both sides and the destination FQDN resolves to a different IP very frequently, try a wildcard FQDN object instead of the full FQDN.
  5. Sometimes the default TTL (time-to-live) of the DNS record is very small, so the endpoint and the FortiGate may hold different IPs at a given moment even when they use the same DNS servers. In that case, increase the cache-ttl value for that FQDN object on the FortiGate:

 

config firewall address
    edit "example.com"
        set type fqdn
        set fqdn "example.com"
        set cache-ttl 86400    <----- 0 - 86400 in seconds, where 0 means default.
    next
end

 

If cache-ttl is left at 0 (the default), the per-object value is ignored and the global dns-cache-ttl under 'config system dns' (default 1800 seconds) applies.
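The check in steps 2 to 5 amounts to comparing what the client resolved with what the FortiGate has cached. The following script is an added example (not a tool from the article or from Fortinet): it parses the format of the 'diagnose test application dnsproxy 6' dump shown above, reports client-resolved addresses that are absent from the FortiGate's cache for a name and VDOM, and lists names whose cached addresses are about to expire, which are the candidates for a larger cache-ttl. The sample dump is constructed from two entries of the output above, trimmed to a few addresses; the client answers are made up for the demonstration.

```python
"""Parse a FortiGate 'diagnose test application dnsproxy 6' dump and check
whether the address a client resolved is one the FortiGate has cached.
If it is not, traffic to that address cannot match the FQDN-based policy."""
import re

# Constructed sample input: two entries taken from the dump quoted in the
# article, trimmed to a few addresses each. Not a live capture.
SAMPLE_DUMP = """\
vfid=0 name=login.windows.net ver=IPv4 wait_list=0 timer=17 min_ttl=20 cache_ttl=0 slot=-1 num=26 wildcard=0
         20.190.160.131 (ttl=245:0:0) 20.190.160.5 (ttl=245:0:0) 40.126.32.140 (ttl=245:0:0)
vfid=0 name=login.microsoft.com ver=IPv4 wait_list=0 timer=49 min_ttl=0 cache_ttl=0 slot=-1 num=26 wildcard=0
         40.126.32.68 (ttl=282:0:0) 20.190.160.4 (ttl=282:0:0) 40.126.31.67 (ttl=272:40:40)
"""

# One header line per cached name; vfid is the VDOM index.
HEADER_RE = re.compile(
    r"^vfid=(?P<vfid>\d+) name=(?P<name>\S+) .*?"
    r"min_ttl=(?P<min_ttl>\d+) cache_ttl=(?P<cache_ttl>\d+)"
)
# Address entries follow as "A.B.C.D (ttl=remaining:x:y)"; the first number
# is the remaining TTL in seconds.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) \(ttl=(\d+):\d+:\d+\)")


def parse_dnsproxy_dump(text):
    """Return {(vfid, fqdn): {"min_ttl": int, "cache_ttl": int, "addrs": {ip: ttl}}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (int(m["vfid"]), m["name"].lower().rstrip("."))
            entries[current] = {
                "min_ttl": int(m["min_ttl"]),
                "cache_ttl": int(m["cache_ttl"]),
                "addrs": {},
            }
            continue
        if current is not None:
            for ip, ttl in ADDR_RE.findall(line):
                entries[current]["addrs"][ip] = int(ttl)
    return entries


def missing_from_cache(entries, vfid, fqdn, client_ips):
    """Client-resolved IPs the FortiGate does not hold for this name in this VDOM.
    A flow to any of these destinations falls through the FQDN-based policy."""
    entry = entries.get((vfid, fqdn.lower().rstrip(".")))
    cached = set(entry["addrs"]) if entry else set()
    return set(client_ips) - cached


def policy_can_match(entries, vfid, fqdn, client_ip):
    """True when the client's destination IP is in the FortiGate's cache for fqdn."""
    return not missing_from_cache(entries, vfid, fqdn, [client_ip])


def short_lived_names(entries, threshold=60):
    """Names whose cached addresses all expire within `threshold` seconds:
    candidates for a larger per-object cache-ttl."""
    return sorted(
        name
        for (_vfid, name), e in entries.items()
        if e["addrs"] and max(e["addrs"].values()) < threshold
    )


if __name__ == "__main__":
    cache = parse_dnsproxy_dump(SAMPLE_DUMP)
    # Made-up client answer: one address the FortiGate has, one it lacks.
    client_answers = ["20.190.160.5", "20.190.160.99"]
    print("missing from FortiGate cache:",
          missing_from_cache(cache, 0, "login.windows.net", client_answers))
    print("short-lived names:", short_lived_names(cache, threshold=300))
```

In practice, paste the real dump into SAMPLE_DUMP (or read it from a file) and feed the client's answers from 'nslookup' or 'dig' on the affected host; any address reported as missing is one for which the policy cannot match until the FortiGate refreshes its cache.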


About wildcard FQDNs:

  • Support for wildcard FQDN addresses in firewall policy has been included in v6.2.2.
  • When the wildcard FQDN has been configured, it will show as an unresolved FQDN in the firewall address list.
  • As compared to the standard FQDNs, the wildcard FQDN does not use system DNS settings under Network -> DNS.
  • The wildcard FQDN cache is populated only from DNS queries made by hosts behind the FortiGate whose DNS traffic passes through it: when a response matches the wildcard, the answered IP address is added to the cache for that object. Make sure the clients' DNS traffic actually traverses the FortiGate.
  • DNS over HTTPS is not supported, so clients resolving over DoH do not populate the wildcard cache and their traffic will not match the policy.
  • From v7.0, DNS over TLS is supported provided a firewall policy allows the DNS traffic and is configured with DNS Filter and deep packet inspection.
  • Note that the DNS-UDP session helper is configured by default. If an administrator removes the DNS-UDP session helper, wildcard FQDNs will not be resolved when devices behind FortiGate attempt DNS queries.

 

config system session-helper
...
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
end
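A wildcard FQDN object wired into a policy, as an added example rather than configuration from the article. The object name, policy names, the interface names (port2 facing the LAN, port1 facing the WAN) and the domain are assumptions. A policy permitting the clients' DNS is included because, as noted above, the wildcard cache is only populated from DNS queries that traverse the FortiGate:

```fortios
config firewall wildcard-fqdn custom
    edit "wc-login-microsoft"
        set wildcard-fqdn "*.login.microsoft.com"
    next
end
config firewall policy
    edit 9
        set name "lan-dns-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
    next
    edit 10
        set name "lan-to-login-microsoft"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "wc-login-microsoft"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Until a client behind port2 has queried a name under login.microsoft.com through the FortiGate, the object holds no addresses and policy 10 matches nothing; that is the expected state, not a fault.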

 
Technical issues:
In some rare cases a software defect can prevent FQDNs from being applied correctly in policies.
For example, proxy policy mismatches were reported on FortiProxy versions 7.2.13 and 7.4.9 after new FQDNs were pushed to the configuration by automation scripts.
The new FQDNs were resolved correctly by the system (as seen with 'diagnose firewall fqdn list-ip' and 'diagnose test app dnsproxy 6') but were not loaded into the wad process (as seen with 'diagnose test app wad 106').
 
The workaround in such a case is to restart the wad process with the command below. Note that this restarts all wad workers, so proxied sessions in flight are dropped; schedule it accordingly.
 
diagnose test application wad 99
 
To debug the issue, share the output of the following commands with Technical Support.
 
fnsysctl date
diagnose firewall fqdn list-ip
diagnose test app dnsproxy 6
diagnose test app dnsproxy 7
diagnose debug enable
diagnose test app wad 2200
diagnose test app wad 106
diagnose wad stats worker
 