bhpark
New Member
November 11, 2021
Question

Blocking method when using FQDN filtering.


Hi,

Does anyone know how FortiGate works if it is blocked using FQDN filtering?

For example, VMware NSX-T Firewall works by blocking the destination IP through DNS snooping.

Even when I look for related documents, I can't find an explanation of how they are blocked, so I am asking for help here.

Thanks,

    1 reply

    emnoc
    New Member
    November 11, 2021

    Not quite understanding the solution that you have, but you have the following that is going to use DNS:

    the firewall IPv4 and IPv6 address objects that can be enabled as type FQDN, and DNS filtering.

    With the former, the FortiGate looks up any object, caches the addresses that match the FQDN's type A resource records, and if traffic matches that IP address it is permitted or denied based on the rule in your FortiGate.

    e.g.

    config firewall policy
        edit 10
            set uuid 25bb47b4-17d7-51ec-af61-6b8089529356
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "www.example.com"
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end

    SOCPUPFGT02 # diag firewall fqdn list | grep www.ex
    www.example.com: ID(49) ADDR(93.184.216.34)


    So in this case you need a working DNS server in order to resolve A and AAAA records to their respective IPv4 and IPv6 addresses. Also, when you have multiple IP addresses for a single A record it will resolve all IPv4s.

    e.g.

    SOCPUPFGT02 # diag firewall fqdn list | grep login.windows.net
    login.windows.net: ID(140) ADDR(40.126.28.12) ADDR(40.126.28.18) ADDR(40.126.28.19) ADDR(40.126.28.20) ADDR(40.126.28.21) ADDR(40.126.28.22) ADDR(40.126.7.32) ADDR(40.126.7.35)


    supports-MacBook-Pro:Downloads ken$ host -t a login.windows.net
    login.windows.net is an alias for a.privatelink.msidentity.com.
    a.privatelink.msidentity.com is an alias for prda.aadg.msidentity.com.
    prda.aadg.msidentity.com is an alias for www.tm.a.prd.aadg.akadns.net.
    www.tm.a.prd.aadg.akadns.net has address 40.126.28.18
    www.tm.a.prd.aadg.akadns.net has address 40.126.28.12
    www.tm.a.prd.aadg.akadns.net has address 40.126.28.20
    www.tm.a.prd.aadg.akadns.net has address 40.126.28.22
    www.tm.a.prd.aadg.akadns.net has address 40.126.7.35
    www.tm.a.prd.aadg.akadns.net has address 40.126.7.32
    www.tm.a.prd.aadg.akadns.net has address 40.126.28.19
    www.tm.a.prd.aadg.akadns.net has address 40.126.28.21

    On DNS filter, read the following:

    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/605868/dns-filter

    BTW, all modern firewalls work the same as the above.

    Ken Felix
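As an added example (not part of the thread, and not Fortinet's code), the Python below models the behaviour Ken describes: it parses the `diag firewall fqdn list` format quoted in the reply into a per-FQDN address cache, checks whether a given destination IP would match an FQDN-based policy, and lists addresses a client's own `host -t a` lookup returned that the firewall has not cached (the case where the policy silently does not apply because firewall and client saw different DNS answers). The sample inputs are constructed from the values in the post, with the login.windows.net set shortened.

```python
import ipaddress
import re

# Constructed sample of `diag firewall fqdn list` output, using values quoted in
# the reply above (not live lookups; the login.windows.net set is shortened).
FQDN_LIST_OUTPUT = """\
www.example.com: ID(49) ADDR(93.184.216.34)
login.windows.net: ID(140) ADDR(40.126.28.12) ADDR(40.126.28.18) ADDR(40.126.7.32)
"""

# Constructed sample of a client-side `host -t a` answer for the same name.
CLIENT_HOST_OUTPUT = """\
login.windows.net is an alias for a.privatelink.msidentity.com.
www.tm.a.prd.aadg.akadns.net has address 40.126.28.18
www.tm.a.prd.aadg.akadns.net has address 40.126.28.21
"""

FQDN_LINE_RE = re.compile(r"^(?P<fqdn>[\w.-]+): ID\(\d+\)((?: ADDR\([0-9a-fA-F.:]+\))+)$")
ADDR_RE = re.compile(r"ADDR\(([0-9a-fA-F.:]+)\)")
HOST_LINE_RE = re.compile(r"has (?:IPv6 )?address ([0-9a-fA-F.:]+)$")


def parse_fqdn_cache(output):
    """Parse the FortiGate FQDN cache dump into {fqdn: {ip_address, ...}}."""
    cache = {}
    for line in output.splitlines():
        m = FQDN_LINE_RE.match(line.strip())
        if m:
            cache[m.group("fqdn")] = {ipaddress.ip_address(a) for a in ADDR_RE.findall(line)}
    return cache


def policy_matches(cache, fqdn_object, dst_ip):
    """The behaviour the reply describes: the policy applies only when the
    destination IP is one of the addresses currently cached for the FQDN object."""
    return ipaddress.ip_address(dst_ip) in cache.get(fqdn_object, set())


def uncached_client_answers(cache, fqdn_object, host_output):
    """Addresses the client resolved that the firewall has NOT cached. Traffic to
    these bypasses the FQDN policy (different resolver or round-robin answers)."""
    client_ips = {ipaddress.ip_address(m.group(1))
                  for m in map(HOST_LINE_RE.search, host_output.splitlines()) if m}
    return client_ips - cache.get(fqdn_object, set())


if __name__ == "__main__":
    cache = parse_fqdn_cache(FQDN_LIST_OUTPUT)
    print(policy_matches(cache, "www.example.com", "93.184.216.34"))
    print(sorted(map(str, uncached_client_answers(cache, "login.windows.net", CLIENT_HOST_OUTPUT))))
```

Comparing the firewall's cached set against what clients actually resolve is the check to run when an FQDN-based deny rule appears not to apply.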