FortiGate
msanjaypadma
Staff
Article Id 360237
Description

This article describes how to reach multiple sites that share the same domain name (a wildcard FQDN) through SSL VPN split tunneling.

Scope

FortiGate.

Solution

To meet this requirement, follow the steps outlined below:

  1. Set up SSL VPN settings. For additional details, refer to the article below: SSL VPN full tunnel for remote user

 

1.PNG

  2. Go to VPN -> SSL-VPN Portals, select an SSL VPN portal, enable split tunneling, and leave the Routing Address field blank.

 

2.PNG

  3. To configure a wildcard FQDN, navigate to Policy & Objects -> Addresses and create a new address object. Make sure to specify the wildcard in the appropriate format (e.g., `*.yourdomain.com`) for the FQDN.

 

3.PNG

In this scenario, the wildcard FQDN is configured as '*.dropbox.com'.

 

  4. To configure a firewall policy, navigate to Policy & Objects -> Firewall Policy and select 'Create New'. Set up the rule to apply from the ssl.root interface to the desired exit interface (in the example below, it is configured as port1). Specify the source details and the user group information, and for the destination, use the wildcard FQDN. Refer to the snapshot below for further details.

 

4.PNG

  5. Create a DNS traffic policy so that the DNS queries of SSL VPN users flow through the FortiGate. Make sure the destination field is configured with only the DNS server IP address.

9.PNG
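The same configuration expressed in the FortiOS CLI, as an added example that is not part of the original article: steps 2 through 5 above in one script. The object names (`wildcard-dropbox`, `dns-server`, `sslvpn-users`, the policy names) are assumptions chosen for illustration; `SSLVPN_TUNNEL_ADDR1` and the `full-access` portal are FortiOS defaults, `*.dropbox.com` is the article's example, and `dns-server` is assumed to be an ordinary address object holding only the DNS server IP, as step 5 requires. Lines starting with `#` are explanatory comments.

```fortios
# Step 3: wildcard FQDN address object ("*.dropbox.com" is the article's example)
config firewall wildcard-fqdn custom
    edit "wildcard-dropbox"
        set wildcard-fqdn "*.dropbox.com"
    next
end

# Step 2: split tunneling enabled with no routing address, so the client's
# split-tunnel routes are derived from the destinations of the SSL VPN policies
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

config firewall policy
    # Step 4: ssl.root -> port1 with the wildcard FQDN as destination
    # ("sslvpn-users" is an assumed user group already mapped to the portal)
    edit 0
        set name "sslvpn-to-dropbox"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "wildcard-dropbox"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    # Step 5: DNS policy whose destination is only the DNS server address
    # ("dns-server" is an assumed address object containing that single IP)
    edit 0
        set name "sslvpn-dns"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "dns-server"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
end
```

The `wildcard-fqdn custom` object type and its use as a policy destination are the FortiOS 6.2-and-later form; step 1's SSL VPN settings (source interface, portal mapping for the user group) are not repeated here. The DNS policy is what makes the whole mechanism work: the wildcard destination only matches addresses the FortiGate's own DNS proxy has resolved, so a client that resolves names through some other DNS server never populates that cache and never receives the corresponding routes. Keeping that policy's destination limited to the DNS server IP also avoids turning it into a broad allow rule for SSL VPN users.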

 

Note:

At the initial stage, if a user connects to SSL VPN, the Wildcard FQDN route will not be installed on the user's system because the FortiGate DNS database will not have the IP resolution available.

To verify the route in Windows, use the command: `route print`.

To check the FQDN IP resolution on FortiGate, run the following command:

`diagnose test application dnsproxy 6`

Or:

`diagnose firewall fqdn list`

For v7.0 and later:

`diagnose firewall fqdn list-all`

 

5.PNG

6.png

Once the user generates DNS traffic towards the destination, the resolved address is added to the FortiGate DNS cache and the corresponding route becomes available. However, this route will not be installed on the user's system immediately or dynamically. The SSL VPN remote user will need to disconnect from the SSL VPN and then reconnect to have the routes installed on their system.

 

7.png

8.png

 

Summary of Steps:

  1. The user generates DNS traffic to the desired destination.
  2. The route gets cached in FortiGate's DNS cache.
  3. To install the route on the user's system:
  • Disconnect from SSL VPN.
  • Reconnect to SSL VPN.

The routes will only be properly installed on the user's system after the reconnection.