Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lbruno
Staff
Staff

Created on ‎06-07-2021 12:40 PM Edited on ‎10-28-2025 08:23 AM By Moderator

Article Id 198509

Technical Tip: FQDN Wildcard address is not resolved when using it in Firewall Policies

Description

 

This article describes how to explain why the user-defined FQDN Wildcards may not be working as expected.

It is possible that a scenario where an FQDN Wildcard object is created, and although it is used in a firewall policy, the traffic is not being allowed.
This usually happens if there is no UDP DNS session helper enabled, as the traffic will not be correctly matched because DNS resolution will not be performed properly.

This helper is enabled by default, but it may have been removed for some reason, so always check before using FQDN Wildcards.

Solution

 

Consider the following session helper configuration:

 
And the following firewall rules, one to allow DNS queries to flow through FortiGate and a second one to allow domain *.fortinet.com to use a wildcard: Technical Tip: Using a wildcard FQDN.
 
 
 
With the session helper enabled, the DNS resolution being caught in the FortiGate will be visible for that object: Technical Tip: Using a wildcard FQDN.
 
 
It will be possible to reach a website within that domain, such as kb.fortinet.com.
 

 

But if, for some reason, the UDP DNS session helper is not present, the resolution will not be possible, and an empty FQDN list will be visible:

When dns-udp session helper is not configured, there will be a warning message when trying to configure cache-TTL on the wildcard FQDN firewall address: Warning: no dns-udp helper, wildcard FQDN may not resolve.

 

JeanPhilippe_P_0-1761664946317.png

 

To resolve this, dns-udp helper has to be configured (it is already configured by default):

 

config system session-helper

    edit 14

        set name dns-udp

        set protocol 17

        set port 53

end

 

As a consequence, that URL or any other URL matching that wildcard will be dropped by the implicit denied rule.

 
Note: If the DNS query from an endpoint is made to an internal DNS server and this DNS traffic does not pass through the FortiGate, then the query from the DNS Server to the Forwarder (could be internal or external), to resolve the FQDN, has to go through the FortiGate, so FortiGate can cache the resolution and update the wildcard FQDN object.
 
Extra Tip:
FQDN Wildcards do not always keep up with cloud services whose IP addresses change constantly. In these cases, relying solely on FQDNs can block or drop traffic unexpectedly. To stay safe, combine FQDNs with IP-based objects or dynamic updates so the firewall always allows the right traffic.
 
Related articles:
Labels:
14466
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.