FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description
This article describes the case where FQDN address objects used in firewall policies match traffic only intermittently.
Solution
When an FQDN-based destination address object is used in a firewall policy, traffic going from LAN to WAN should hit that policy as long as all the other fields of the policy also match.
If the traffic is not hitting the expected FQDN-based firewall policy, follow the steps below:
1) Check if the FortiGate is able to resolve the domain:
It is also possible to verify the DNS cache using the commands below on the FortiGate:
# diagnose firewall fqdn list
# diagnose test application dnsproxy 6
2) If the FortiGate is able to resolve the name to an IP address, check whether the DNS settings on the FortiGate and on the client machine are the same.
3) If the DNS settings configured on the FortiGate and on the client machine differ, configure the FortiGate or the client machine to use the same DNS server, flush the client DNS cache using 'ipconfig /flushdns', and check whether that resolves the issue.
4) If the issue persists after configuring the same DNS server on both the FortiGate and the client machine, and the destination FQDN resolves to a different IP address very frequently, try a wildcard FQDN object instead of the full FQDN.
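To make the failure mode behind steps 1 to 4 concrete, here is an added Python example (not from the article or from Fortinet) that parses a constructed sample of `diagnose firewall fqdn list` output and checks whether the IP address a client actually resolved is among the addresses the FortiGate has cached for the object; the output format is an assumption modelled on typical FortiOS output, so compare it with your own unit.

```python
import re
import ipaddress

# Constructed sample, modelled on the shape of `diagnose firewall fqdn list`
# output (format assumed; verify against your own FortiGate).
SAMPLE_FQDN_LIST = """\
List all FQDN:
www.example.com: ID(11) ADDR(93.184.216.34)
cdn.example.net: ID(12) ADDR(198.51.100.10) ADDR(198.51.100.11)
"""

_ENTRY = re.compile(
    r"^(?P<name>[^:\s]+):\s+ID\((?P<id>\d+)\)(?P<addrs>(?:\s+ADDR\([^)]+\))*)"
)
_ADDR = re.compile(r"ADDR\(([^)]+)\)")


def parse_fqdn_list(text):
    """Return {fqdn: set of ip_address} from the diagnose output."""
    cache = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # header or unrelated line
        cache[m.group("name").lower()] = {
            ipaddress.ip_address(a) for a in _ADDR.findall(m.group("addrs"))
        }
    return cache


def policy_would_match(cache, fqdn, client_ip):
    """True only if the client's resolved IP is one the FortiGate cached for
    the object. The policy matches on these cached IPs, not on the name."""
    return ipaddress.ip_address(client_ip) in cache.get(fqdn.lower(), set())


def explain(cache, fqdn, client_ip):
    """Map a mismatch to the troubleshooting step it points at."""
    if policy_would_match(cache, fqdn, client_ip):
        return "match"
    if fqdn.lower() not in cache:
        return "unresolved"  # FortiGate never resolved the name (step 1)
    return "stale"  # both sides resolved, but to different IPs (steps 2-4)


if __name__ == "__main__":
    cache = parse_fqdn_list(SAMPLE_FQDN_LIST)
    print(explain(cache, "cdn.example.net", "198.51.100.12"))  # stale
```

A "stale" result is exactly the intermittent case in the article: the client and the FortiGate resolved the same name to different addresses, typically because they use different DNS servers or the record rotates quickly.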
About Wildcard FQDN.
- Support for wildcard FQDN addresses in firewall policies was added in FortiOS 6.2.2.
- When a wildcard FQDN has been configured, it shows as an unresolved FQDN in the firewall address list.
- Unlike standard FQDNs, a wildcard FQDN does not use the system DNS settings (Network -> DNS).
- A wildcard FQDN is updated when a DNS query is made from a host behind the FortiGate (DNS traffic passing through the FortiGate).
- If the query matches the wildcard FQDN, the resolved IP address is added to the cache for that object on the FortiGate. Make sure that the DNS traffic passes through the FortiGate.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.