FortiGate
rk1
Staff
Article Id 196844

Description

This article describes how to troubleshoot FQDN address objects used in firewall policies that intermittently fail to match traffic.


Scope


FortiGate, FortiOS.

Solution


When an FQDN-based destination address object is used in a firewall policy, traffic from LAN to WAN should hit that policy, provided all the other required fields of the policy match.

If the traffic is not hitting the expected FQDN-based firewall policy, follow the steps below:


  1. Check whether the FortiGate itself can resolve the domain. The DNS cache and the addresses resolved for the FQDN object can be verified with the following commands on the FortiGate:

     diagnose firewall fqdn list

     Note: In newer firmware versions the above command was replaced by sub-commands:

     diagnose firewall fqdn list ?
     list-ip     List IP FQDN.
     list-mac    List MAC FQDN.
     list-all    List FQDN.

     diagnose test application dnsproxy

     For v7.0 and later:

     diagnose firewall fqdn list-ip
     diagnose test application dnsproxy 6
 
  2. If the FortiGate can resolve the name to an IP address, make sure the DNS settings on the FortiGate and on the client machine are the same.
  3. If the DNS settings configured on the FortiGate and on the client machine differ, configure the FortiGate or the client machine to use the same DNS server, flush the client DNS cache with "ipconfig /flushdns", and check whether that resolves the issue.
  4. If the issue persists after configuring the same DNS server on both the FortiGate and the client machine, and the destination FQDN resolves to a different IP very frequently, try a wildcard FQDN object instead of the full FQDN.
  5. Sometimes the default TTL (time-to-live) of the FQDN record is very small, so the IP resolved on the endpoint and the IP resolved on the FortiGate (FGT) may differ at times even when both use the same DNS servers. In that case, increase the cache-ttl value for that FQDN object on the FortiGate:

     config firewall address
         edit "example.com"
             set type fqdn
             set fqdn "example.com"
             set cache-ttl 86400    <- {0 - 86400 in seconds}, where 0 means default.
         next
     end
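As an added illustration that is not part of the original article and not FortiOS code, the following simplified Python model of an FQDN address object shows why step 5 helps: with a round-robin DNS record and a short TTL, only the most recently resolved IP is in the object, so a client that receives a different answer from the same DNS server misses the policy, whereas a long cache-ttl retains every IP the FortiGate has seen. The IP pool, the 30-second record TTL, the refresh schedule and the client query timing are constructed assumptions.

```python
from itertools import cycle

# Constructed round-robin record: every DNS query for the name returns the next IP in the pool.
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
DNS_TTL = 30  # seconds the record is valid (constructed value)


class FqdnObjectCache:
    """Simplified model of a FortiGate FQDN address object (an assumption, not FortiOS code):
    each IP the FortiGate resolves stays in the object for max(DNS_TTL, cache_ttl) seconds."""

    def __init__(self, cache_ttl):
        self.cache_ttl = cache_ttl
        self.entries = {}  # ip -> expiry timestamp (seconds)

    def refresh(self, now, ip):
        """Record the IP returned to the FortiGate's own DNS query at time `now`."""
        self.entries[ip] = now + max(DNS_TTL, self.cache_ttl)

    def live_ips(self, now):
        """Return the IPs a policy using this object can match at time `now`."""
        self.entries = {ip: exp for ip, exp in self.entries.items() if exp > now}
        return set(self.entries)


def simulate(cache_ttl, client_queries=20):
    """Return the fraction of client connections that hit the FQDN-based policy.

    FortiGate and client share one DNS server, modelled as a single round-robin
    iterator. The FortiGate re-queries each time the record TTL expires; the client
    resolves the name halfway through each TTL window and connects to that answer.
    """
    answers = cycle(POOL)
    cache = FqdnObjectCache(cache_ttl)
    matched = 0
    for n in range(client_queries):
        t_fgt = n * DNS_TTL
        cache.refresh(t_fgt, next(answers))  # FortiGate re-resolves on TTL expiry
        client_ip = next(answers)            # client's query gets the next IP in rotation
        if client_ip in cache.live_ips(t_fgt + DNS_TTL // 2):
            matched += 1
    return matched / client_queries


if __name__ == "__main__":
    print("cache-ttl 0 (default):", simulate(0))      # 0.0: every connection misses the policy
    print("cache-ttl 86400:      ", simulate(86400))  # 0.95: only the first connection misses
```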


About Wildcard FQDNs:

  • Support for wildcard FQDN addresses in firewall policies was added in v6.2.2.
  • Once a wildcard FQDN is configured, it is shown as an unresolved FQDN in the firewall address list.
  • Unlike standard FQDNs, a wildcard FQDN does not use the system DNS settings (Network -> DNS).
  • A wildcard FQDN is updated when a DNS query is made by a host connected to the FortiGate (DNS traffic passing through the FortiGate).
  • If the query matches the wildcard FQDN, the resolved IP address is added to the cache for that object on the FortiGate, so make sure the DNS traffic is passing through the FortiGate.
  • Note that the dns-udp session helper is configured by default. If an administrator removes the dns-udp session helper, wildcard FQDNs will not be resolved when devices behind the FortiGate perform DNS queries. The default helper entry is:


config system session-helper
...
   edit 14
       set name dns-udp
       set protocol 17
       set port 53
   next
end

Related documents: