Description
This article describes FQDN address objects that are used in firewall policies that are not working intermittently.
Scope
FortiGate.
Solution
When a FQDN-based destination address object in firewall policies is used, whenever incoming traffic coming from LAN to WAN, it should hit the configured firewall policy with the FQDN destination object, if all the other required fields match the firewall policy.
If the traffic is not hitting the expected FQDN-based firewall policy, follow the below steps:
- Check if the FortiGate can resolve the domain:
It is also possible to verify the DNS cache using the commands below on FortiGate :
diagnose firewall fqdn list
For v7.0 and later:
diagnose firewall fqdn list-all
Note: The above commands were replaced in newer versions of firmware as follows:
diagnose firewall fqdn list ?
list-ip List IP FQDN.
list-mac List MAC FQDN.
list-all List FQDN.
diagnose test application dnsproxy
For v7.0 and later:
diagnose firewall fqdn list-ip
diagnose test application dnsproxy 6
diagnose test application dnsproxy 6
-
If FortiGate can resolve to an IP address, make sure the DNS settings on FortiGate and the client machine are the same.
-
If the DNS settings configured on FortiGate and the client machine are different, configure the FortiGate or client machine to use the same DNS server and flush the client DNS cache using "ipconfig /flushdns" and check if that resolves the issue.
-
If the issue persists after configuring the same DNS server settings on both FortiGate and client machines and if the destination FQDN resolves to a different IP very frequently, try with a wildcard FQDN object instead of the full FQDN.
-
Sometimes, the default TTL (time-to-live) value of the FQDN is very small, so we might observe that IP resolution on the endpoint and FortiGate are different at times, even when using the same DNS Servers. It is good to increase the cache-ttl value for that FQDN on the FortiGate.
config firewall address
edit "example.com”
set type fqdn
set fqdn "example.com"
set cache-ttl 86400 <- {0 - 86400 in seconds}, where 0 means default.
next
end
If the firewall fqdn address cache-ttl is set to 0 (default), the cache information will be ignored, and the global dns-cache-ttl (default = 1800s) will be used.
About Wildcard FQDNs:
- Support for wildcard FQDN addresses in firewall policy has been included in v6.2.2.
- When the wildcard FQDN has been configured, it will show as an unresolved FQDN in the firewall address list.
- As compared to the standard FQDNs, the wildcard FQDN does not use system DNS settings (Network -> DNS).
- The wildcard FQDN is updated when a DNS query is made from a host connected to FortiGate (DNS traffic passing through a FortiGate).
- If the query matches the wildcard FQDN, the IP address is added to the cache for that object on the FortiGate. Make sure that the DNS traffic is passing through the FortiGate.
-
Note that the dns-udp session helper is configured by default. If an administrator removes the dns-udp session helper, wildcard FQDNs will not be resolved when devices behind FortiGate attempt DNS queries.
config system session-helper
...
edit 14
set name dns-udp
set protocol 17
set port 53
next
end
Related documents:
Support for wildcard FQDN addresses in firewall policy 6.2.2
Technical Tip: Using wildcard FQDN
Technical Tip: FQDN Wildcard address is not resolved when using it in Firewall Policies
