DescriptionThis article describes FQDN address objects which are used in firewall policies are not working intermittently.SolutionWhen a FQDN based destination address object in firewall policies is used, whenever an incoming traffic coming from LAN to WAN, it should hit the configured firewall policy with the FQDN destination object, if all the other required fields match the firewall policy.
If the traffic is not hitting the expected FQDN based firewall policy, follow the below steps:
1) Check if the FortiGate is able to resolve the domain:
It is also possible to verify the DNS cache using below commands on FortiGate :
# diagnose firewall fqdn list2) If FortiGate is able to resolve to an IP address, make sure if the DNS settings on FortiGate and the client machine are the same.
# diagnose test application dnsproxy 6
3) If the DNS settings configured on FortiGate and client machine are different, configure the FortiGate or client machine to use the same DNS server and flush the client DNS cache using 'ipconfig /flushdns' and check if that resolved the issue.
4) If the issue still persists after configuring the same DNS server settings on both FortiGate and client machine and if the destination FQDN resolves to a different IP very frequently, try with wildcard FQDN object instead of the full FQDN.
About Wildcard FQDN.
- Support for wildcard FQDN addresses in firewall policy has been included in FortiOS 6.2.2.
- When the wildcard FQDN has been configured, it will show as unresolved FQDN in the firewall address list.
- As compared to the standard FQDNs, the wildcard FQDN does not use system DNS settings (Network -> DNS).
- The wildcard FQDN is updated when a DNS query is made from a host connected to FortiGate (DNS traffic passing through a FortiGate).
- If the query matches the wildcard FQDN, the IP address is added to the cache for that object on the FortiGate. Please make sure that the DNS traffic is passing through the FortiGate.
Technical Tip: Using wildcard FQDN