There are a few options to address this and make sure the IP resolved by a user is also the one FortiGate holds for the FQDN address object.
- Change cache-ttl on the individual FQDN-type address object. This is the option to use if only a limited number of FQDNs have the issue:
config firewall address
    edit "FQDN_s3-fips.us-gov-west-1.amazonaws.com/"
        set type fqdn
        set fqdn "s3-fips.us-gov-west-1.amazonaws.com"
        set cache-ttl 86400    <----- Default value is 0.
    next
end
In the example above, cache-ttl defaults to 0, which means the object inherits the global fqdn-cache-ttl setting under 'config system dns' (available since FortiOS 7.2).
The default value of fqdn-cache-ttl is also 0, which means FortiGate caches the entry for the TTL returned in the DNS response. In this specific case that TTL is 5 seconds, which is very short.
To overcome this, set cache-ttl under each affected FQDN-type address object; the per-object value takes priority over the global fqdn-cache-ttl setting.
Related document:
config firewall address
- Change fqdn-cache-ttl in the global DNS settings.
If many FQDN-based address objects have this issue, it is easier to change the global setting. cache-ttl can still be customized per object where needed:
config system dns
    set primary 208.91.112.53
    set secondary 8.8.8.8
    set dns-cache-limit 5000
    set dns-cache-ttl 1800
    set fqdn-cache-ttl 0
    set fqdn-min-refresh 60
end
Note:
When choosing a value for fqdn-cache-ttl or cache-ttl, longer is not necessarily better (the maximum is 86400 seconds). For a stable service a long value is fine, but for a dynamic cloud-based service choose a value small enough that, if the provider removes an IP from the record, the stale IP does not stay in the cache (and keep matching the policy) for too long.
Notes on a few important settings here:
- dns-cache-limit 5000: The default is adequate. If memory is not a concern, raising it lets FortiGate hold more DNS entries in the cache, which keeps DNS response times good once the limit would otherwise be reached. To view the configured dns-cache-limit, use the following command:
diag test application dnsproxy 3
- dns-cache-ttl 1800: This is the default TTL for the regular DNS cache; its entries can be tracked with the command below. When this value is changed, the DNS cache is cleared and refreshed.
diagnose test application dnsproxy 7
worker idx: 0
vfid=0, name=www.youtube.com, ttl=116:116:1799
142.251.116.91 (ttl=116)
142.250.113.91 (ttl=116)
142.250.114.91 (ttl=116)
142.250.114.93 (ttl=116)
142.250.113.136 (ttl=116)
142.250.115.91 (ttl=116)
142.250.114.136 (ttl=116)
142.250.113.93 (ttl=116)
142.250.115.93 (ttl=116)
142.250.138.93 (ttl=116)
142.251.116.190 (ttl=116)
142.251.116.93 (ttl=116)
142.250.115.136 (ttl=116)
142.250.114.190 (ttl=116)
142.251.116.136 (ttl=116)
142.250.113.190 (ttl=116)
- fqdn-min-refresh 60: 60 seconds is the default minimum interval between FQDN re-queries. Even when the DNS TTL for an FQDN is 5 seconds, FortiGate does not re-query more often than this interval; the query is actually sent 5 seconds before the interval expires, so with the default setting an FQDN is re-queried every 55 seconds.
- fqdn-cache-ttl 0: This is explained above; the effective value can be tracked with the dnsproxy 6 output shown further below.
In the dnsproxy 6 example below, the FQDN has 124 active IPs in the FQDN cache. After the object is configured, it takes some time for all of the possible IPs to be learned and cached; until then there is still a chance that a user resolves an IP that is not yet in the FortiGate FQDN cache, and in that case the firewall policy is not matched.
To shorten this initial learning period, reduce fqdn-min-refresh, but remember that this setting is global (it affects all VDOMs).
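The interaction between the DNS TTL, cache-ttl and fqdn-min-refresh described above is easier to see in a small model. The following is an added example, not code from this article or from FortiOS: it models the DNS side as a pool of n_backend addresses from which each answer returns answers_per_query random entries (assumed; real services differ), re-queries every fqdn-min-refresh minus 5 seconds as stated above, and keeps each learned entry for cache-ttl seconds when set and for the DNS TTL otherwise. It then reports how many backend IPs are live in the cache over the first hour and what share of client lookups would match the policy, for the default settings, for cache-ttl 86400, and for a reduced fqdn-min-refresh.

```python
import random
from typing import List


def refresh_interval(fqdn_min_refresh: int) -> int:
    """Seconds between FQDN re-queries: the query is sent 5 s before
    fqdn-min-refresh expires, so the default 60 s gives a 55 s cycle."""
    return max(1, fqdn_min_refresh - 5)


def simulate_fqdn_cache(n_backend: int, answers_per_query: int, dns_ttl: int,
                        cache_ttl: int, fqdn_min_refresh: int, horizon: int,
                        seed: int = 1) -> List[int]:
    """Return, for each second 0..horizon-1, how many backend IPs are live in the cache.

    Constructed model (not FortiOS internals):
      * the DNS server owns n_backend IPs and returns answers_per_query of them,
        chosen uniformly at random, on every query (assumption);
      * FortiGate queries at t=0 and then every refresh_interval() seconds;
      * an entry lives cache_ttl seconds when cache-ttl is set on the object,
        otherwise dns_ttl seconds (cache-ttl 0 / fqdn-cache-ttl 0); an entry
        returned again has its expiry extended.
    """
    rng = random.Random(seed)
    pool = [f"10.0.{i // 256}.{i % 256}" for i in range(n_backend)]  # constructed addresses
    lifetime = cache_ttl if cache_ttl > 0 else dns_ttl
    interval = refresh_interval(fqdn_min_refresh)
    expiry = {}          # ip -> second at which the entry is purged
    series = []
    for t in range(horizon):
        if t % interval == 0:
            for ip in rng.sample(pool, answers_per_query):
                expiry[ip] = t + lifetime
        expiry = {ip: e for ip, e in expiry.items() if e > t}  # purge aged-out entries
        series.append(len(expiry))
    return series


def hit_rate(series: List[int], n_backend: int) -> float:
    """Share of client lookups that would match the FQDN policy, assuming the
    client's resolver hands out the n_backend IPs uniformly (assumption)."""
    return sum(series) / (len(series) * n_backend)


if __name__ == "__main__":
    # 124 backend IPs as in the s3-fips example; 8 answers per query is assumed.
    scenarios = [
        ("cache-ttl 0, fqdn-min-refresh 60 (defaults)", 0, 60),
        ("cache-ttl 86400, fqdn-min-refresh 60", 86400, 60),
        ("cache-ttl 86400, fqdn-min-refresh 10", 86400, 10),
    ]
    for label, cache_ttl, min_refresh in scenarios:
        s = simulate_fqdn_cache(124, 8, 5, cache_ttl, min_refresh, 3600)
        print(f"{label:45s} live IPs after 10 min: {s[600]:3d}/124   "
              f"policy hit rate over 1 h: {hit_rate(s, 124):.1%}")
```

With the defaults the cache holds at most one answer's worth of IPs for 5 seconds out of every 55, so almost every client lookup lands on an IP FortiGate does not have; with cache-ttl 86400 the entries accumulate across refreshes, and a smaller fqdn-min-refresh shortens how long that accumulation takes.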
In the example below, min_ttl from the DNS server is 5 seconds and cache_ttl (set under the address object) is 86400. The first entry, 108.175.48.22 (ttl=5:0:55356), still has 55356 seconds before it is removed from the FQDN cache:
Forti (global) # diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=s3-fips.us-gov-west-1.amazonaws.com ver=IPv4 wait_list=0 timer=16 min_refresh=60 min_ttl=5 cache_ttl=86400 slot=-1 num=124 wildcard=0
108.175.48.22 (ttl=5:0:55356)
108.175.49.22 (ttl=5:0:57062)
108.175.48.66 (ttl=5:0:58713)
108.175.48.38 (ttl=5:0:60860)
108.175.48.74 (ttl=5:0:61741)
108.175.50.22 (ttl=5:0:63282)
108.175.49.6 (ttl=5:0:67191)
108.175.49.50 (ttl=5:0:67466)
108.175.49.66 (ttl=5:0:68402)
108.175.50.14 (ttl=5:0:68787)
108.175.49.46 (ttl=5:0:68952)
108.175.50.26 (ttl=5:0:69943)
108.175.50.166 (ttl=5:0:70988)
108.175.49.54 (ttl=5:0:71098)
108.175.50.6 (ttl=5:0:72199)
108.175.50.38 (ttl=5:0:72585)
108.175.48.194 (ttl=5:0:73025)
108.175.48.90 (ttl=5:0:73190)
108.175.49.86 (ttl=5:0:74291)
108.175.48.50 (ttl=5:0:75337)
108.175.48.62 (ttl=5:0:75447)
108.175.48.94 (ttl=5:0:75667)
108.175.48.190 (ttl=5:0:75887)
108.175.49.150 (ttl=5:0:75917)
108.175.50.78 (ttl=5:0:76217)
108.175.50.42 (ttl=5:0:76603)
108.175.49.134 (ttl=5:0:76768)
108.175.49.10 (ttl=5:0:76988)
108.175.50.2 (ttl=5:0:77043)
108.175.49.166 (ttl=5:0:77263)
108.175.48.70 (ttl=5:0:77318)
108.175.48.6 (ttl=5:0:77373)
108.175.49.170 (ttl=5:0:77538)
108.175.50.194 (ttl=5:0:77648)
108.175.50.10 (ttl=5:0:77814)
108.175.49.162 (ttl=5:0:77924)
108.175.49.178 (ttl=5:0:78488)
108.175.50.82 (ttl=5:0:78873)
108.175.48.134 (ttl=5:0:79038)
108.175.48.186 (ttl=5:0:79313)
108.175.49.18 (ttl=5:0:79534)
108.175.49.198 (ttl=5:0:79589)
108.175.50.18 (ttl=5:0:79644)
108.175.49.58 (ttl=5:0:79809)
108.175.48.78 (ttl=5:0:79864)
108.175.49.186 (ttl=5:0:79974)
108.175.49.182 (ttl=5:0:80029)
108.175.50.66 (ttl=5:0:80084)
108.175.49.154 (ttl=5:0:80194)
108.175.50.150 (ttl=5:0:80525)
108.175.50.94 (ttl=5:0:80580)
108.175.48.18 (ttl=5:0:81130)
108.175.49.90 (ttl=5:0:81240)
108.175.50.162 (ttl=5:0:81350)
108.175.50.30 (ttl=5:0:81405)
108.175.50.182 (ttl=5:0:81460)
108.175.48.198 (ttl=5:0:81515)
108.175.50.146 (ttl=5:0:81625)
108.175.49.146 (ttl=5:0:81845)
108.175.50.198 (ttl=5:0:81901)
108.175.50.142 (ttl=5:0:81956)
108.175.48.2 (ttl=5:0:82011)
108.175.49.30 (ttl=5:0:82066)
108.175.49.14 (ttl=5:0:82176)
108.175.48.174 (ttl=5:0:82231)
108.175.48.42 (ttl=5:0:82451)
108.175.49.62 (ttl=5:0:82506)
108.175.50.62 (ttl=5:0:82561)
108.175.49.74 (ttl=5:0:82616)
108.175.48.170 (ttl=5:0:82671)
108.175.50.70 (ttl=5:0:82781)
108.175.48.34 (ttl=5:0:82836)
108.175.50.186 (ttl=5:0:83001)
108.175.48.30 (ttl=5:0:83056)
108.175.48.142 (ttl=5:0:83111)
108.175.50.138 (ttl=5:0:83167)
108.175.50.74 (ttl=5:0:83222)
108.175.48.46 (ttl=5:0:83398)
108.175.48.10 (ttl=5:0:83508)
108.175.50.90 (ttl=5:0:83563)
108.175.50.46 (ttl=5:0:83618)
108.175.49.82 (ttl=5:0:83674)
108.175.49.94 (ttl=5:0:83729)
108.175.50.50 (ttl=5:0:83784)
108.175.49.78 (ttl=5:0:84059)
108.175.50.178 (ttl=5:0:84114)
108.175.49.38 (ttl=5:0:84169)
108.175.48.182 (ttl=5:0:84224)
108.175.50.58 (ttl=5:0:84279)
108.175.48.54 (ttl=5:0:84389)
108.175.49.190 (ttl=5:0:84444)
108.175.49.70 (ttl=5:0:84499)
108.175.50.34 (ttl=5:0:84522)
108.175.49.34 (ttl=5:0:84632)
108.175.48.150 (ttl=5:0:84687)
108.175.49.194 (ttl=5:0:84742)
108.175.50.190 (ttl=5:0:84797)
108.175.49.138 (ttl=5:0:84853)
108.175.48.138 (ttl=5:0:84963)
108.175.50.130 (ttl=5:0:85018)
108.175.48.202 (ttl=5:0:85128)
108.175.49.2 (ttl=5:0:85183)
108.175.49.130 (ttl=5:0:85238)
108.175.50.174 (ttl=5:0:85293)
108.175.48.206 (ttl=5:0:85348)
108.175.49.158 (ttl=5:0:85403)
108.175.50.158 (ttl=5:0:85458)
108.175.49.174 (ttl=5:0:85513)
108.175.49.26 (ttl=5:0:85568)
108.175.50.54 (ttl=5:0:85623)
108.175.48.178 (ttl=5:0:85678)
108.175.49.142 (ttl=5:0:85733)
108.175.50.86 (ttl=5:0:85788)
108.175.50.134 (ttl=5:0:85843)
108.175.48.130 (ttl=5:0:85898)
108.175.48.14 (ttl=5:0:85922)
108.175.48.58 (ttl=5:0:85977)
108.175.49.42 (ttl=5:0:86032)
108.175.48.162 (ttl=5:0:86087)
108.175.48.26 (ttl=5:0:86142)
108.175.50.154 (ttl=5:0:86197)
108.175.50.170 (ttl=5:0:86252)
108.175.48.146 (ttl=5:0:86307)
108.175.48.166 (ttl=5:0:86362)
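The practical check behind this article is whether the IP a user actually resolved is present in FortiGate's FQDN cache, and for how much longer. The following added example (not code from this article or from Fortinet) parses the dnsproxy 6 output in the format shown above, answers that question for a given IP, flags entries that could age out before the next re-query, and detects a clipped paste where fewer addresses were captured than the header's num= value. The first ttl field is taken as the DNS TTL (min_ttl) and the third as the remaining seconds, as described above; the middle field is not explained in the article and is kept verbatim. The sample output is constructed: header values are the article's, the address list is shortened, and one remaining value is lowered to show an entry close to expiry.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class FqdnEntry(NamedTuple):
    ip: str
    dns_ttl: int     # first ttl field: TTL the DNS server returned (min_ttl)
    middle: int      # second ttl field: not explained in the article, kept verbatim
    remaining: int   # third ttl field: seconds left before the entry is purged


class FqdnCache(NamedTuple):
    name: str
    min_refresh: int
    min_ttl: int
    cache_ttl: int
    num: int
    entries: List[FqdnEntry]


# Header of one FQDN record, e.g.
# vfid=0 name=example.com ver=IPv4 wait_list=0 timer=16 min_refresh=60 min_ttl=5 cache_ttl=86400 slot=-1 num=124 wildcard=0
HEADER_RE = re.compile(
    r"vfid=\d+\s+name=(?P<name>\S+).*?min_refresh=(?P<min_refresh>\d+)"
    r"\s+min_ttl=(?P<min_ttl>\d+)\s+cache_ttl=(?P<cache_ttl>\d+).*?num=(?P<num>\d+)"
)
# One cached address, e.g. "108.175.48.22 (ttl=5:0:55356)"
ENTRY_RE = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+)\s+\(ttl=(?P<a>\d+):(?P<b>\d+):(?P<c>\d+)\)$")


def parse_dnsproxy6(output: str) -> Dict[str, FqdnCache]:
    """Parse 'diagnose test application dnsproxy 6' output into one record per FQDN."""
    caches: Dict[str, FqdnCache] = {}
    current: Optional[FqdnCache] = None
    for raw in output.splitlines():
        line = raw.strip()
        header = HEADER_RE.search(line)
        if header:
            current = FqdnCache(
                name=header["name"],
                min_refresh=int(header["min_refresh"]),
                min_ttl=int(header["min_ttl"]),
                cache_ttl=int(header["cache_ttl"]),
                num=int(header["num"]),
                entries=[],
            )
            caches[current.name] = current
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            current.entries.append(
                FqdnEntry(entry["ip"], int(entry["a"]), int(entry["b"]), int(entry["c"]))
            )
    return caches


def lookup(cache: FqdnCache, ip: str) -> Optional[FqdnEntry]:
    """Entry for ip, or None: traffic to an IP that is None here will not match
    a policy that uses this FQDN object."""
    return next((e for e in cache.entries if e.ip == ip), None)


def truncated(cache: FqdnCache) -> bool:
    """True when fewer addresses were captured than num= claims (a clipped
    terminal paste), so a negative lookup() is not conclusive."""
    return len(cache.entries) < cache.num


def expiring_before_next_refresh(cache: FqdnCache) -> List[FqdnEntry]:
    """Entries that could be purged before the next re-query, which is sent
    min_refresh - 5 seconds after the previous one. If DNS still returns them
    they are relearned; otherwise they were stale and are aging out."""
    interval = cache.min_refresh - 5
    return [e for e in cache.entries if e.remaining < interval]


# Constructed sample in the article's output format (shortened list, last value lowered).
SAMPLE_OUTPUT = """\
Forti (global) # diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=s3-fips.us-gov-west-1.amazonaws.com ver=IPv4 wait_list=0 timer=16 min_refresh=60 min_ttl=5 cache_ttl=86400 slot=-1 num=4 wildcard=0
108.175.48.22 (ttl=5:0:55356)
108.175.49.22 (ttl=5:0:57062)
108.175.48.66 (ttl=5:0:58713)
108.175.48.38 (ttl=5:0:40)
"""

if __name__ == "__main__":
    cache = parse_dnsproxy6(SAMPLE_OUTPUT)["s3-fips.us-gov-west-1.amazonaws.com"]
    if truncated(cache):
        print("warning: output truncated, %d of %d entries captured" % (len(cache.entries), cache.num))
    for ip in ("108.175.48.22", "192.0.2.1"):  # second IP is a placeholder not in the cache
        hit = lookup(cache, ip)
        print(ip, "cached, %d s left" % hit.remaining if hit else "NOT in FortiGate FQDN cache")
    print("could age out before next re-query:", [e.ip for e in expiring_before_next_refresh(cache)])
```

Feed it the real output of the command (captured with the full list, not a clipped paste) together with the IP taken from the client's own resolver; a None result for that IP is the cache miss this article is about.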
If multi-VDOM is enabled, diagnose test application commands run in the global VDOM. The command below, run inside each VDOM (such as root), returns similar information:
Forti (root) # diagnose firewall fqdn getinfo-ip s3-fips.us-gov-west-1.amazonaws.com
getinfo s3-fips.us-gov-west-1.amazonaws.com id:205 generation:130 count:124 data_len:1612 flag 1
Forti (root) # diagnose firewall fqdn getinfo-ip agw1ps3nessrms.s3-fips.us-gov-west-1.amazonaws.com
....
...
ip list: (1 ip in total)
ip: 108.175.48.206
Total ip fqdn range blocks: 124. Total ip fqdn addresses: 124.
Only the last two IP entries are posted here.
For details, refer to the documents and CLI references:
Important DNS CLI commands
config system dns
Related KB articles:
Technical Tip: FortiGate Troubleshooting DNS commands
Troubleshooting Tip: FQDN address object shows unresolved in GUI after upgrading to FortiOS v7.2.6 o...
Troubleshooting Tip: How to verify the FDQN IP address in DNS cache
Technical Tip: FQDN based firewall policies are not working intermittently
Technical Tip: Improve FQDN re-query interval on FortiGate
Technical Tip: Explanation of the FQDN default cache-ttl