Description
This article describes how to tune the FQDN re-query interval on FortiGate. When the DNS server returns round-robin or GSLB-based answers, the address cached in the FortiGate FQDN address object and the address the client itself resolves can differ: the GSLB answer changes every few seconds (TTLs of 4 or 5 seconds are common) while the FortiGate keeps its cached entry for longer. The client then connects to an IP that the FQDN object no longer contains, and the traffic is blocked.
Take the FQDN cfengine-package-repos.s3.amazonaws.com as an example. Running nslookup against it returns the following:

Non-authoritative answer:
Name:    s3-w.us-east-1.amazonaws.com
Address: 52.216.102.115
Aliases: cfengine-package-repos.s3.amazonaws.com
         s3-1-w.amazonaws.com
Capturing the same lookup with Wireshark on the client machine and inspecting the DNS reply for s3-1-w.amazonaws.com shows a TTL of 5 seconds or less.
Before v7.2.1, the minimum FQDN re-query interval was hard-coded at 60 seconds. Starting with v7.2.1 this timer is configurable, so the FortiGate can re-query the FQDN more frequently and keep its address object in step with short-TTL answers.
Scope
FortiGate v7.2.1 and later.
Solution
The 'fqdn-min-refresh' interval can be set between 10 and 3600 seconds (the pre-7.2.1 behaviour corresponds to a value of 60):

config system dns
    set fqdn-min-refresh 10
end

fqdn-min-refresh is the lowest allowed refresh interval: the FQDN cache is never refreshed more often than this value, so an entry whose DNS TTL is shorter than this value is refreshed at this interval rather than at its TTL. Lowering it lets FQDNs that need fast resolution refresh quickly without affecting FQDNs whose records carry longer TTLs, since those continue to refresh according to their TTL.
Starting from FortiOS v7.4, a second setting, 'fqdn-max-refresh', controls the global upper limit of the FQDN refresh timer. FQDN entries whose TTL exceeds this value have their refresh timer capped at it, so the FortiGate re-queries DNS for its FQDN addresses at least this often even when the record's TTL is very long. The default is 3600 seconds and the configurable range is 3600 to 86400 seconds:

config system dns
    set fqdn-max-refresh <integer>
end
Note: fqdn-min-refresh and fqdn-max-refresh are global settings under 'config system dns' and cannot be configured per VDOM under 'config system vdom-dns'.
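The two checks this article asks for, reading the TTL out of the DNS reply and working out how long the FortiGate will actually hold the cached address, can be scripted against a captured DNS message. The following is an added example written for this page; it is not Fortinet code. It decodes a DNS response the way Wireshark presents it (including RFC 1035 name compression), follows the CNAME chain from the FQDN to its A record, takes the shortest TTL on the chain, and clamps that TTL to the fqdn-min-refresh / fqdn-max-refresh limits quoted above. The clamp model (refresh = TTL bounded by the two settings) and the sample reply with its TTL values are assumptions built from the article's description, not a real capture.

```python
"""Added example (not Fortinet code): DNS reply TTL vs. FortiGate FQDN refresh
timer. The refresh model and the sample reply are assumptions from the article."""
import struct

A, CNAME = 1, 5   # RR types we care about


def effective_refresh(ttl, fqdn_min_refresh=60, fqdn_max_refresh=3600):
    """Refresh interval as modelled from the article: the record TTL, never below
    fqdn-min-refresh (10..3600 s) and never above fqdn-max-refresh (3600..86400 s).
    Defaults are the pre-7.2.1 hard-coded 60 s floor and the v7.4 3600 s ceiling."""
    if not (10 <= fqdn_min_refresh <= 3600 and 3600 <= fqdn_max_refresh <= 86400):
        raise ValueError("fqdn-min-refresh is 10..3600 s, fqdn-max-refresh 3600..86400 s")
    return min(max(ttl, fqdn_min_refresh), fqdn_max_refresh)


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2                      # caller resumes right after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels).lower(), end if end is not None else off


def parse_answers(msg):
    """Return (owner, type, ttl, value) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                       # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == CNAME:
            value, _ = _read_name(msg, off)
        elif rtype == A:
            value = ".".join(str(b) for b in msg[off:off + 4])
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        records.append((owner, rtype, ttl, value))
    return records


def resolve_chain(records, fqdn):
    """Follow CNAMEs from fqdn to its A records. The cached answer is only good
    for the shortest TTL on the chain, so that TTL is returned."""
    name, ttls = fqdn.rstrip(".").lower(), []
    for _ in range(16):                            # bound against CNAME loops
        hop = next((r for r in records if r[0] == name and r[1] == CNAME), None)
        if hop is None:
            break
        ttls.append(hop[2])
        name = hop[3]
    addrs = [r[3] for r in records if r[0] == name and r[1] == A]
    ttls += [r[2] for r in records if r[0] == name and r[1] == A]
    if not addrs:
        raise ValueError(f"no A record reachable from {fqdn}")
    return name, addrs, min(ttls)


def assess(msg, fqdn, fqdn_min_refresh=60, fqdn_max_refresh=3600):
    """'stale_window' is how many seconds the FQDN object may still hold an
    address the DNS server has already stopped handing out."""
    final, addrs, ttl = resolve_chain(parse_answers(msg), fqdn)
    refresh = effective_refresh(ttl, fqdn_min_refresh, fqdn_max_refresh)
    return {"final_name": final, "addresses": addrs, "ttl": ttl,
            "refresh": refresh, "stale_window": max(0, refresh - ttl)}


def build_response(question, answers):
    """Constructed DNS response for offline use; owners equal to the question are
    written as the usual 0xC00C pointer to offset 12 to exercise decompression."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += _encode_name(question) + struct.pack("!HH", A, 1)
    for owner, rtype, ttl, rdata in answers:
        owner_wire = b"\xc0\x0c" if owner == question else _encode_name(owner)
        msg += owner_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# Constructed reply mirroring the article's nslookup output; the 60 s CNAME TTL
# and the 5 s TTLs are assumed values, not taken from a real capture.
SAMPLE_RESPONSE = build_response(
    "cfengine-package-repos.s3.amazonaws.com",
    [("cfengine-package-repos.s3.amazonaws.com", CNAME, 60, _encode_name("s3-1-w.amazonaws.com")),
     ("s3-1-w.amazonaws.com", CNAME, 5, _encode_name("s3-w.us-east-1.amazonaws.com")),
     ("s3-w.us-east-1.amazonaws.com", A, 5, bytes([52, 216, 102, 115]))])

if __name__ == "__main__":
    for floor in (60, 10):                         # pre-7.2.1 floor vs. tuned floor
        print(floor, assess(SAMPLE_RESPONSE, "cfengine-package-repos.s3.amazonaws.com", floor))
```

With the default 60-second floor the script reports a 55-second window in which the FortiGate may still permit an address the GSLB has stopped returning; with fqdn-min-refresh set to 10 that window shrinks to 5 seconds. To run it against a real reply, export the DNS response bytes from Wireshark (File > Export Packet Bytes on the DNS layer) and pass them in place of SAMPLE_RESPONSE.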
Copyright 2024 Fortinet, Inc. All Rights Reserved.