| Description |
This article describes a solution to resolve the IP address for Wildcard FQDN. Wildcard FQDN shows an unresolved IP address and the user is unable to access the URLs if that applied Wildcard FQDN at firewall policy. |
| Scope | FortiGate. |
| Solution |
Issue scenario: '*.playstation.com' is used as an example for Wildcard FQDN with the targeted URL included:
After creating a Wildcard FQDN, it will show an Unresolved FQDN when hovered.
If this Wildcard FQDN is applied to the policy, it will not function properly as this Wildcard FQDN does not have any IP address information for the related URLs.
Solution:
Note: For FQDN address objects to resolve, DNS queries must pass through the FortiGate. However, most browsers (Chrome, Firefox, Edge, etc) can encrypt the DNS traffic. When DNS traffic is encrypted, FortiGate will not be able to see encrypted DNS traffic unless 'Deep Packet Inspection' is enabled. Below is an example of secure DNS being enabled on Chrome.
Below is the guide to resolving the IP address for Wildcard FQDN created on the FortiGate (when DNS traffic is not encrypted).
A policy with DNS service is required to be created and put on top of the Wildcard FQDN address policy.
When any URLs related to Wildcard FQDN are reached, it will hit the above DNS policy 1st and the IP address of the URLs will be recorded inside Wildcard FQDN.
After access to the related URLs, hover again on the Wildcard FQDN, this time it will show the IP address information.
Related articles: Technical Tip: Using a wildcard FQDN Technical Tip: How to configure wildcard-FQDN custom and group Technical Tip: Improve FQDN re-query interval on FortiGate Technical Tip: FQDN based firewall policies are not working intermittently Troubleshooting Tip: Wildcard FQDN addresses are not getting populated |
