Created on 03-08-2023 10:06 PM
Edited on 07-31-2025 07:48 AM
By Stephen_G
Description
This article describes how to resolve the IP addresses of a Wildcard FQDN address object. The Wildcard FQDN shows as unresolved, and users cannot reach the related URLs when that Wildcard FQDN is used in a firewall policy.
Scope
FortiGate.
Solution
Issue scenario: '*.playstation.com' is used as the example Wildcard FQDN, and the targeted URL falls under it:
After the Wildcard FQDN is created, hovering over it shows 'Unresolved FQDN'.
If this Wildcard FQDN is applied to a policy, the policy does not work as expected, because the Wildcard FQDN object holds no IP address information for the related URLs.
Solution:
For FQDN address objects to resolve, DNS queries must pass through the FortiGate. Below is a guide to resolving the IP address for Wildcard FQDN created on the FortiGate (when DNS traffic is not encrypted).
A firewall policy allowing the DNS service must be created and placed above the policy that uses the Wildcard FQDN address.
When any URL covered by the Wildcard FQDN is accessed, the client's DNS query matches the DNS policy first, and the IP addresses returned for that URL are recorded in the Wildcard FQDN object.
After the related URLs have been accessed, hover over the Wildcard FQDN again; it now shows the IP address information.
If the issue persists, run a packet capture and check the DNS response in Wireshark. If the client's DNS server is 8.8.8.8, run the following command:
diag sniffer packet any 'host 8.8.8.8 and port 53' 6 0 l
In this case, the capture shows no DNS response from the DNS server, so the FortiGate cannot update the FQDN. Note: most browsers (Chrome, Firefox, Edge, etc.) can encrypt DNS traffic. Below is an example of Secure DNS enabled in Chrome.
When DNS traffic is encrypted, the FortiGate cannot see it unless deep packet inspection is enabled on the policy that the DNS traffic matches. In the FortiGate SSL deep inspection profile, make sure the DNS over TLS option is enabled so that the FortiGate can decrypt the DNS response traffic.
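The procedure above (wildcard object, DNS policy ordered above the wildcard policy, verification, and the encrypted-DNS case) as an added FortiOS CLI example written for this article; it is not configuration taken from the original article or from Fortinet documentation. Interface names internal and wan1, policy IDs 10 and 20, the object name wc-playstation, the custom service DoT-853 and the profile name dns-deep-inspection are placeholders to adapt. The dot section of the SSL/SSH profile is assumed to be available (FortiOS 7.0 and later). Lines starting with # are annotations, not commands.

```fortios
# Assumed placeholder names: interfaces "internal"/"wan1", policy IDs 10 and 20,
# object "wc-playstation", service "DoT-853", profile "dns-deep-inspection".

# 1. Wildcard FQDN address object for the article's example domain.
config firewall wildcard-fqdn custom
    edit "wc-playstation"
        set wildcard-fqdn "*.playstation.com"
    next
end

# 2. Policies. The DNS policy (ID 10) must sit above the wildcard FQDN policy
#    (ID 20) so client DNS queries cross the FortiGate and the replies are learned.
config firewall policy
    edit 10
        set name "allow-dns-out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 20
        set name "allow-playstation"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "wc-playstation"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
    # If the DNS policy was created later and landed below, reorder it;
    # policy order, not policy ID, decides which policy a packet matches.
    move 10 before 20
end

# 3. Verify: once a client has browsed a *.playstation.com URL, the learned
#    addresses appear in the FQDN table (and on hover in the GUI).
diagnose firewall fqdn list

# 4. If the object stays unresolved, confirm that plaintext DNS is actually
#    crossing the FortiGate (the article's capture, client resolver 8.8.8.8).
diagnose sniffer packet any 'host 8.8.8.8 and port 53' 6 0 l

# 5. Encrypted DNS: enable DNS over TLS deep inspection in the SSL/SSH profile
#    and apply it to the DNS policy. The "dot" section assumes FortiOS 7.0+.
config firewall ssl-ssh-profile
    edit "dns-deep-inspection"
        config dot
            set status deep-inspection
        end
    next
end

# Custom service for DoT (TCP/853); name is an assumption.
config firewall service custom
    edit "DoT-853"
        set tcp-portrange 853
    next
end

# Apply the profile to the DNS policy. Some releases require at least one other
# security profile (e.g. an IPS sensor) on the policy before the SSL profile applies.
config firewall policy
    edit 10
        set service "DNS" "DoT-853"
        set utm-status enable
        set ssl-ssh-profile "dns-deep-inspection"
    next
end
```

After applying this, check the policy list in the GUI or with 'show firewall policy' to confirm the DNS policy is listed first. Decrypting any encrypted DNS also requires the FortiGate's inspection CA to be trusted by the clients; browser "Secure DNS" is usually DNS over HTTPS on TCP/443 rather than DoT, so those queries are handled by the profile's HTTPS deep inspection on the policy carrying the browser traffic.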
Related articles:
Technical Tip: Using a wildcard FQDN
Technical Tip: How to configure wildcard-FQDN custom and group
Technical Tip: Improve FQDN re-query interval on FortiGate
Technical Tip: FQDN based firewall policies are not working intermittently
Troubleshooting Tip: Wildcard FQDN addresses are not getting populated