sjoshi (Staff)
Article Id 412936
Description

 

This article describes how to troubleshoot FQDN traffic hitting incorrect policies.

 

Scope

 

FortiGate.

 

Solution

 

Traffic intended for specific allowed URLs/FQDNs is not hitting the top-priority policy and is instead being matched with another policy.

 


 

Even though the dedicated FQDN policy is at the top of the policy list, the traffic matches the catch-all 'all' policy. This happens because the wildcard FQDN has not been resolved to any IP address, as the FQDN cache shows (count(0) and no IP list):

 

erbium-kvm56 # diagnose firewall fqdn list-all | grep -A3 "hdfcbank"
fqdn_u 0x56454cc7ea3b *hdfcbank.com: type:(1) ID(929) count(0) generation(1) data_len:0 flag: 1
Total ip fqdn range blocks: 0.
Total ip fqdn addresses: 0.

 


 

The PC is configured to use 8.8.8.8 as its DNS server, and because Chrome's 'Use Secure DNS' option is enabled by default, DNS traffic to 8.8.8.8 is encrypted via DoH. The FortiGate therefore only sees encrypted DNS traffic and cannot read the responses.

 


 

On the FortiGate ('FGT'), a wildcard FQDN address object (e.g., *.example.com) is used in the firewall policy. For this to work, the FortiGate must see the DNS response (A/AAAA records) so it can resolve the FQDN to IP addresses and store them in its DNS database. If the client browser has 'Use Secure DNS' enabled (DNS over HTTPS (DoH) or DNS over TLS (DoT)), DNS queries are encrypted when they pass through the FortiGate. As a result, the FortiGate never sees the DNS response, no domain-to-IP mapping is recorded, and the wildcard FQDN object may not function as intended. Therefore, the 'Use Secure DNS' option should be disabled on client browsers when policies depend on wildcard FQDN objects.

 

Solutions that can be implemented in this scenario:

  • To disable Use Secure DNS in the browser, refer to the article below.
    Disable DNS over HTTPS on enterprise browsers
  • To enforce the setting on client PCs, a GPO can be pushed to Active Directory-joined devices, Intune/Endpoint Manager can be used for cloud-managed PCs, and registry edits or script pushes can be applied on non-domain devices.
  • A private DNS server can be set up so that client queries arrive as plain DNS (UDP/53); DoH can be disabled on that private DNS server. To allow the FortiGate to inspect the DNS responses, the private DNS server's queries must be routed through the FortiGate.
  • The FortiGate can also be configured as a recursive DNS server to handle and resolve the queries directly.

 

Once the FortiGate was configured as a recursive DNS server and the FortiGate gateway IP was set as the DNS server on clients, the wildcard FQDN policy began functioning correctly.

 

erbium-kvm56 # diagnose firewall fqdn list-all | grep -A5 "hdfcbank"
fqdn_u 0x56454cc7fa1c *hdfcbank.com: type:(1) ID(929) count(2) generation(2) data_len:26 flag: 1
ip list: (1 ip in total)
ip: 104.17.6.56
ip list: (1 ip in total)
ip: 104.16.36.67
Total ip fqdn range blocks: 2.
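As an added illustration (not part of the original article or of FortiOS), the following Python script parses the two diagnose outputs above and flags any FQDN object that has no cached address, which is exactly the condition that makes a wildcard FQDN policy fall through to the 'all' policy. The sample outputs are constructed from the article's own output, with one hypothetical extra object (*example.com, ID 930) added so the check runs over more than one entry; the regexes assume the line layout shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed samples, not live captures: the two "diagnose firewall fqdn list-all"
# outputs quoted in the article (before and after clients were pointed at the
# FortiGate recursive DNS server), plus one hypothetical extra object
# (*example.com) so the report covers more than a single entry.
BEFORE_FIX = """\
fqdn_u 0x56454cc7ea3b *hdfcbank.com: type:(1) ID(929) count(0) generation(1) data_len:0 flag: 1
Total ip fqdn range blocks: 0.
Total ip fqdn addresses: 0.
"""

AFTER_FIX = """\
fqdn_u 0x56454cc7fa1c *hdfcbank.com: type:(1) ID(929) count(2) generation(2) data_len:26 flag: 1
ip list: (1 ip in total)
ip: 104.17.6.56
ip list: (1 ip in total)
ip: 104.16.36.67
fqdn_u 0x56454cc7fb00 *example.com: type:(1) ID(930) count(0) generation(1) data_len:0 flag: 1
Total ip fqdn range blocks: 2.
"""

# Header line of each FQDN object: name, object ID and number of address blocks.
HEADER_RE = re.compile(
    r"^fqdn_u\s+0x[0-9a-fA-F]+\s+(?P<name>\S+):\s+type:\((?P<type>\d+)\)\s+"
    r"ID\((?P<id>\d+)\)\s+count\((?P<count>\d+)\)"
)
# Resolved address lines that follow a header ("ip: 104.17.6.56").
IP_RE = re.compile(r"^ip:\s+(?P<ip>[0-9a-fA-F.:]+)\s*$")


@dataclass
class FqdnEntry:
    name: str
    obj_id: int
    count: int                                    # address blocks FortiOS reports
    ips: List[str] = field(default_factory=list)  # addresses actually cached


def parse_fqdn_list(output: str) -> Dict[str, FqdnEntry]:
    """Parse 'diagnose firewall fqdn list-all' output into a name -> entry map."""
    entries: Dict[str, FqdnEntry] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = FqdnEntry(m["name"], int(m["id"]), int(m["count"]))
            entries[current.name] = current
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            current.ips.append(m["ip"])
    return entries


def unresolved_objects(entries: Dict[str, FqdnEntry]) -> List[str]:
    """FQDN objects with no cached address. A policy that references one of these
    can never match, so the traffic falls through to a later, broader policy
    (the 'all' policy in the article)."""
    return sorted(name for name, e in entries.items() if not e.ips)


def report(output: str) -> str:
    """Human-readable summary of the FQDN cache state."""
    entries = parse_fqdn_list(output)
    lines = []
    for name, e in sorted(entries.items()):
        state = "OK" if e.ips else "UNRESOLVED (check that plain DNS passes the FortiGate)"
        lines.append(f"{name} (ID {e.obj_id}): {len(e.ips)} cached IP(s) {e.ips} -> {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- before fix ---")
    print(report(BEFORE_FIX))
    print("--- after fix ---")
    print(report(AFTER_FIX))
```

Paste the real output of `diagnose firewall fqdn list-all` into the script in place of the constructed samples: any object listed as UNRESOLVED is one whose policy cannot match, and after clients are pointed at a resolver whose plain DNS traffic passes the FortiGate, re-running the command should show cached IPs for it.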

 


 

Note:

To enable the FortiGate to handle DNS-over-HTTPS (DoH) traffic, Deep Packet Inspection (DPI) can be used to decrypt the DNS queries. Enabling DPI alone is not sufficient: the DPI (SSL inspection) certificate must also be installed on all client machines so that the inspected TLS sessions are trusted, allowing proper inspection and resolution of the DNS traffic.