Solution
Support for wildcard FQDN addresses in firewall policy has been added in FortiOS 6.2.2. Unlike standard FQDNs, the wildcard FQDN is updated when a DNS query (response) traverses the FortiGate.
If the name in the DNS response matches the wildcard FQDN, the IP address is added to the cache for that object on the FortiGate.
If VDOMs are in use, the DNS response must traverse the specific VDOM in which the wildcard FQDN is configured.
If the address objects are not being populated, check the following:
- Confirm that the DNS queries and responses traverse the FortiGate (the specific VDOM, if VDOMs are in use).
- If DNS uses UDP on port 53, ensure that the DNS session helper is used.
This can be checked in the debug flow:
id=65308 trace_id=1 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=17, 10.254.3.215:49853->8.8.8.8:53) tun_id=0.0.0.0 from lan. "
id=65308 trace_id=1 func=init_ip_session_common line=5980 msg="allocate a new session-00004105, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.0.2.1 via wan1"
id=65308 trace_id=1 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=1 func=get_new_addr line=1235 msg="find SNAT: IP-192.0.2.177(from IPPOOL), port-49853"
id=65308 trace_id=1 func=fw_forward_handler line=994 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3393 msg="SNAT 10.254.3.215->192.0.2.177:49853"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3445 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=2 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=17, 8.8.8.8:53->192.0.2.177:49853) tun_id=0.0.0.0 from wan1. "
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5885 msg="Find an existing session, id-00004105, reply direction"
id=65308 trace_id=2 func=__ip_session_run_tuple line=3407 msg="DNAT 192.0.2.177:49853->10.254.3.215:49853"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-10.254.3.215 via lan"
id=65308 trace_id=2 func=npu_handle_session44 line=1201 msg="Trying to offloading session from wan1 to lan, skb.npu_flag=00000000 ses.state=00010200 ses.npu_state=0x04000000"
id=65308 trace_id=2 func=fw_forward_dirty_handler line=436 msg="state=00010200, state2=00000000, npu_state=04000000"
id=65308 trace_id=2 func=__ip_session_run_tuple line=3445 msg="run helper-dns-udp(dir=reply)"
Or in the session list (note the helper=dns-udp field):
session info: proto=17 proto_state=01 duration=8 expire=171 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=60/1/1 reply=76/1/1 tuples=2
tx speed(Bps/kbps): 6/0 rx speed(Bps/kbps): 8/0
orgin->sink: org pre->post, reply pre->post dev=34->7/7->34 gwy=192.0.2.1/10.254.3.215
hook=post dir=org act=snat 10.254.3.215:49853->8.8.8.8:53(192.0.2.177:49853)
hook=pre dir=reply act=dnat 8.8.8.8:53->192.0.2.177:49853(10.254.3.215:49853)
misc=0 policy_id=1 pol_uuid_idx=550 auth_info=0 chk_client_info=0 vd=0
serial=00004105 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04
- If DNS uses DoH/DoT, ensure that full inspection is used so that the FortiGate can decrypt the traffic.
- Another mandatory condition is that destination hostname visibility is enabled (this is the default, per-VDOM setting):
config system network-visibility
    set destination-hostname-visibility enable
end
Important facts to keep in mind:
- The FortiGate updates the wildcard FQDN when a DNS query (response) traverses it, caches the entry, and removes it once the expiration time for that entry, defined by the cache timeout/TTL, is reached:
config firewall address
    edit "*.fqdn"
        set cache-ttl 86400    <- maximum value
    next
end
- Each browser on the endpoint has its own DNS cache, which usually holds an entry for 60 seconds.
- What can happen is that the cached entry on the FortiGate expires while the entry in the browser does not.
- This can lead to traffic being dropped for almost a minute, until the endpoint sends a new DNS request and the FortiGate updates its wildcard FQDN entry.
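The learn-from-DNS-response and cache-expiry behaviour described above, as an added simulation that is not FortiOS code. It assumes that "*.example.com" matches any host with at least one label in front of ".example.com", that a cached IP is valid exactly for its TTL, and that every browser re-resolution traverses the FortiGate; the short TTL values are constructed to make the gap visible.

```python
# Added example (not FortiOS code): models how a wildcard FQDN object is
# learned from DNS responses that pass through the FortiGate, and how its
# cache expiry versus the endpoint's browser cache produces the traffic gap.
from dataclasses import dataclass, field


@dataclass
class WildcardFqdn:
    pattern: str                                 # address object, e.g. "*.example.com"
    cache: dict = field(default_factory=dict)    # resolved IP -> expiry time (seconds)

    def matches(self, name: str) -> bool:
        # Assumption: "*.example.com" matches any name with at least one extra
        # label in front of ".example.com", but not the bare apex.
        suffix = self.pattern.lstrip("*").lower()
        name = name.rstrip(".").lower()
        return name.endswith(suffix) and len(name) > len(suffix)

    def observe_dns_response(self, name: str, ips, ttl: int, now: int) -> bool:
        """Learn IPs from a DNS response that traversed the FortiGate."""
        if not self.matches(name):
            return False
        for ip in ips:
            self.cache[ip] = now + ttl            # entry lives for the cache TTL
        return True

    def allows(self, ip: str, now: int) -> bool:
        """Policy match: the IP is allowed only while its cached entry is unexpired."""
        self.cache = {i: exp for i, exp in self.cache.items() if exp > now}
        return ip in self.cache


def blocked_seconds(fgt_ttl: int, browser_ttl: int, horizon: int,
                    name="www.example.com", ip="203.0.113.10"):
    """Constructed scenario: the browser re-resolves every browser_ttl seconds
    (each query traverses the FortiGate); the FortiGate entry lives fgt_ttl
    seconds. Returns the seconds at which traffic to ip would be dropped."""
    obj = WildcardFqdn("*.example.com")
    blocked = []
    for t in range(horizon):
        if t % browser_ttl == 0:                  # browser cache expired: new DNS query
            obj.observe_dns_response(name, [ip], fgt_ttl, t)
        if not obj.allows(ip, t):                 # browser still uses ip, FortiGate forgot it
            blocked.append(t)
    return blocked


if __name__ == "__main__":
    gap = blocked_seconds(fgt_ttl=30, browser_ttl=60, horizon=120)
    print(f"dropped for {len(gap)} of 120 s; first gap starts at t={gap[0]}s")
```

With a FortiGate-side TTL shorter than the browser's 60-second cache, the endpoint keeps sending to an IP the FortiGate no longer associates with the object until the browser re-queries.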