FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description

Although FortiOS will allow you to include a wildcard (*) when defining a firewall address of type FQDN, it is not recommended that such firewall addresses be used in a firewall policy.
To understand why wildcards should not be used for this purpose, consider how FQDN address objects work on a FortiGate.
The FortiGate creates an IP address table for all configured FQDNs.
    config firewall address
        ....
        edit "cnn.com"
            set type fqdn
            set fqdn "cnn.com"
        next
        edit "www.cnn.com"
            set type fqdn
            set fqdn "www.cnn.com"
        next
        edit "*.cnn.com"
            set type fqdn
            set fqdn "*.cnn.com"
        next
    end
You can check this address table using the "diagnose firewall fqdn list" CLI command.
    (root) # diagnose firewall fqdn list
    List all FQDN:
    *.cnn.com: ID(4) REF(1)
    www.cnn.com: ID(63) REF(1)
    ADDR(184.108.40.206)
    ADDR(220.127.116.11)
    ADDR(18.104.22.168)
    ADDR(22.214.171.124)
    ADDR(126.96.36.199)
    ADDR(188.8.131.52)
    ADDR(184.108.40.206)
    cnn.com: ID(172) REF(1)
    ADDR(220.127.116.11)
    ADDR(18.104.22.168)
This table is populated by performing a DNS query for each FQDN address. Consider how DNS resolution works for the FQDN objects in this example.
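As an added example (not part of the original article or of FortiOS), the following Python parses the "diagnose firewall fqdn list" output shown above and flags FQDN objects that a policy references (REF > 0) but that resolved to no address, which is exactly the state of the "*.cnn.com" entry. The populate() helper mimics the one-lookup-per-object population described in the text; treating a wildcard name as unresolvable by a plain forward lookup is an assumption made here, consistent with the empty entry in the output.

```python
import re
from typing import Callable, Dict, List

# Constructed sample, trimmed from the diagnose output shown on this page.
SAMPLE_OUTPUT = """\
(root) # diagnose firewall fqdn list
List all FQDN:
*.cnn.com: ID(4) REF(1)
www.cnn.com: ID(63) REF(1)
ADDR(184.108.40.206)
ADDR(220.127.116.11)
cnn.com: ID(172) REF(1)
ADDR(220.127.116.11)
ADDR(18.104.22.168)
"""

HEADER = re.compile(r"^(?P<name>\S+): ID\((?P<id>\d+)\) REF\((?P<ref>\d+)\)$")
ADDR = re.compile(r"^ADDR\((?P<ip>[0-9.]+)\)$")


def parse_fqdn_list(text: str) -> Dict[str, dict]:
    """Turn 'diagnose firewall fqdn list' output into {fqdn: {id, ref, addrs}}."""
    table: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = m.group("name")
            table[current] = {"id": int(m.group("id")), "ref": int(m.group("ref")), "addrs": []}
            continue
        m = ADDR.match(line)
        if m and current is not None:  # ADDR lines belong to the preceding header
            table[current]["addrs"].append(m.group("ip"))
    return table


def unresolved_in_use(table: Dict[str, dict]) -> List[str]:
    """FQDN objects referenced by a policy that hold no IP, so the policy matches nothing."""
    return sorted(name for name, e in table.items() if e["ref"] > 0 and not e["addrs"])


def populate(fqdns: List[str], resolve: Callable[[str], List[str]]) -> Dict[str, List[str]]:
    """Mimic table population: one forward lookup per object via the injected resolver.
    Assumption: a wildcard such as '*.cnn.com' is not a hostname a forward lookup can
    answer, so it receives no addresses (matches the empty entry in the sample)."""
    return {f: ([] if f.startswith("*") else resolve(f)) for f in fqdns}
```

Feed it the live output of the diagnose command (or a saved copy) and any name returned by unresolved_in_use() is an address object whose policy currently has no effect.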