bhpark
New Contributor

Blocking method when using FQDN filtering.

Hi,

Does anyone know how FortiGate performs the blocking when it is configured with FQDN filtering?

For example, the VMware NSX-T firewall works by blocking the destination IP through DNS snooping.

Even when I look through the related documents, I can't find an explanation of how the blocking is done, so I'm asking for help here.

Thanks,

emnoc
Esteemed Contributor III

I'm not quite understanding the solution that you have, but you have the following that is going to use DNS:

the firewall IPv4 and IPv6 address objects that can be enabled as type FQDN, and DNS filtering.

With the former, the FortiGate looks up the object, caches the address that is matched to the FQDN resource (type A), and if traffic matches that IP address it is permitted or denied based on the rule in your FortiGate.

e.g.

config firewall policy
    edit 10
        set uuid 25bb47b4-17d7-51ec-af61-6b8089529356
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "www.example.com"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

SOCPUPFGT02 # diag firewall fqdn list | grep www.ex
www.example.com: ID(49) ADDR(93.184.216.34)

So in this case you need a working DNS server in order to resolve A and AAAA records to their respective IPv4 and IPv6 addresses. Also, when you have multiple IP addresses for a single A record, it will resolve all of the IPv4s.

e.g.

SOCPUPFGT02 # diag firewall fqdn list | grep login.windows.net
login.windows.net: ID(140) ADDR(40.126.28.12) ADDR(40.126.28.18) ADDR(40.126.28.19) ADDR(40.126.28.20) ADDR(40.126.28.21) ADDR(40.126.28.22) ADDR(40.126.7.32) ADDR(40.126.7.35)

supports-MacBook-Pro:Downloads ken$ host -t a login.windows.net
login.windows.net is an alias for a.privatelink.msidentity.com.
a.privatelink.msidentity.com is an alias for prda.aadg.msidentity.com.
prda.aadg.msidentity.com is an alias for www.tm.a.prd.aadg.akadns.net.
www.tm.a.prd.aadg.akadns.net has address 40.126.28.18
www.tm.a.prd.aadg.akadns.net has address 40.126.28.12
www.tm.a.prd.aadg.akadns.net has address 40.126.28.20
www.tm.a.prd.aadg.akadns.net has address 40.126.28.22
www.tm.a.prd.aadg.akadns.net has address 40.126.7.35
www.tm.a.prd.aadg.akadns.net has address 40.126.7.32
www.tm.a.prd.aadg.akadns.net has address 40.126.28.19
www.tm.a.prd.aadg.akadns.net has address 40.126.28.21

On DNS filter, read the following:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/605868/dns-filter

BTW, all modern firewalls work the same as the above.

Ken Felix
PCNSE
NSE
StrongSwan
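To make the mechanism in the reply concrete, here is an added simulation (not FortiGate code, and not part of the thread) of what an FQDN address object does: it follows the CNAME chain to the A records, caches every address returned, and a policy referencing the object matches a packet only when its destination IP is in that cache. The fake DNS table is built from the `host -t a login.windows.net` output above plus `www.example.com`; the 300-second TTL, policy rule 11, the object IDs and the address `40.126.99.99` are constructed for the example. It also shows the two cases a practitioner should expect: a destination IP that DNS never returned to the firewall falls through to the implicit deny, and a stale cache matches nothing until the next refresh.

```python
"""Simulation of FQDN address-object resolution, caching and policy matching.

Added example, not FortiGate code. Models the behaviour described in the
reply: resolve the object's FQDN (through CNAMEs to the A records), cache
every address, and match policy by destination IP against that cache.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed offline stand-in for the DNS server the firewall would query;
# the CNAME chain and A records mirror the `host` output in the thread.
FAKE_DNS: Dict[str, Tuple[str, List[str]]] = {
    "login.windows.net": ("CNAME", ["a.privatelink.msidentity.com"]),
    "a.privatelink.msidentity.com": ("CNAME", ["prda.aadg.msidentity.com"]),
    "prda.aadg.msidentity.com": ("CNAME", ["www.tm.a.prd.aadg.akadns.net"]),
    "www.tm.a.prd.aadg.akadns.net": ("A", [
        "40.126.28.18", "40.126.28.12", "40.126.28.20", "40.126.28.22",
        "40.126.7.35", "40.126.7.32", "40.126.28.19", "40.126.28.21",
    ]),
    "www.example.com": ("A", ["93.184.216.34"]),
}
DNS_TTL = 300  # seconds before a cached answer counts as stale (constructed value)


def resolve_a(name: str, max_hops: int = 8) -> Set[str]:
    """Follow CNAMEs to the A records; return an empty set if unresolvable."""
    for _ in range(max_hops):
        rtype, rdata = FAKE_DNS.get(name, ("NXDOMAIN", []))
        if rtype == "A":
            return set(rdata)
        if rtype != "CNAME":
            return set()
        name = rdata[0]
    return set()  # CNAME loop or chain longer than max_hops


class FqdnAddressCache:
    """Per-object cache of resolved addresses (cf. `diag firewall fqdn list`)."""

    def __init__(self) -> None:
        # fqdn -> (object id, resolved IPs, expiry time); ids are the sim's own
        self._entries: Dict[str, Tuple[int, Set[str], int]] = {}
        self._next_id = 1

    def refresh(self, fqdn: str, now: int) -> Set[str]:
        """Re-resolve the object; every A record returned goes into the cache."""
        if fqdn in self._entries:
            obj_id = self._entries[fqdn][0]
        else:
            obj_id, self._next_id = self._next_id, self._next_id + 1
        ips = resolve_a(fqdn)
        self._entries[fqdn] = (obj_id, ips, now + DNS_TTL)
        return ips

    def addresses(self, fqdn: str, now: int) -> Set[str]:
        """IPs the object currently matches; none if unresolved or stale."""
        entry = self._entries.get(fqdn)
        if entry is None or now >= entry[2]:
            return set()
        return entry[1]

    def list_line(self, fqdn: str) -> str:
        """Render an entry in the `diag firewall fqdn list` style from the thread."""
        obj_id, ips, _ = self._entries[fqdn]
        return f"{fqdn}: ID({obj_id})" + "".join(f" ADDR({ip})" for ip in sorted(ips))


# (rule id, dstaddr object, action). Rule 10 is from the thread; rule 11 is constructed.
POLICY: List[Tuple[int, str, str]] = [
    (10, "www.example.com", "accept"),
    (11, "login.windows.net", "deny"),
]


def evaluate_policy(cache: FqdnAddressCache, dst_ip: str, now: int) -> Tuple[Optional[int], str]:
    """First-match lookup by destination IP; unmatched traffic hits the implicit deny."""
    for rule_id, dstaddr, action in POLICY:
        if dst_ip in cache.addresses(dstaddr, now):
            return rule_id, action
    return None, "deny"


def demo() -> Dict[str, Tuple[Optional[int], str]]:
    """Resolve both objects at t=0 and evaluate a few destination IPs."""
    cache = FqdnAddressCache()
    for _, dstaddr, _ in POLICY:
        cache.refresh(dstaddr, now=0)
    return {
        "example.com at t=10": evaluate_policy(cache, "93.184.216.34", 10),
        "login.windows.net at t=10": evaluate_policy(cache, "40.126.28.12", 10),
        # Constructed address that DNS never returned to the firewall: no FQDN
        # object contains it, so the packet falls through to the implicit deny.
        "unresolved IP at t=10": evaluate_policy(cache, "40.126.99.99", 10),
        # Past the TTL the cache is stale; nothing matches until the next refresh.
        "example.com after TTL": evaluate_policy(cache, "93.184.216.34", DNS_TTL + 1),
    }


if __name__ == "__main__":
    c = FqdnAddressCache()
    c.refresh("login.windows.net", now=0)
    print(c.list_line("login.windows.net"))
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The `list_line` output sorts addresses as strings, which reproduces the order in the thread's `diag firewall fqdn list` line. The practical point of the last two cases is that an FQDN object is only as good as the answers the firewall itself received: if a client resolves the same name to an address the firewall has not cached (round-robin, geo-DNS, or a different resolver), that flow is evaluated against the remaining rules and, in this simulation, the implicit deny.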