Using FortiOS 6.0.9. Need to run backups to a cloud server destination (*.domain.com). Was going to add an IPv4 policy with this address as the destination to exempt this traffic from normal antivirus, web filtering, DNS, etc. evaluation. I see that there is a Wildcard FQDN Address list. I created the address in this section but I can not list this address as the destination in the policy. I see that Wildcard FQDN Addresses are to be used in SSL exemptions and should not be used as source or destination addresses in policies. I can't be the first person to have this as a requirement. Is there a good workaround?
I think I noticed tat newer firmware versions have this ability but I was trying to wait until the 6.2 and 6.4 versions became more mature but before upgrading.
Yes, that's the "right" way. When I opened a TAC case about this a couple years ago it was explained to me that this was simply impossible, which made sense to me, so I'm extremely curious (and somewhat dubious) about how they're accomplishing this post 6.2 (I did test on my 6.4.2 env and it seems to work).
The point being made to me when TAC said it was impossible was, how can I, a humble user/network possibly find all subdomains of a domain? I can't query for every word/non-word in the English language and most domains don't allow a zone transfer, soo...how could it even be done?
The "address" is the layer 3/IP address part of the packet, so any domain has to be translated to the IP to determine if it should match, so you have to know what to look up. That's totally different than when you're using a wildcard to inspect the SSL or HTTP headers for a web filter, which is why wildcard FQDNs could be used in that context. So I am sitting here, still confused...if anyone can explain that would be great.
Your correct that would not be feasible and at worst you would tack the firewall in trying to multiple populate A records in the local dns-cache, eating memory and cpu.
next, if you tried to be creative and place a wildcard that will net you nothing; since the firewall would think you are looking for a A record with the name asterisk in it
set uuid 7dd39438-0fc2-51eb-94dd-2343bd0f9186
set type fqdn
set fqdn "*.hp.com"
The local-dns cache can be reviewed via cli-cmd "diag firewall fqdn list" fwiw and to validate fqdn resolution. If you really need to use a wildcard, you would need to build a fqdn list or something and apply that into the rule.
So if a trusted vendor asks us to whitelist *.domain.com and does not provide the non-wildcard FQDN addresses, and the firewall FortiOS does not support wildcard FQDN names in IPv4 policies, is there a workaround?
It depends on what you take "whitelist" to mean. I take it to mean "don't block me in your web filters or spam filters" and that's easy enough to do. I would assume you have a general rule allowing at least HTTP/HTTPS traffic to all addresses, and maybe a web filter profile attached to that. Whitelist them in that web filter, but it's not like you'd be crafting a special policy to allow XYZ ports to any and all hosts on some domain (or vice versa).
Any application that requires special ports open should be able to provide a list of IPs or FQDNs that the application reaches out to. If not, well....you have to open it to all hosts or monitor the traffic and figure out what it's doing for them -- because that is the network guy's job...to know how everything else works *sigh*
Also if the sites are to be whitelist the vendor probably can provide a list of the domains hostnames. I'm working with a hosting provider that provide us the syntax of the hosted webserver even thought 50% of them are not up. So we have a FQDN list
And I built a fqdn address objects that we push to the fortigate for all 1000 seq# 000-999, so if they add any server with that name, it's allowed and I do not have to go back and touch the policy.
FWIW I do not know of one firewall vendor that allows a wildcard dns-name ( FTNT JNPR CHKP PANW etc....) They use address-list, or webfilter rules for example.