JonasV
New Contributor III

Allowing public FQDN address (from WAN) to internal resources

Hi
We often use FQDN address objects to allow traffic from the LAN side to external resources.
But how about an external resource as an FQDN (multiple dynamic public addresses covered, as it is a cloud service)?
Does it work if we create a policy with a VIP as destination, where the source is an FQDN object?

I can't find any official documentation for this a first draft

Kind regards
3 REPLIES
bmiranda
Staff

Yes this is possible.

The only thing you need to be careful with is that the FortiGate needs to be able to correctly resolve the FQDN. This is done through the DNS configuration in the settings.

gfleming
Staff

You might want to consider leveraging the ISDB if your cloud service is listed there. This will ensure all IP addresses and FQDNs associated with the service are captured.

Using FQDN resolution alone can sometimes not catch all IP addresses associated with the service, especially if they are doing a lot of round-robin type stuff. Sometimes they can have many IPs listed, but DNS resolvers may only resolve a few of them at a time.

Cheers,
Graham
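As an added example (not from this thread, and not Fortinet's own documentation), this is what the setup asked about in the question and discussed in the two replies above would look like in FortiOS CLI: a resolver for the FortiGate, an FQDN source object, a VIP destination, the WAN-to-LAN policy, a check of what the FQDN currently resolves to, and the ISDB-based variant Graham suggests. Interface names, the FQDN, the ISDB entry name and all IP addresses are placeholders.

```fortios
# Assumption: interface names, the FQDN and all IP addresses below are placeholders
# (documentation ranges); adjust to the real environment.

# 1. The FortiGate resolves the FQDN itself, so it needs a reachable resolver.
config system dns
    set primary 192.0.2.53        # placeholder resolver reachable from the FortiGate
    set secondary 192.0.2.54      # placeholder
end

# 2. Source object: the cloud service's public name, resolved dynamically.
config firewall address
    edit "cloud-svc-fqdn"
        set type fqdn
        set fqdn "svc.example.com"   # placeholder name of the external service
    next
end

# 3. Destination: a VIP mapping the public address to the internal server.
config firewall vip
    edit "web-vip"
        set extintf "wan1"            # placeholder WAN interface
        set extip 203.0.113.10        # placeholder public address
        set mappedip "10.0.10.20"     # placeholder internal server
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

# 4. WAN-to-LAN policy: source = FQDN object, destination = VIP.
config firewall policy
    edit 0
        set name "cloud-svc-to-web"
        set srcintf "wan1"
        set dstintf "internal"        # placeholder LAN interface
        set srcaddr "cloud-svc-fqdn"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all            # log every session so unexpected sources show up
    next
end

# 5. Show the addresses the FortiGate currently holds for the FQDN object. Only
#    these are matched by the policy, which is the round-robin gap described above.
diagnose firewall fqdn list

# Alternative when the service is in the ISDB: use an Internet Service as the
# source instead of srcaddr, so every address published for the service matches.
config firewall policy
    edit 0
        set name "cloud-isdb-to-web"
        set srcintf "wan1"
        set dstintf "internal"
        set internet-service-src enable
        set internet-service-src-name "<ISDB-entry-name>"   # placeholder
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Re-running `diagnose firewall fqdn list` over time, and comparing it with the sources seen in the traffic log for the policy, is a cheap way to tell whether the resolver is handing back only a subset of the service's addresses.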
JonasV
New Contributor III

You are right.
However, in this case the source cloud resource is a custom-built network service. It's only that specific web resource that should be allowed access, and not the entire public cloud platform.
That's why I'd have to go with the FQDN address object as source.

And it's exactly the issue you are describing that I'm worried about.

Kind regards