I was hoping that 10 years later Fortinet eventually managed to pull off the logical URL access with wildcards
So was really excited about 6.2.2. Upgraded today (it did actually fixed constantly broken SSL connections), but the URL wildcard seems to not work
All I need is a bunch of URLs that I allow all users to access, big or small, authenticated or not. Just everybody that hits the firewall.
One being ie *.abtutor.com
Simple rule from Lan to Internet, source any, destination this very FDQN address
Logged on workstation as local user (hence no SSO to kick in), expoected to be nicely presented with AB Tutor site
Instead all I got is Fortigate login page!
Anybody had any luck?
Seb
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
The wildcard is working for me. This is something to do with DNS resolving as per docummentation:
When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.
I have a FortiGate in mode that the FortiGate provides DNS for clients on its local interfaces.
Unfortunately this feature is not docummented as it should be. Should the FGT be the source DNS for the clients or the clients can access external DNS server directly and the FGT will update is FQDN table according to the DNS server response? How many IP addresses can be in the buffer (cached) for one wildcard FQDN?
Why Fortinet does not give all the information about the features? ... and not only about the features.
It is very hard to get some more detailed information about anything.
If you want to see something like FortiGate 6.2.2 admin guide or handbook you will not find it. Only cookbook for 6.2.0. Why the admin guide/handbook does not exists anymore?
Where is the 6.2.2 cookbook containing information about the wildcard policy object?
Check the last Handbook for 6.0.6 FortiOS version. Very nice Hadbook where you can find information about the firewall objects.
Nobody wants the handbook anymore?
I cannot see the 6.2.2 handbook if some exists on the docs.fortinet.com.
This is very sad :(
AtiT
wildcard will never work on firewall policies for other then HTTP traffic (where it will work with a webfilter profile).
think about it
a regular layer 3 request doesn't care about a hostname. it requests an IP address. so there you already have a problem.
now for regular DNS entries (A record, CNAME ...) you can create the FQDN object, which looks up the DNS entry and saves that. so on the layer 3 it still is an IP address which is compared by the FortiGate.
this isnt a perfect solution either, specially when you have DNS entries which differ in regions or use internal DNS which your FortiGate can't reach.
but *.something.org isn't something you can lookup, the wildcard can be every word and possible go down levels i.e. host.domain.domain.something.org. a DNS server isn't going to give you all possible IP addresses when you request *.
so you are stuck here and this will never be possible. they might be able to do some tricks with looking at all DNS requests and actively add those, but that will only work if the fortigate sees the dns request.
wildcards *.something.??? work fine
Ofcourse that is not magic, they are simply dynamic DNS entries
But for simple sites it does work OK
My original query was due to misconfiguartion !
i recently looked again at these new wildcard FQDNs in 6.2.2+ and they did change in a way they can sort of work.
the FortiGate just builds up it own knowledge when it sees certain hostnames. if there is a wildcard FQDN object it will combine the IP addresses it sees in one list.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD46573
still the FortiGate must be able to see these addresses to add them to the list. which means there might be a first ping lost or things wont work if you access based on IP address. it works beter then in the past, but it remains a trick. it is not like the FortiGate knows every IP address for a certain *.domain.ext. it knows a part when it has seen it.
Can anyone detail of how this wildcard is actually working?
Does the Fortigate needs to receive the DNS query from the client, meaning Fortigate needs to act as DNS server for the clients using Firewall WILDCARD entry or is the Fortigate "downloading" the DNS zone from the domain mentioned in the wildcard.
I have read the related KB, but I am not getting it.
Thanks,
Florin.
The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
i tested this a little in the past. when you add for example *.test.com and then ping name.test.com from the firewall it will be added to a DNS cache entry for *.test.com.
so my expectation is that if you just have the firewall see DNS traffic, dont think the firewall has to be the DNS server, then it will add entries belong to the wildcard fqdn in its cache and allow those.
so it does have to see something first for it to work.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.