Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Any luck with wildcard * from 6.2.2

I was hoping that 10 years later Fortinet eventually managed to pull off the logical URL access with wildcards

So was really excited about 6.2.2. Upgraded today (it did actually fixed constantly broken SSL connections), but the URL wildcard seems to not work


All I need is a bunch of URLs that I allow all users to access, big or small, authenticated or not. Just everybody that hits the firewall.

One being ie *

Simple rule from Lan to Internet, source any, destination this very FDQN address


Logged on workstation as local user (hence no SSO to kick in), expoected to be nicely presented with AB Tutor site

Instead all I got is Fortigate login page!


Anybody had any luck?



Valued Contributor


The wildcard is working for me. This is something to do with DNS resolving as per docummentation:

When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.


I have a FortiGate in mode that the FortiGate provides DNS for clients on its local interfaces.

Unfortunately this feature is not docummented as it should be. Should the FGT be the source DNS for the clients or the clients can access external DNS server directly and the FGT will update is FQDN table according to the DNS server response? How many IP addresses can be in the buffer (cached) for one wildcard FQDN?

Why Fortinet does not give all the information about the features? ... and not only about the features.

It is very hard to get some more detailed information about anything.


If you want to see something like FortiGate 6.2.2 admin guide or handbook you will not find it. Only cookbook for 6.2.0. Why the admin guide/handbook does not exists anymore?

Where is the 6.2.2 cookbook containing information about the wildcard policy object?


Check the last Handbook for 6.0.6 FortiOS version. Very nice Hadbook where you can find information about the firewall objects.

Nobody wants the handbook anymore?

I cannot see the 6.2.2 handbook if some exists on the


This is very sad :(



Valued Contributor

wildcard will never work on firewall policies for other then HTTP traffic (where it will work with a webfilter profile).


think about it


a regular layer 3 request doesn't care about a hostname. it requests an IP address. so there you already have a problem.


now for regular DNS entries (A record, CNAME ...) you can create the FQDN object, which looks up the DNS entry and saves that. so on the layer 3 it still is an IP address which is compared by the FortiGate.


this isnt a perfect solution either, specially when you have DNS entries which differ in regions or use internal DNS which your FortiGate can't reach.


but * isn't something you can lookup, the wildcard can be every word and possible go down levels i.e. a DNS server isn't going to give you all possible IP addresses when you request *.


so you are stuck here and this will never be possible. they might be able to do some tricks with looking at all DNS requests and actively add those, but that will only work if the fortigate sees the dns request.

New Contributor III

wildcards *.something.??? work fine

Ofcourse that is not magic, they are simply dynamic DNS entries


But for simple sites it does work OK


My original query was due to misconfiguartion !

Valued Contributor

i recently looked again at these new wildcard FQDNs in 6.2.2+ and they did change in a way they can sort of work.


the FortiGate just builds up it own knowledge when it sees certain hostnames. if there is a wildcard FQDN object it will combine the IP addresses it sees in one list.


still the FortiGate must be able to see these addresses to add them to the list. which means there might be a first ping lost or things wont work if you access based on IP address. it works beter then in the past, but it remains a trick. it is not like the FortiGate knows every IP address for a certain *.domain.ext. it knows a part when it has seen it.


New Contributor II

Can anyone detail of how this wildcard is actually working?

Does the Fortigate needs to receive the DNS query from the client, meaning Fortigate needs to act as DNS server for the clients using Firewall WILDCARD entry or is the Fortigate "downloading" the DNS zone from the domain mentioned in the wildcard.


I have read the related KB, but I am not getting it.




The most expensive and scarce resource for man is time, paradoxically, it' s infinite.

The most expensive and scarce resource for man is time, paradoxically, it' s infinite.
Valued Contributor

i tested this a little in the past. when you add for example * and then ping from the firewall it will be added to a DNS cache entry for *


so my expectation is that if you just have the firewall see DNS traffic, dont think the firewall has to be the DNS server, then it will add entries belong to the wildcard fqdn in its cache and allow those.


so it does have to see something first for it to work.

Top Kudoed Authors