Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Domain Names in Policy

Does anyone know of a way to use a domain name instead of IP addresses in a policy ?
8 REPLIES
Not applicable

That's a feature of the 3.0 firmware. You'll have to wait a bit. Cheers, Eric
Delta
New Contributor

Doesn't work tho, unless you only use external DNS servers. So if you run your own DNS servers internally, which most of us do, the answer is no. Not even with v3.0.
Thought for the day: Advertising (n): the science of arresting the human intelligence for long enough to get money from it. -- Stephen Leacock.
Erich_Heintz

>> Doesn't work tho, unless you only use external DNS servers.

Any technical explanation for this, because I can't think of any logical reason that would be the case?
Delta

Not much of an explanation as to why, but all I got from Fortinet Support:

· All DNS requests and responses between clients and DNS servers MUST go through the FortiGate firewall.
· The FortiGate firewall is fully operational when the first DNS traffic passes through. Moreover, after a reboot of a FortiGate firewall, all clients must resend their DNS queries. If they do not, the firewall policies with FQDNs will not take effect by interesting traffic.
· FQDN resolution relies on external, possibly untrustable DNS servers to provide FQDN to IP mappings.

If the DNS request/reply doesn't go through the FortiGate, FortiGate does not have a record of the source or destination IP. The FQDN firewall policy is supported as the topology below:

POS-----internal (FGT)wan1--------DNS Server--------host on the Internet

It is per design so the FortiGate firewall maintains a record of all addresses the FQDN resolves to. Just FYI, please refer to release notes section 3.5.2 for FQDN firewall policy design requirement when FortiOS 3.0 is released. Thank you, Fortinet Tech Support

My response to them at the time:

This is just plain silly if it can't resolve using INTERNAL DNS servers. Forcing the use of an external server only is totally insecure. We certainly aren't going to move our server external! You really need to rethink your design. If it cannot resolve then it is of no value whatsoever! There is no reason it should only resolve over WAN1. It shouldn't be that difficult a task to code it to resolve over the LAN port instead.

Packet from Lan1 ----> Fortigate generates DNS queries to DNS server on Lan1 - (host/destination) ---- Traffic returns with DNS responses ---> Fortigate checks response against policy list ---- allow or deny --- Log traffic (incl. DNS info) and get next traffic.
Thought for the day: Advertising (n): the science of arresting the human intelligence for long enough to get money from it. -- Stephen Leacock.
Erich_Heintz

Interesting. Delta, have you actually worked with this and found this to be the behavior firsthand? Even with their explanation (which isn't entirely clear, imho) it doesn't seem to make sense that this can't work with internal DNS servers in many cases. With the exception of internal domains (which will always be resolved internally), requests for external domains are going to end up passing through the FG anyway, as they are forwarded from the internal DNS server to external ones for upstream resolution. Unless the FG tracks the requesting client's address in its state table alongside the resolved address rather than just maintaining a DNS cache (which would seem to be a waste of memory and resources).
Delta

Yep. I've had v3.0 to beta test for a month now, and this is one of the first things I put in a bug fix request for, only to find out that they don't really think it's a "bug", but have actually designed it incorrectly. One other negative side effect of this is that in addition to not being able to resolve external addresses for policy rules, it's also not capable of resolving internal workstation addresses, so rules like allow LAN "userpc.domain.com" WAN "update.nai.com" any any won't work, which means if you use DHCP (which most of us do, as maintaining static address tables for hundreds of users is too cumbersome) you can't create granular rules. To me, this kind of defeats the purpose of having the feature in the first place.
Thought for the day: Advertising (n): the science of arresting the human intelligence for long enough to get money from it. -- Stephen Leacock.
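The support reply Delta quoted above, and Delta's follow-up about DHCP workstation names, both come down to one mechanism: the firewall learns FQDN-to-IP mappings only from DNS replies that physically cross it, and a policy referencing an FQDN can match nothing until such a reply has been seen. The toy model below, an added example that is not FortiOS code or anything from this thread's posters, shows that mechanism on the destination side: a reply from a DNS server on another interface populates the mapping and the policy accepts; a reply from a server on the client's own segment never reaches the firewall, so the same packet is denied; an expired mapping that the client has not refreshed is denied again; and the "firewall resolves the name itself" alternative Delta proposed fills the gap. Interface names, addresses, TTLs and the stand-in resolver table are all constructed for the demonstration.

```python
"""Toy model of an FQDN firewall policy that learns name-to-IP mappings by
snooping DNS replies. Added example; not FortiOS code. Interface names,
addresses and the DNS data below are constructed for the demonstration."""
from dataclasses import dataclass, field


@dataclass
class DnsAnswer:
    name: str
    ip: str
    ttl: int  # seconds the mapping may be cached


@dataclass
class Policy:
    src_iface: str
    dst_fqdn: str
    action: str = "accept"


@dataclass
class SnoopingFirewall:
    policies: list
    cache: dict = field(default_factory=dict)  # fqdn -> {ip: expiry_time}

    def on_path(self, a_iface: str, b_iface: str) -> bool:
        """The firewall can only inspect traffic that crosses between two of
        its interfaces; hosts on one segment talk to each other directly."""
        return a_iface != b_iface

    def dns_reply(self, client_iface: str, server_iface: str, answers, now: float) -> bool:
        """Deliver a DNS reply from server to client; snoop it only if it transits."""
        if not self.on_path(client_iface, server_iface):
            return False  # reply never reached the firewall: nothing learned
        for ans in answers:
            self.cache.setdefault(ans.name, {})[ans.ip] = now + ans.ttl
        return True

    def resolved_ips(self, fqdn: str, now: float) -> set:
        """Current, unexpired addresses learned for fqdn."""
        return {ip for ip, exp in self.cache.get(fqdn, {}).items() if exp > now}

    def evaluate(self, src_iface: str, dst_ip: str, now: float) -> str:
        """First matching policy wins; implicit deny at the end."""
        for p in self.policies:
            if p.src_iface == src_iface and dst_ip in self.resolved_ips(p.dst_fqdn, now):
                return p.action
        return "deny"

    def resolve_actively(self, fqdn: str, resolver: dict, now: float) -> None:
        """Alternative design raised in the thread: the firewall queries a
        resolver itself instead of waiting to see client traffic. `resolver`
        is a constructed stand-in for an internal DNS server (hypothetical)."""
        for ip, ttl in resolver.get(fqdn, []):
            self.cache.setdefault(fqdn, {})[ip] = now + ttl


def run_scenarios() -> dict:
    """Return the evaluate() result for each situation discussed in the thread."""
    fw = SnoopingFirewall(policies=[Policy("internal", "update.example.com")])
    answers = [DnsAnswer("update.example.com", "203.0.113.10", ttl=300)]
    results = {}

    # 1. Client on 'internal', DNS server on 'wan1': reply transits, mapping learned.
    fw.dns_reply("internal", "wan1", answers, now=0)
    results["external_dns"] = fw.evaluate("internal", "203.0.113.10", now=1)

    # 2. Same name, but the TTL has lapsed and the client has not re-queried
    #    (the "after a reboot clients must resend their queries" situation).
    results["after_expiry"] = fw.evaluate("internal", "203.0.113.10", now=400)

    # 3. DNS server on the same segment as the client: the reply never crosses
    #    the firewall, so the FQDN policy has no address to match against.
    fw2 = SnoopingFirewall(policies=[Policy("internal", "update.example.com")])
    fw2.dns_reply("internal", "internal", answers, now=0)
    results["internal_dns"] = fw2.evaluate("internal", "203.0.113.10", now=1)

    # 4. Firewall resolves the name itself against the internal server instead.
    internal_resolver = {"update.example.com": [("203.0.113.10", 300)]}
    fw2.resolve_actively("update.example.com", internal_resolver, now=1)
    results["active_resolve"] = fw2.evaluate("internal", "203.0.113.10", now=2)
    return results


if __name__ == "__main__":
    for case, action in run_scenarios().items():
        print(f"{case:16s} -> {action}")
```

Only the destination name is modelled; a source-side FQDN such as the "userpc.domain.com" in Delta's rule would end up in the same empty-mapping state whenever the workstation's A record is answered by a server on the workstation's own segment. The expiry case is also why a mapping-only design depends on clients re-querying: the firewall has no event of its own that refreshes the cache.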
Not applicable

You should consider running a DNS server on the DMZ. Have not tried myself in the lab, but it should work. Need to open the v300 release notes for that; there it is written in which circumstances FQDN will run. Arvydas
UkWizard
New Contributor

Surely you can just set the Fortinet's DNS servers to your internal ones? I cannot believe that it would not use the ones set on the unit? That doesn't make sense, then again, I won't put anything past them..
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.