- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FQDN Objects & IPv4 Policy
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FQDN Objects & IPv4 Policy
I'm setting up a 100D that will replace our aging firewall, and I'm trying to use the IPv4 policy to allow traffic to FQDNs, specifically LogMeIn.
I'm using the address object below:
[ul]IPv4 Policy below:
[ul]
My issue is that traffic isn't hitting his policy. LogMeIn remains blocked until I change the destination to 'all'. In the forward traffic log I can see the below items being denied:
216.52.x.x (control.app0x-x.logmein.com) - HTTPS - deny
To me this should fall within the above policy. I'm at the stage where I'v stripped all other policy rules just to focus on LogMeIn, to see where I'm going wrong.
I'm thinking it may be due to the way the DNS is resolving. I've also got a number of other LogMeIn FQDN objects that LMI uses (logme.in, etc), but I'm focusing on logmein.com as the above settings should be allowing it. I do not have any UTM features such as Application or Web filtering enabled at this time. There is only 1 host on the lan interface, and it's getting IP/DNS settings from the firewall.
Firmware v5.2.2,build642 (GA).
Any suggestions would be very much appreciated.
- « Previous
- Next »
26 REPLIES 26
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah wildcard FQDN on 5.4.1 is no bueno so far. Major bummer too.
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MikePruett wrote:Yeah wildcard FQDN on 5.4.1 is no bueno so far. Major bummer too.
Not being able to use them in policies is a hinderance. I created an address group that contains both FQDN and Wildcard FQDN entries and even it is not visible for use by a firewall policy.
I've discovered that Wildcard FQDN is available for SSL Inspection profiles. Haven't had a chance yet to test on other security profile types.
A quick search of the docs doesn't reveal any restrictions on the use of Wildcard FQDN, but the same instruction on creating a Wildcard FQDN is available in both the Firewall Handbook for FortiOS 5.4.1 and FortiOS Handbook for FortiOS 5.4.1. You'd think that if it was in the Firewall Handbook for FortiOS 5.4.1, that it would be available for use in the firewall.
I'm asking support and other resources for information on when we can expect the use of Wildcard FQDN to be available in policies.
Norris Carden
Fortinet XTreme Team USA (2015, 2016)
CISSP (2005), CISA (2007), NSE4 (2016)
Norris Carden
Fortinet XTreme Team USA (2015, 2016)
CISSP (2005), CISA (2007), NSE4 (2016)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any news of this ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is absolutely tragic!
How in 2018 I can not use wildcard FDQN in exceptions is beyond me!
I need to DNS whitelist *.msappproxy.net for use with Azure Active Directory Seamless Single Sign-On
I really do not need hundreds of lines of IP address ranges (it is difficult to maintain and even creat in first place, as there is not batch faility)
Shame on you Fortinet with your lazy coders!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Someone knows if it's possible use wilcard FQDN in policies with FortiOS 5.6?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do like this
It works fine, I use it all the time when I need to exempt some domain (for whatever reason)
edit:
It does NOT work. Such policy allows EVERYTHING OUT. The above blog is plain wrong or the guy tested on some version of FortiOS that behaved different
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scerazy, I've just tried that approach on a FW60E with 6.0.1 and it worked fine for me. I took this approach:
[ol]
It was a basic pretty quick test, but it proved to me that it's a workable solution. My biggest pain-point is a large customer deployment where their Skype for Business servers need to talk to a gazillion Microsoft Office365 hosts, and people have deployed various wildcard FQDNs in various firewall rules believing that it works (but it doesn't, as we've all discovered in this forum!) - I have implemented a rule based on a gazillion address objects representing all the known Microsoft datacentre IP ranges for the regions in use by us (Australia East & SouthEast) which gets it working, but as Microsoft likes to reallocate their IP address ranges globally on a regular basis, it's risky and needs to be kept up to date. I'm investigating webfilters as a way around that. But what I'm curious about is whether webfilters work with applications that aren't web browsers (e.g. Skype for Business talking to an O365 server on port 443). Is the Webfilter feature just a dynamically-updated IP address filter, or does it inspect traffic more than that, expecting to see http browser headers etc? (in other words, if I was to try to push another protocol like RDP over tcp/443, would the webfilter approach still work?)
- « Previous
- Next »
Related Posts
- Import MAC address list into address... 124 Views
- Ran a script to create IP... 96 Views
- Simple explanation enabling the LOGGING of... 216 Views
- ZTNA not working. Help please. 306 Views
- Connecting Two SIP Trunks with Different... 283 Views
Labels
-
FortiGate
6,542 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
70 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
FortiAuthenticator
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.