Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FQDN Objects & IPv4 Policy
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FQDN Objects & IPv4 Policy
I'm setting up a 100D that will replace our aging firewall, and I'm trying to use the IPv4 policy to allow traffic to FQDNs, specifically LogMeIn.
I'm using the address object below:
[ul]IPv4 Policy below:
[ul]
My issue is that traffic isn't hitting his policy. LogMeIn remains blocked until I change the destination to 'all'. In the forward traffic log I can see the below items being denied:
216.52.x.x (control.app0x-x.logmein.com) - HTTPS - deny
To me this should fall within the above policy. I'm at the stage where I'v stripped all other policy rules just to focus on LogMeIn, to see where I'm going wrong.
I'm thinking it may be due to the way the DNS is resolving. I've also got a number of other LogMeIn FQDN objects that LMI uses (logme.in, etc), but I'm focusing on logmein.com as the above settings should be allowing it. I do not have any UTM features such as Application or Web filtering enabled at this time. There is only 1 host on the lan interface, and it's getting IP/DNS settings from the firewall.
Firmware v5.2.2,build642 (GA).
Any suggestions would be very much appreciated.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
26 REPLIES 26
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response.
This was ultimately what I came to realize, I just didn't think that the update lag of the DNS table would be enough to render the rule ineffective.
The overall purpose for this rule was to allow a set of applications to bypass our proxy server. I'm now wondering how best to approach this policy. It seems the only way to avoid using LogMeIn subnet's in a policy rule is to create a rule to: allow all source, allow all destination, allow HTTP/S traffic. Although I have Application Control & Web Filtering enabled on this rule, it still seems like a VERY open rule to have in the policy.
Perhaps I'm over thinking it, but I'm just wanting to avoid potential security holes due to mis-configuration.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just some info: If you create an FQDN a DNS lookup will be done and you can check it via CLI whether the FQDN is working - the resolved IP address(es) and check wiht the traffic log whether the users are using the same IPs.
The * is not allowed:
LAB_LUX # diagnose firewall fqdn list List all FQDN: logmein.com: ID(88) REF(1) ADDR(77.242.193.199) ADDR(64.94.47.199) ADDR(69.25.21.199) *logmein.com: ID(130) REF(1) *.logmein.com: ID(176) REF(1)
AtiT
AtiT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When looking at a FGT with 5.2.4 we already thought that there might be some changes regarding wildcard support for FQDN address objects: there are several new objects (e.g. "*.dropbox.com" or "*.apple.com") which are preconfigured and referenced in the default SSL inspection profile. At first sight their DNS resolution seems to work:
fgt # diag fire fqdn list List all FQDN: [...]
*.gotomeeting.com: ID(103) REF(1) ADDR(216.115.208.197) [...] *.live.com: ID(117) REF(1) ADDR(65.55.60.123) [...]
*.googleapis.com: ID(239) REF(1) ADDR(74.125.140.95)
However, we checked the FQDNs mentioned above: in all three cases there is either an A or a CNAME record for "*.<domain>", which explains why the FortiGate can resolve these addresses. What we don't understand is why Fortinet explicitly points out in the documentation that for creating inspection exemptions address objects with wildcard character should be created, while in the KB they don't recommend it (because it obviously doesn't work the way you would expect it).
Regards, dave.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been wondering the same thing about wildcard FQDN objects. I posted a few weeks back but nobody responded. It's good to know that I'm not the only one curious:
https://forum.fortinet.com/tm.aspx?m=128436
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My colleague has opened a ticket at Fortinet and has received the following answer:
The use of wildcard FQDN addresses within firewall policies is currently not supported. The FQDN addresses you find within the "config firewall address" section are used for excluding certain DNS domains by default from SSL/TLS deep inspection (see "config firewall ssl-ssh-profile" > "deep-inspection" > "config ssl-exempt"). Due to current design restrictions those addresses had to be put into the "config firewall address" section, but they won't work as expected when used in a firewall policy as source or destination. In the upcoming v5.4 there will be a separate type (wildcard-fqdn) for those address definitions to insure that they can't be selected/used within a firewall policy definition, but only with SSL exemption.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is very interesting! Thanks for posting this. I do wish, however, that upcoming code will avoid submitting those wildcard FQDN addresses to the DNS resolver. According to my observations on 5.2.4, the firewall is constantly trying to resolve the wildcard FQDN objects.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can confirm: in our test setup, the objects are only referenced in the SSL deep inspection profile, which isn't in use. Still we can see that at least some of the wildcard FQDN objects were resolved.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The use of wildcard FQDN addresses within firewall policies is currently STILL not supported on 5.4 That is very annoying !!!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mok wrote:Still not in 5.4.1. This makes the use of WAF impractical, as i need to exclude quite some domains from this filter.The use of wildcard FQDN addresses within firewall policies is currently STILL not supported on 5.4 That is very annoying !!!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for feedback Erwin, I'm really disappointed for that! For me the use of Walled Garden is impractical too.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Have any documents there that describe... 89 Views
- Auto update policy and objects in... 275 Views
- How to Drop known external traffic... 301 Views
- Websites do not work "err_quic_protocol_error" 1182 Views
- VPNSSL Split tunneling using internet services 344 Views
Labels
-
FortiGate
8,403 -
FortiClient
1,699 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
401 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
28 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.