Support Forum
Morus
New Contributor II

FQDN Wildcard Object

Hi!

So I'm facing a strange issue with a wildcard address object (FQDN).

If I configure the object as *.learn.microsoft.com I cannot reach anything from my client, not even the "microsoft.com" domain.

If I configure it as *.microsoft.com I can reach the website and all the subdomains (learn.microsoft.com included).

I've already configured the "config system session-helper" for DNS traffic. If I run "diag test application dnsproxy 6", it looks like my FGT cannot resolve the subdomain:

[attached screenshot: Immagine 2025-06-16 175348.png]


I found this old technical tip where it says that wildcard FQDN should not be used in firewall policies.

Any suggestion?

1 REPLY
AEK
SuperUser

Hi Morus

I agree that wildcard address objects should not be used, or at least should be used with caution. Wildcards are not resolved by FG until a host tries to resolve the address using a cleartext DNS query. But today's browsers usually send DNS queries over TLS or HTTPS, so FG can't see the result (except probably if you use deep inspection).

Try using the wildcard in a Web Filter instead.

AEK
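The mechanism AEK describes, as an added illustration that is not part of the thread and not FortiOS code: a wildcard FQDN object is an empty IP set until the firewall parses a cleartext DNS answer whose queried name falls under the wildcard; a query sent over DoH/DoT is just TLS to the resolver, so nothing is learned and a policy built on the object never matches that destination. The sample traffic, the TEST-NET-3 addresses, and the rule that "*.suffix" matches only names with at least one extra label (not the apex) are assumptions of this toy model, not facts from the thread.

```python
"""Toy model of a wildcard-FQDN address object populated by DNS snooping.

Constructed illustration, not FortiOS code. Assumptions (not from the thread):
  - the object learns IPs only from DNS answers the firewall can parse
    (cleartext port 53); DNS-over-HTTPS/TLS is opaque to it;
  - '*.suffix' matches one or more labels before 'suffix', not the apex.
"""
from dataclasses import dataclass, field


def wildcard_matches(pattern: str, name: str) -> bool:
    """True if `name` falls under wildcard `pattern` (case-insensitive).

    '*.learn.microsoft.com' matches 'docs.learn.microsoft.com' but neither
    'learn.microsoft.com' (apex, assumed excluded) nor 'www.microsoft.com'.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]  # '.learn.microsoft.com'; leading dot forces an extra label
    return name.endswith(suffix)


@dataclass
class WildcardFqdnObject:
    pattern: str
    learned: dict = field(default_factory=dict)  # ip -> name it was learned from

    def observe_dns_answer(self, qname: str, addresses: list) -> None:
        """Called for every cleartext DNS response the firewall can parse."""
        if wildcard_matches(self.pattern, qname):
            for ip in addresses:
                self.learned[ip] = qname

    def permits(self, dst_ip: str) -> bool:
        """A policy using this object matches only IPs learned so far."""
        return dst_ip in self.learned


@dataclass
class DnsEvent:
    transport: str   # 'udp53' (visible to the firewall) or 'doh' (encrypted)
    qname: str
    addresses: list  # what the client actually received


def simulate(pattern: str, events: list) -> dict:
    """Replay the events, then return the policy verdict per destination IP."""
    obj = WildcardFqdnObject(pattern)
    for ev in events:
        if ev.transport == "udp53":
            obj.observe_dns_answer(ev.qname, ev.addresses)
        # 'doh': the firewall sees only a TLS session to the resolver; no learning.
    return {ip: obj.permits(ip) for ev in events for ip in ev.addresses}


# Constructed sample traffic (TEST-NET-3 addresses, not real resolutions).
SAMPLE_EVENTS = [
    DnsEvent("udp53", "docs.learn.microsoft.com",  ["203.0.113.10"]),
    DnsEvent("udp53", "www.microsoft.com",         ["203.0.113.20"]),
    DnsEvent("doh",   "video.learn.microsoft.com", ["203.0.113.30"]),
]

if __name__ == "__main__":
    for pattern in ("*.learn.microsoft.com", "*.microsoft.com"):
        print(pattern)
        for ip, ok in simulate(pattern, SAMPLE_EVENTS).items():
            print(" ", ip, "allow" if ok else "deny")
```

With "*.learn.microsoft.com" only 203.0.113.10 is allowed: 203.0.113.20 was resolved in the clear but belongs to a name outside the wildcard, and 203.0.113.30 belongs to a matching name that was resolved over DoH, which the firewall never saw. Swapping in "*.microsoft.com" admits 203.0.113.20 as well, but the DoH-resolved destination stays blocked either way, which is the failure mode the reply warns about.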