martinoles

FQDN behaviour but without wildcard

Hi,

I am a bit puzzled about how to correctly set up a firewall rule which uses a DNS object. DNS traffic from the servers goes through the firewall. Using a wildcard FQDN works correctly, e.g. *.fortinet.com.

But the customer wants to limit access to a destination like server1.fortinet.com (only this particular name), and in this case we observe that it is the firewall gateway which does the DNS lookup and then permits this destination. But in our environment, the DNS which the gateway uses is different from the one the servers are using, therefore we "permit" the wrong IP, as the destination uses DNS-based load balancing.

 

Thank you for any hint.

bpozdena_FTNT

If you don't necessarily have to use FQDN, use regular IP address objects in your firewall policies instead.

If the server resolves into too many IP addresses, then you will need to ensure the clients and the FortiGate use the same system DNS servers. But even that is not always sufficient, especially with cloud-hosted servers.

Another option is to use your FortiGate as the DNS server for your clients. Just forwarding the client requests to the FortiOS system DNS might be sufficient. You can also define your DNS records and TTLs on the FortiGate and use it in recursive mode.

You will need to find out which option is most suitable for your setup. Ultimately, you just need to ensure that your clients and FortiOS always resolve the same FQDNs into the same IP addresses (within the response TTL).

HTH,
Boris
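The condition Boris ends with (clients and FortiOS resolving the same FQDN to the same addresses within the response TTL) can be checked directly rather than inferred from dropped sessions. The script below is an added example and is not code from this thread or from Fortinet: it uses only the Python standard library to send an A query to two resolvers, parses the answers together with their TTLs, and lists the addresses the servers' resolver returns that the FortiGate's FQDN object would not contain. The resolver addresses in the `__main__` block are placeholders, and the embedded response bytes and 192.0.2.x / 198.51.100.x addresses are constructed test data.

```python
"""Compare the A records two resolvers return for one name (added example).

Use case from the thread: a FortiGate FQDN address object is populated from the
FortiGate's own system DNS, while the servers behind it resolve through a
different DNS. With DNS-based load balancing the two answers can differ, so a
policy that matches the FQDN object will not contain the address the server
actually connects to.
"""
import os
import socket
import struct


def build_a_query(name: str, txid: int) -> bytes:
    """Build a minimal recursive A/IN query (no EDNS) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Return (name, offset after the name), following RFC 1035 compression pointers."""
    labels = []
    end = off
    jumped = False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte pointer to an earlier occurrence
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_answers(msg: bytes):
    """Return [(ip, ttl), ...] for the A records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"DNS error, rcode={rcode}")
    off = 12
    for _ in range(qd):                  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                         # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen                     # skip CNAME/other rdata
    return answers


def query_a(name: str, resolver: str, timeout: float = 3.0):
    """Send one UDP A query to `resolver` and return its parsed answers."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch, discarding response")
    return parse_a_answers(data)


def compare_answers(fortigate_answers, client_answers):
    """Return the client-side IPs that are missing from the FortiGate's answer.

    Any address listed here is one the servers may connect to while the
    FortiGate's FQDN object (built from its own resolver's answer) does not
    contain it, so the policy will not match that flow.
    """
    fgt_ips = {ip for ip, _ttl in fortigate_answers}
    return sorted({ip for ip, _ttl in client_answers if ip not in fgt_ips})


# Constructed response: two A records for server1.fortinet.com, TTL 30,
# with the answer names compressed as pointers to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x07server1\x08fortinet\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("192.0.2.10")
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("192.0.2.11")
)


if __name__ == "__main__":
    # Placeholder resolvers: the FortiGate's system DNS and the servers' DNS.
    fgt = query_a("server1.fortinet.com", "192.0.2.53")
    srv = query_a("server1.fortinet.com", "198.51.100.53")
    print("FortiGate resolver:", fgt)
    print("Servers' resolver :", srv)
    print("Not covered by FQDN object:", compare_answers(fgt, srv))
```

Run it from a host that can reach both resolvers; a non-empty "Not covered" list reproduces the problem in the question, and because the TTLs are printed you can also see how short the window is before either side re-resolves. `parse_a_answers` only reports A records, so a name that goes through a CNAME chain is handled but any AAAA addresses are ignored.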