Please see attached. Running version 5.4.5. I have a firewall FQDN configured. I was able to edit a few by right click and choosing "Edit in CLI" (I needed to add the "set cache-ttl" setting). Then I noticed that when I clicked on one that was configured as fqdn, it popped up as "set type ipmask". See attached image. Might want to fix this Fortinet.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Maybe you're hitting the 32 character limit Fortinet has for FQDN?
Don't know for sure, but their central SNAT limits FQDN's to 32 characters (per http://help.fortinet.com/fgt/54/max-values/5-4-4/max-values.html) anyway...
Unless my eyes are bad or going bad, that a new object and not a FQDN. What's exactly the issue?
FWIW: a new object is always a ipmask untill you change the type to fqdn.
Ken
PCNSE
NSE
StrongSwan
Maybe I'm doing something wrong, but I'm clicking on an existing firewall address definition and choosing "Edit in CLI". Notice how it is already named and with a UUID. But the UUID does not match what is obtained via the SSH Putty session. Also I note it is truncating the .com in the domain name in the GUI Console view. See the two following screenshots.
Maybe you're hitting the 32 character limit Fortinet has for FQDN?
Don't know for sure, but their central SNAT limits FQDN's to 32 characters (per http://help.fortinet.com/fgt/54/max-values/5-4-4/max-values.html) anyway...
Possible. It does look like it is truncating it. The root of this issue is we are trying to whitelist a bunch of oracle hosts. Defining them initially did not work because they use Akamai to load balance across a variety of IPs. Setting the cache-ttl to 5 minutes appears to refresh often enough that they are no longer missing the policies we have defined based on IP rotation. Also I find it interesting when I hover the mouse over the definitions in the Address window, it now shows the entries with two IPs each, which is a nice feature. At least it is working now. I'm going to be more careful about using the Edit in CLI feature going forward, although up to now it has worked well for any settings when I had occasion to use it.
That chart is great by the way. Thanks!
Beadvise the cache-ttl does not refresh from the authoritative server
e.g
MYFGT (root) # diag firewall fqdn list
List all FQDN:
abcdefghijklmnopqrstuvz1234567890111213141561718191020110101010.socpuppets.com: ID(146) REF(1) ADDR(1.1.1.1)
That entry has been changed at the authoritative NS to 1.1.1.12 and the the address book has the following;
config firewall address
edit "TEST"
set uuid 0cbd44dc-a54a-51e7-74a2-5b20d11921bc
set type fqdn
set fqdn "abcdefghijklmnopqrstuvz1234567890111213141561718191020110101010.socpuppets.com"
set cache-ttl 10
next
end
PCNSE
NSE
StrongSwan
Not sure I understand. My understanding is the Gate keeps a DNS cache in memory related to defined addresses. The cache-ttl setting instructs it to refresh those specific entries after the defined period of time. Seems to be working now that I configured it that way.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1643 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.