- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Firewall Address - Edit CLI differs from GUI Confi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Firewall Address - Edit CLI differs from GUI Config
Please see attached. Running version 5.4.5. I have a firewall FQDN configured. I was able to edit a few by right click and choosing "Edit in CLI" (I needed to add the "set cache-ttl" setting). Then I noticed that when I clicked on one that was configured as fqdn, it popped up as "set type ipmask". See attached image. Might want to fix this Fortinet.
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe you're hitting the 32 character limit Fortinet has for FQDN?
Don't know for sure, but their central SNAT limits FQDN's to 32 characters (per http://help.fortinet.com/fgt/54/max-values/5-4-4/max-values.html) anyway...
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unless my eyes are bad or going bad, that a new object and not a FQDN. What's exactly the issue?
FWIW: a new object is always a ipmask untill you change the type to fqdn.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe I'm doing something wrong, but I'm clicking on an existing firewall address definition and choosing "Edit in CLI". Notice how it is already named and with a UUID. But the UUID does not match what is obtained via the SSH Putty session. Also I note it is truncating the .com in the domain name in the GUI Console view. See the two following screenshots.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe you're hitting the 32 character limit Fortinet has for FQDN?
Don't know for sure, but their central SNAT limits FQDN's to 32 characters (per http://help.fortinet.com/fgt/54/max-values/5-4-4/max-values.html) anyway...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Possible. It does look like it is truncating it. The root of this issue is we are trying to whitelist a bunch of oracle hosts. Defining them initially did not work because they use Akamai to load balance across a variety of IPs. Setting the cache-ttl to 5 minutes appears to refresh often enough that they are no longer missing the policies we have defined based on IP rotation. Also I find it interesting when I hover the mouse over the definitions in the Address window, it now shows the entries with two IPs each, which is a nice feature. At least it is working now. I'm going to be more careful about using the Edit in CLI feature going forward, although up to now it has worked well for any settings when I had occasion to use it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That chart is great by the way. Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Beadvise the cache-ttl does not refresh from the authoritative server
e.g
MYFGT (root) # diag firewall fqdn list
List all FQDN:
abcdefghijklmnopqrstuvz1234567890111213141561718191020110101010.socpuppets.com: ID(146) REF(1) ADDR(1.1.1.1)
That entry has been changed at the authoritative NS to 1.1.1.12 and the the address book has the following;
config firewall address
edit "TEST"
set uuid 0cbd44dc-a54a-51e7-74a2-5b20d11921bc
set type fqdn
set fqdn "abcdefghijklmnopqrstuvz1234567890111213141561718191020110101010.socpuppets.com"
set cache-ttl 10
next
end
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure I understand. My understanding is the Gate keeps a DNS cache in memory related to defined addresses. The cache-ttl setting instructs it to refresh those specific entries after the defined period of time. Seems to be working now that I configured it that way.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Transparent VLAN between Fortigate port and... 121 Views
- FortiGate drops traceroute UDP 153 Views
- How can I provide a different... 166 Views
- Fortigate100F -- Does a VLAN Switch... 212 Views
- Fortigate Firewall BGP received routes not... 495 Views
Labels
-
FortiGate
7,172 -
FortiClient
1,416 -
5.2
801 -
5.4
639 -
FortiManager
622 -
FortiAnalyzer
457 -
6.0
416 -
FortiAP
376 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
108 -
SSL-VPN
105 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
21 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
SSL SSH inspection
11 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1067 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.