Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
seadave
Contributor III

Firewall Address - Edit CLI differs from GUI Config

Please see attached.  Running version 5.4.5.  I have a firewall FQDN configured.  I was able to edit a few by right-clicking and choosing "Edit in CLI" (I needed to add the "set cache-ttl" setting).  Then I noticed that when I clicked on one that was configured as fqdn, it popped up as "set type ipmask".  See attached image.  Might want to fix this, Fortinet.


emnoc
Esteemed Contributor III

Unless my eyes are bad or going bad, that's a new object and not an FQDN. What exactly is the issue?

FWIW: a new object is always an ipmask until you change the type to fqdn.

Ken

PCNSE NSE StrongSwan
seadave
Contributor III

Maybe I'm doing something wrong, but I'm clicking on an existing firewall address definition and choosing "Edit in CLI".  Notice how it is already named and with a UUID.  But the UUID does not match what is obtained via the SSH PuTTY session.  Also I note it is truncating the .com in the domain name in the GUI Console view.  See the two following screenshots.

seadave

Via SSH session.

tanr
Valued Contributor II
(Accepted solution)

Maybe you're hitting the 32 character limit Fortinet has for FQDN? 

Don't know for sure, but their central SNAT limits FQDN's to 32 characters (per http://help.fortinet.com/fgt/54/max-values/5-4-4/max-values.html) anyway...

seadave
Contributor III

Possible.  It does look like it is truncating it.  The root of this issue is we are trying to whitelist a bunch of Oracle hosts.  Defining them initially did not work because they use Akamai to load balance across a variety of IPs.  Setting the cache-ttl to 5 minutes appears to refresh often enough that they are no longer missing the policies we have defined based on IP rotation.  Also I find it interesting that when I hover the mouse over the definitions in the Address window, it now shows the entries with two IPs each, which is a nice feature.  At least it is working now.  I'm going to be more careful about using the Edit in CLI feature going forward, although up to now it has worked well for any settings when I had occasion to use it.

seadave

That chart is great by the way.  Thanks!
emnoc
Esteemed Contributor III

Be advised the cache-ttl does not refresh from the authoritative server.

e.g.

 MYFGT (root) # diag firewall fqdn list
 List all FQDN:
 abcdefghijklmnopqrstuvz1234567890111213141561718191020110101010.socpuppets.com: ID(146) REF(1) ADDR(1.1.1.1)

That entry has been changed at the authoritative NS to 1.1.1.12 and the address book has the following:

config firewall address
    edit "TEST"
        set uuid 0cbd44dc-a54a-51e7-74a2-5b20d11921bc
        set type fqdn
        set fqdn "abcdefghijklmnopqrstuvz1234567890111213141561718191020110101010.socpuppets.com"
        set cache-ttl 10
    next
end

PCNSE NSE StrongSwan
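As an added check, not code from this thread or from Fortinet: a small parser for the "config firewall address" block emnoc posted above, which flags fqdn objects longer than the 32-character limit tanr cited (assumed here to apply to the fqdn field) and fqdn objects with no cache-ttl set. The "TEST" entry is emnoc's; the other names, UUIDs and hostnames are constructed.

```python
# Constructed sample in the "config firewall address" format emnoc posted; the "TEST"
# entry is emnoc's, the other two names, UUIDs and hostnames are made up for this example.
SAMPLE_CONFIG = """\
config firewall address
    edit "TEST"
        set uuid 0cbd44dc-a54a-51e7-74a2-5b20d11921bc
        set type fqdn
        set fqdn "abcdefghijklmnopqrstuvz1234567890111213141561718191020110101010.socpuppets.com"
        set cache-ttl 10
    next
    edit "oracle-lb"
        set uuid 11111111-2222-3333-4444-555555555555
        set type fqdn
        set fqdn "updates.example-oracle-host.com"
    next
    edit "lan"
        set uuid 66666666-7777-8888-9999-000000000000
        set subnet 10.0.0.0 255.255.255.0
    next
end
"""
FQDN_LIMIT = 32  # the central-SNAT FQDN limit tanr cited, assumed here as the threshold


def parse_addresses(config_text):
    """Return {name: {setting: value}} for every 'edit' entry in the config block."""
    entries, name, current = {}, None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith('edit "') and line.endswith('"'):
            name, current = line[6:-1], {}
        elif line == "next" and name is not None:
            entries[name], name, current = current, None, None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return entries


def audit_fqdn_entries(config_text, limit=FQDN_LIMIT):
    """Flag fqdn objects longer than `limit` and fqdn objects with no cache-ttl set."""
    findings = []
    for name, settings in parse_addresses(config_text).items():
        if settings.get("type") != "fqdn":  # new objects default to ipmask, as emnoc notes
            continue
        fqdn = settings.get("fqdn", "")
        if len(fqdn) > limit:
            findings.append((name, "fqdn-too-long", f"{len(fqdn)} chars, limit {limit}"))
        if "cache-ttl" not in settings:
            findings.append((name, "no-cache-ttl", "cache-ttl not set, FortiOS default applies"))
    return findings
```

Paste the output of "show firewall address" in place of SAMPLE_CONFIG to run it against a real box.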
seadave
Contributor III

Not sure I understand.  My understanding is the Gate keeps a DNS cache in memory related to defined addresses.  The cache-ttl setting instructs it to refresh those specific entries after the defined period of time.  Seems to be working now that I configured it that way.
