heyyo
Contributor

Firewall Policy - FQDN vs Internet Service

An example policy set is configured as below, with the same source address but different destination addresses: the top policy uses an FQDN, the bottom policy uses an Internet Service.

Example:

Policy Order #1:
set srcintf "port4"
set dstintf "port2"
set srcaddr "group"
set dstaddr "*.google.com"

Policy Order #2:
set srcintf "port4"
set dstintf "port2"
set srcaddr "group"
set internet-service enable
set internet-service-name "Google_InternetService"

The traffic passes through the bottom policy (#2) if I visit an IP which resolves to *.google.com, even though Policy Order #1 exists.
Why is that so?

1 REPLY
ekrishnan
Staff

Hello,

Based on the query, I believe the second policy (with ISDB) gets the hit because these are predefined services in the ISDB,

whereas

for wildcard FQDN addresses to work, the FortiGate should allow DNS traffic to pass through.

Initially, the wildcard FQDN object is empty and contains no addresses. When the client tries to resolve an FQDN address, the FortiGate analyzes the DNS response. The IP addresses contained in the answer section of the DNS response are added to the corresponding wildcard FQDN object.

>> You can test again by checking whether the wildcard address being used has resolved to IPs and shows the list:

# diagnose firewall fqdn list

# diagnose firewall iprope list 100004 ---> use this command to check the IPs which have resolved for *.google.com; the list is shown on it

Cross-check these details against the forward traffic logs for the traffic and verify whether the iprope list and the FQDN list have the IP in them.

Regards
Elangkajan K
EK
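The cross-check suggested in the reply, done offline as an added example (this is not code from the thread or from Fortinet): the script parses a constructed sample in the style of `diagnose firewall fqdn list` output together with constructed FortiGate key=value forward-traffic log lines, and reports for each session whether the destination IP was actually present in the wildcard FQDN object. A session that hit the ISDB policy while its `dstip` was absent from the object is the expected fall-through (the FortiGate never learned that IP from a DNS answer, for example because the client resolved via a cached or encrypted resolver); a session whose `dstip` was in the object but still missed the FQDN policy points at something else in that policy (service, schedule or user match). The exact layout of the diagnose output, the object name `*.google.com`, the policy IDs and every log line are assumptions made for the example.

```python
"""Offline check: was dstip inside the wildcard FQDN object when the policy was chosen?

Added example, not part of the forum thread. The `diagnose firewall fqdn list`
layout and the sample log lines below are constructed/assumed; only the
"<name>: ... ADDR(ip) ADDR(ip)" shape and the FortiGate key=value log style matter.
"""
import ipaddress
import re
import shlex

# Constructed sample modelled on `diagnose firewall fqdn list` output (layout assumed).
SAMPLE_FQDN_LIST = """\
List all FQDN:
*.google.com: ID(48) REF(1) ADDR(142.250.185.78) ADDR(142.250.185.99)
www.example.net: ID(12) REF(1) ADDR(93.184.216.34)
"""

# Constructed forward-traffic log lines (FortiGate key=value style). policyid=1 is the
# FQDN policy, policyid=2 the ISDB policy from the question.
SAMPLE_LOGS = """\
date=2024-01-10 time=10:00:01 type="traffic" subtype="forward" srcip=10.10.4.25 dstip=142.250.185.78 service="HTTPS" policyid=1 policyname="fqdn-google" action="accept"
date=2024-01-10 time=10:00:02 type="traffic" subtype="forward" srcip=10.10.4.25 dstip=142.250.74.46 service="HTTPS" policyid=2 policyname="isdb-google" action="accept"
date=2024-01-10 time=10:00:03 type="traffic" subtype="forward" srcip=10.10.4.25 dstip=142.250.185.99 service="HTTPS" policyid=2 policyname="isdb-google" action="accept"
"""

ADDR_RE = re.compile(r"ADDR\(([0-9a-fA-F.:]+)\)")


def parse_fqdn_list(text):
    """Return {object_name: set(ip_address)} from fqdn-list style text."""
    objects = {}
    for line in text.splitlines():
        if ":" not in line or "ADDR(" not in line:
            continue  # header line or an object with no resolved addresses
        name, rest = line.split(":", 1)
        objects[name.strip()] = {ipaddress.ip_address(a) for a in ADDR_RE.findall(rest)}
    return objects


def parse_log_line(line):
    """Split a key=value log line into a dict; shlex keeps quoted values intact."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def explain_policy_hits(fqdn_text, log_text, fqdn_object, fqdn_policy_id):
    """For each log line return (dstip, policyid, in_object, verdict)."""
    resolved = parse_fqdn_list(fqdn_text).get(fqdn_object, set())
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_log_line(line)
        dst = ipaddress.ip_address(f["dstip"])
        hit = int(f["policyid"])
        in_obj = dst in resolved
        if hit == fqdn_policy_id and in_obj:
            verdict = "expected: FQDN policy matched a learned IP"
        elif hit != fqdn_policy_id and not in_obj:
            verdict = "fallthrough: dstip never learned into the wildcard FQDN object"
        elif hit != fqdn_policy_id and in_obj:
            verdict = "unexpected: dstip is in the object, check other fields of the FQDN policy"
        else:
            verdict = "unexpected: FQDN policy hit but dstip not in object (stale list?)"
        results.append((str(dst), hit, in_obj, verdict))
    return results


if __name__ == "__main__":
    for dst, pid, in_obj, verdict in explain_policy_hits(SAMPLE_FQDN_LIST, SAMPLE_LOGS, "*.google.com", 1):
        print(f"{dst:16} policyid={pid} in_object={in_obj!s:5} {verdict}")
```

Run it against real data by pasting the two command outputs in place of the constructed samples; the object name passed to `explain_policy_hits` must match the name exactly as the FortiGate prints it.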