Hello team,
I wanted to know what the best method is to manage FQDNs to be blacklisted. Basically, is it better to use an ad hoc web filter profile or to create FQDN groups with wildcards?
My goal is to block specific FQDNs for everyone globally.
Thanks for the support
BR
Hello
Enable "All traffic" logging in the related policy, then check the traffic log. You should find there traffic log entries with the client IP as source, the DNS server IP as destination, and DNS as protocol/service.
Hello
When using FQDN addresses with wildcards you have to know that the FortiGate must see the DNS requests of your clients, otherwise it can't associate an FQDN with an IP. This is because an address such as "*.domain.com" is not resolved until you replace the "*" with a subdomain. Also, your clients must use cleartext DNS, not encrypted DNS.
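The mechanism AEK describes above, as an added example (it is not FortiGate code and not part of the original thread): a wildcard object such as "*.dropbox.com" owns no IP of its own, it only collects addresses from DNS answers the firewall actually observes, so a policy that uses it matches nothing while that set is empty ("Unresolved FQDN"), and a client that goes straight to an IP without a visible lookup is not matched either. The TTL-based expiry, the rule that the wildcard does not match the apex name, and the 203.0.113.10 address (TEST-NET-3, not a real Dropbox address) are assumptions of this model, not documented FortiOS behaviour.

```python
"""Model of wildcard FQDN resolution in a firewall policy (added example).

A wildcard FQDN object learns IPs only from DNS answers that pass through
the firewall. If client DNS goes around the firewall, or is encrypted
(DoT/DoH), nothing is ever learned and a deny policy built on the object
never fires. Assumptions: TTL-based expiry, "*.x" does not match "x".
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class WildcardFqdnAddress:
    pattern: str                              # e.g. "*.dropbox.com"
    ips: dict = field(default_factory=dict)   # ip -> expiry (seconds)

    def matches_name(self, name: str) -> bool:
        """True if a queried name falls under the wildcard.

        "*.dropbox.com" matches any name below dropbox.com (case and
        trailing-dot insensitive) but not the apex and not look-alikes
        such as "dropbox.com.evil.test" or "evil-dropbox.com".
        """
        name = name.rstrip(".").lower()
        pattern = self.pattern.rstrip(".").lower()
        if not pattern.startswith("*."):
            return name == pattern            # plain FQDN, exact match
        suffix = pattern[1:]                  # ".dropbox.com"
        return name.endswith(suffix) and len(name) > len(suffix)

    def learn(self, qname: str, rrtype: str, rdata: str, ttl: int, now: float) -> bool:
        """Feed one resource record from a DNS answer the firewall saw."""
        if rrtype not in ("A", "AAAA") or not self.matches_name(qname):
            return False
        ip = ipaddress.ip_address(rdata)
        # Keep the later of the existing and the new expiry.
        self.ips[ip] = max(self.ips.get(ip, 0.0), now + ttl)
        return True

    def resolved_ips(self, now: float) -> set:
        """Current IP set; records whose TTL lapsed are dropped first."""
        self.ips = {ip: exp for ip, exp in self.ips.items() if exp > now}
        return set(self.ips)

    def is_resolved(self, now: float) -> bool:
        return bool(self.resolved_ips(now))

    def contains(self, dst_ip: str, now: float) -> bool:
        return ipaddress.ip_address(dst_ip) in self.resolved_ips(now)


def policy_action(addr: WildcardFqdnAddress, dst_ip: str, now: float) -> str:
    """Deny policy whose destination is the wildcard object; traffic that
    does not match falls through to an allow in this simplified model."""
    return "deny" if addr.contains(dst_ip, now) else "allow"


def run_scenario(dns_visible: bool) -> dict:
    """Replay the thread's test with constructed data: the client resolves
    www.dropbox.com and the answer is 203.0.113.10 with a 60 s TTL."""
    addr = WildcardFqdnAddress("*.dropbox.com")
    now = 1000.0
    out = {}
    # 1. Client pings the IP directly: no lookup, so nothing to learn from.
    out["ping_direct_ip_first"] = policy_action(addr, "203.0.113.10", now)
    # 2. Client resolves www.dropbox.com (nslookup). The firewall learns
    #    the IP only if the DNS answer transits it in cleartext.
    if dns_visible:
        addr.learn("www.dropbox.com", "A", "203.0.113.10", 60, now)
    out["resolved"] = addr.is_resolved(now)
    # 3. Client now pings by FQDN, i.e. to the IP it just received.
    out["ping_by_fqdn"] = policy_action(addr, "203.0.113.10", now)
    # 4. Same IP after the TTL lapsed with no fresh lookup observed.
    out["after_ttl_expiry"] = policy_action(addr, "203.0.113.10", now + 61)
    return out


if __name__ == "__main__":
    for visible in (True, False):
        print("DNS visible to firewall:", visible, run_scenario(visible))
```

With DNS visible the object resolves after the lookup and the ping by FQDN is denied; with DNS bypassing the firewall every step is allowed and the object stays unresolved, which is exactly the symptom reported further down in the thread. Note that even with DNS visible, a host that goes to the IP directly before any observed lookup is not matched, so a wildcard FQDN object is a DNS-dependent control, not an IP blocklist.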
Hello AEK,
"FortiGate must see the DNS requests of your clients": do I do this with a policy?
BR
After creating a wildcard FQDN, it shows "Unresolved FQDN" when hovered over. I have generated traffic from the client with nslookup, but the FQDN on the firewall remains unresolved.
Thanks
BR
Created on 12-21-2023 12:46 AM Edited on 12-21-2023 01:03 AM
Hi Luca
Yes, the FGT must see DNS traffic in order to resolve a wildcard FQDN address. No special policy is required for this.
But if your web browser uses SSL DNS then it will not work.
Try this to understand better:
Thank you AEK.
I created a policy to deny *.drpbox.com.
From the CLI I tried pinging the "IP" of www.dropbox.com from my internal host without using the FQDN, and then I pinged www.dropbox.com by FQDN.
The ping is NOT blocked because the FGT shows unresolved again.
Help please. I have searched on Google but the workaround doesn't work.
Many thanks
I guess your DNS traffic doesn't transit through the FortiGate.
Created on 12-21-2023 02:21 AM Edited on 12-21-2023 02:23 AM
In fact, now that I think about it, the DNS servers have a different gateway from the client I am using for the tests. I need the FortiGate to see the DNS traffic by making a rule on the DNS servers' gateway that lets DNS traffic pass through the FortiGate, correct? Do I have to make the rule in the opposite direction as well, from the FortiGate towards the DNS servers?
Thanks for the support
BR
Now I have a test client with this network configuration:
IP: 192.168.x.x/24
GW: the IP address of a FortiGate firewall interface.
DNS: in another VLAN whose gateway is not the FortiGate firewall. In addition, an MPLS circuit is traversed to reach this VLAN.
In this scenario I have the problem "unresolved FQDN"
I thank you so much for the support.
BR
Does anyone have any suggestions?
Thanks
BR