Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
TimB_Unbound
New Contributor

Created on ‎02-02-2017 01:09 PM

Incomplete results from FQDN objects

I'm working on separating out the traffic we send to Office 365 with a dedicated firewall rule so we can change how we handle some of our logging.

To this end I have a new rule at the top of the processing chain going to 'outlook.office365.com'. This kind of works. The problem is that when I use the "outlook.office365.com" FQDN objects I'm only getting a handful of the IP addresses.

If our client computer connect to any of the others not on the list they go down the chain to our general rule. Only a tiny percent of the traffic I'm trying to collect goes out through this rule. 

 

Is there a good way to solve this? 

7712
0 Kudos
4 REPLIES 4
MikePruett
Valued Contributor

Created on ‎02-02-2017 01:46 PM

FQDN is highly unreliable. Mainly because it doesn't look up the IP each time so if rotations occur etc things get wonky.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

Mike Pruett Fortinet GURU | Fortinet Training Videos
3003
0 Kudos
Srujan
New Contributor

Created on ‎02-03-2017 01:11 AM

FQDN objects are reliable, so it is better you check the ip address of the outlook.office365.com and create the object with the ip address

 

use the same ip address object in the policy, but the ip address of the outlook.office365.com changes depends on the region it is better you check the ip adress of the outlook.office365.com weekly once to have the correct reports.

 

-srujan

3003
0 Kudos
TimB_Unbound
New Contributor
In response to Srujan

Created on ‎02-03-2017 01:18 PM

Great getting two totally opposite responses here.. Anyways I side with MikePruett on this one. Generally the FQDN method works perfectly but in cases where there is a large rotation it is definitely failing. 

Did some digging on Microsoft's site and found their "Office 365 URLs and IPs" page which includes their "Exchange Online" IPv4 endpoints. 

https://support.office.co...amp;rs=en-US&ad=US

3003
0 Kudos
AtiT
Valued Contributor
In response to TimB_Unbound

Created on ‎02-04-2017 11:59 AM

Be sure your Fortigate is using the same DNS as the clients.

Also you can play with the cache-ttl settings under the FQDN address object so the "older" IP addresses will timeout later.

 

It could help but I don't know how many IP addresses are possible to cache for one FQDN object.

AtiT

AtiT
3003
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.