We have a scenario where we need to proxy filter 40+ particular PCs that roam between 14 subnets. These DHCP devices get replaced with frequency, but their naming convention always remains the same (e.g., Site-Purpose#.domain).
Rather than creating 560 potential DHCP reservations for these clients and statically mapping them to an address in our 100F (that would need to be updated with every device replacement), we created a wildcard FQDN address of *-Purpose*.domain and added it to the proxy firewall policy. From the 100F, I can ping each of these devices and their names resolve and filtering gets applied, however once the TTL expires (and the DHCP lease expires, or the device has roamed) the address no longer resolves.
My understanding/conclusion is that unless something is requesting that resource (such as a PING from the unit itself) the FG will not attempt to resolve it. Is there a means to configure outright automatic resolution of FQDN addresses from the FG when the TTL expires? I created a script for connecting via SSH session to the FG to ping the devices, which worked, but I am apprehensive about scripting SSH sessions or using any scheduled-task scripting, as it isn't always reliable in my experience, especially if a better method exists as part of FortiOS.
Any suggestions would be most welcome!
Thank you in advance!
Hi jamolloy,
Normally, when you use a wildcard FQDN in a firewall address object, it is updated when a DNS query is made from a host connected to the FortiGate (DNS traffic passing through the FortiGate).
If the query matches the wildcard FQDN, the IP address is added to the cache for that object on the FortiGate.
In your case you are using wildcard FQDN address objects for your internal systems, and hence there is no way the FortiGate will see the DNS requests for these FQDNs until and unless you resolve them locally on the FortiGate, or your DNS queries for these FQDNs pass through the FortiGate firewall when some other internal system queries them.
To automate this without the above option, as you mentioned, you need to rely on scripting. I will check internally if there is any other option available and update here.
Best Regards,
Thank you for looking into this for us, I look forward to hearing back your findings.
Best,
-Joe
The key point here is that the DNS requests need to go through the FortiGate. It needs to learn the wildcard entries' IPs from the DNS traffic. If DNS goes through a different route, it won't be aware that 1.2.3.4 matches *.mywildcard.com.
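The two replies above describe the same mechanism: a wildcard FQDN address object holds no addresses of its own; it is populated from A records the firewall sees in DNS traffic that actually transits it, each entry expires with the record's TTL, and DNS that takes another path never reaches the cache. The following is an added toy model of that behaviour, written for this thread; it is not FortiOS code, and the object name, the `*-Purpose*.domain` pattern, the host names, IPs, TTLs and the "seen by firewall" flag on each answer are all constructed to illustrate the point.

```python
"""Toy model of a wildcard-FQDN address object being filled from observed DNS.

Constructed for illustration; it is not FortiOS and makes no claim about
FortiGate internals beyond what the thread states: entries come only from
DNS answers that pass through the firewall, and they expire with the TTL.
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class WildcardFqdnCache:
    pattern: str                                 # e.g. "*-Purpose*.domain"
    entries: dict = field(default_factory=dict)  # ip -> (name, expires_at)

    def matches(self, name: str) -> bool:
        # Case-insensitive glob match, as DNS names are case-insensitive.
        return fnmatch.fnmatchcase(name.lower(), self.pattern.lower())

    def observe_answer(self, name: str, ip: str, ttl: int, now: int) -> bool:
        """Record one A record the firewall saw in transit. Returns True if cached."""
        if not self.matches(name):
            return False
        self.entries[ip] = (name, now + ttl)
        return True

    def expire(self, now: int) -> None:
        # Drop every mapping whose TTL has run out; nothing re-resolves it.
        self.entries = {ip: v for ip, v in self.entries.items() if v[1] > now}

    def active_ips(self, now: int) -> list:
        self.expire(now)
        return sorted(self.entries)


# Constructed DNS answers: (time, name, ip, ttl, seen_by_firewall).
# The last field models whether the query's path crossed the firewall at all.
SAMPLE_ANSWERS = [
    (0,   "Site1-Purpose3.domain", "10.1.5.20",  300, True),   # cached
    (0,   "printer.domain",        "10.1.5.30",  300, True),   # no match
    (10,  "Site2-Purpose1.domain", "10.2.5.41",  300, False),  # DNS bypassed FW
    (400, "Site1-Purpose3.domain", "10.7.5.88",  300, True),   # roamed, new IP
]


def replay(answers, pattern: str, checkpoints) -> dict:
    """Feed answers into a cache in time order and report active IPs at each checkpoint."""
    cache = WildcardFqdnCache(pattern)
    pending = sorted(answers)
    result = {}
    for t in sorted(checkpoints):
        while pending and pending[0][0] <= t:
            when, name, ip, ttl, seen = pending.pop(0)
            if seen:                     # unseen DNS never reaches the cache
                cache.observe_answer(name, ip, ttl, when)
        result[t] = cache.active_ips(t)
    return result


if __name__ == "__main__":
    for t, ips in replay(SAMPLE_ANSWERS, "*-Purpose*.domain", [5, 200, 350, 450]).items():
        print(f"t={t:>3}s  active IPs in object: {ips}")
```

Running it shows the shape of the problem from the original post: at t=5 and t=200 the object holds 10.1.5.20, at t=350 it is empty because the TTL lapsed and no transit DNS query refreshed it, and only at t=450, after a query for the roamed host crossed the firewall, does the new address 10.7.5.88 appear. The Site2 host never shows up at all because its lookup did not traverse the firewall, which is the point of the last reply.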