FTG, no matter what firmware version, does not allow wildcards.
This DNS entry resolves to a server farm, *.c-msedge.net.
And I need unrestricted access from any device on the network, no matter what the user web policies are.
Any ideas?
Seb
Why not use FQDN? That should do it.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Does it?
If it does then great
You tell me/us. Select that in the policy instead of IP address/subnet and let us know.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Seems to work. Now if it could only do the same with a wildcard *.somednsname.com
Seb
With firewall policies, you have to use FQDN. Wildcard FQDN objects are for use in security profiles. In your web filter, enable URL filters and create an entry of type Wildcard and enter the URL (e.g. *.abcdomain.com). You can set the action to either exempt or allow. Make sure the status of the entry is enabled (default).
HTH
d
You can use wildcards on an FGT. However, you cannot use them in web rating overrides; that's officially not supported, TAC told me once.
What you can do is use the URL filter instead, for it does support wildcards AND exempt.
URL filter matches before rating overrides. So just inside your web filter profile, enable the URL filter and create a rule for *.somednsname.com EXEMPT and it should work.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
That does NOT work as one would expect. ALL traffic goes out via such a rule.
Totally idiotic!
Spent hours with an L2 technician.
Simply unsupported (using wildcards the way one most wants: unrestricted access from non-authenticated machine(s) to *.something.net) in current FortiOS.
Edit: see post below (it needs a last URL *.* Block entry to work correctly).
Your configuration or approach is most likely wrong. This works for numerous clients and installations I have deployed. See this link for an explanation of wildcard FQDN and why you can't use it in the destination:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD35297
Use the URL filter within the Web Filter profile to make exceptions. I use this method all the time for machines that a client wants to restrict to a very specific set of URLs. You don't have to use categories, just enable URL filter and enter the list of allowed sites and at the end use a wildcard of *.* with an action of block. Very useful for servers that are required to reach out to public resources without exposing them to the rest of the Internet.
OK, it was me; I missed the last URL of *.* Block.
That makes sense & it should work. In which case Fortinet support is as dumb as many times previously.
Seb
Copyright 2024 Fortinet, Inc. All Rights Reserved.