Using FortiOS 6.0.9. Need to run backups to a cloud server destination (*.domain.com). Was going to add an IPv4 policy with this address as the destination to exempt this traffic from normal antivirus, web filtering, DNS, etc. evaluation. I see that there is a Wildcard FQDN Address list. I created the address in this section but I can not list this address as the destination in the policy. I see that Wildcard FQDN Addresses are to be used in SSL exemptions and should not be used as source or destination addresses in policies. I can't be the first person to have this as a requirement. Is there a good workaround?
I think I noticed tat newer firmware versions have this ability but I was trying to wait until the 6.2 and 6.4 versions became more mature but before upgrading.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
As far as I remember (but I might be wrong here) this is not supported in 6.0 but was implementert with 6.2. But you might have to take a look at the 6.2 release notes as I am not 100% sure.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
As far as I remember (but I might be wrong here) this is not supported in 6.0 but was implementert with 6.2. But you might have to take a look at the 6.2 release notes as I am not 100% sure.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks! What was the best way to handle this pre FortiOS 6.2? Was it necessary to specify FQDN without using wildcards?
Instead of:
*.domain.com
This might involve:
www.domain.com
domain.com
ftp.domain.com
server.domain.com
Yes, that's the "right" way. When I opened a TAC case about this a couple years ago it was explained to me that this was simply impossible, which made sense to me, so I'm extremely curious (and somewhat dubious) about how they're accomplishing this post 6.2 (I did test on my 6.4.2 env and it seems to work).
The point being made to me when TAC said it was impossible was, how can I, a humble user/network possibly find all subdomains of a domain? I can't query for every word/non-word in the English language and most domains don't allow a zone transfer, soo...how could it even be done?
The "address" is the layer 3/IP address part of the packet, so any domain has to be translated to the IP to determine if it should match, so you have to know what to look up. That's totally different than when you're using a wildcard to inspect the SSL or HTTP headers for a web filter, which is why wildcard FQDNs could be used in that context. So I am sitting here, still confused...if anyone can explain that would be great.
Lobstercreed
Your correct that would not be feasible and at worst you would tack the firewall in trying to multiple populate A records in the local dns-cache, eating memory and cpu.
next, if you tried to be creative and place a wildcard that will net you nothing; since the firewall would think you are looking for a A record with the name asterisk in it
e.g
edit "widlcard-hp.com" set uuid 7dd39438-0fc2-51eb-94dd-2343bd0f9186 set type fqdn set fqdn "*.hp.com" next
The local-dns cache can be reviewed via cli-cmd "diag firewall fqdn list" fwiw and to validate fqdn resolution. If you really need to use a wildcard, you would need to build a fqdn list or something and apply that into the rule.
just my 2cts thoughts and observations
Ken Felix
PCNSE
NSE
StrongSwan
It depends on what you take "whitelist" to mean. I take it to mean "don't block me in your web filters or spam filters" and that's easy enough to do. I would assume you have a general rule allowing at least HTTP/HTTPS traffic to all addresses, and maybe a web filter profile attached to that. Whitelist them in that web filter, but it's not like you'd be crafting a special policy to allow XYZ ports to any and all hosts on some domain (or vice versa).
Any application that requires special ports open should be able to provide a list of IPs or FQDNs that the application reaches out to. If not, well....you have to open it to all hosts or monitor the traffic and figure out what it's doing for them -- because that is the network guy's job...to know how everything else works *sigh*
Agreed
Also if the sites are to be whitelist the vendor probably can provide a list of the domains hostnames. I'm working with a hosting provider that provide us the syntax of the hosted webserver even thought 50% of them are not up. So we have a FQDN list
web{XXX}.customerdomain.com
And I built a fqdn address objects that we push to the fortigate for all 1000 seq# 000-999, so if they add any server with that name, it's allowed and I do not have to go back and touch the policy.
FWIW I do not know of one firewall vendor that allows a wildcard dns-name ( FTNT JNPR CHKP PANW etc....) They use address-list, or webfilter rules for example.
Ken Felix
PCNSE
NSE
StrongSwan
Thanks everyone! I finally got the list of FQDN's so that the wildcard should not be necessary.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.