Now I have a test client that has this network configuration:
IP: 192.168.x.x/24
GW: IP address of a FortiGate firewall interface.
DNS: in another VLAN, whose gateway is not the FortiGate firewall. In addition, an MPLS circuit is traversed to reach this VLAN.
In this scenario I have the problem "unresolved FQDN"
I thank you so much for the support.
BR
Hello luca1994,
The wildcard FQDN is updated when a DNS query is made from a host connected to FortiGate (DNS traffic passing through a FortiGate).
If the query matches the wildcard FQDN, the IP address is added to the cache for that object on the FortiGate.
The DNS query (from the client to the DNS server on the other VLAN) passes through the FGT. The FGT will update the cache.
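The mechanism described in this reply (and restated in the final reply of the thread) is that a wildcard FQDN object only gets members when DNS responses actually traverse the FortiGate. The following is an added illustration, not Fortinet code: it parses a plain RFC 1035 UDP DNS response, extracts the A records, and feeds them into a small model of a wildcard FQDN cache. Assumptions: the firewall learns members purely by snooping DNS answers that pass through it; `*.example.com` is matched with shell-style globbing (so it also matches deeper subdomains, which may differ from FortiOS); the sample packets are built by the `build_a_response` helper with constructed names and TEST-NET-3 addresses; no EDNS or TCP framing is handled.

```python
"""Model of how a FortiGate wildcard-FQDN address object is populated.

Added illustration, not Fortinet code. Assumption: the firewall learns
wildcard FQDN members only by snooping DNS responses that pass through
it; the packet layout is plain RFC 1035 over UDP (no EDNS, no TCP).
"""
from __future__ import annotations

import struct
from fnmatch import fnmatchcase


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_a_response(qname: str, ips: list[str], txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed sample DNS response with one A record per IP (test input only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C = compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def read_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(pkt: bytes) -> list[tuple[str, str]]:
    """Return (owner name, IPv4) pairs for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):          # skip the question section
        _, off = read_name(pkt, off)
        off += 4                      # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in pkt[off:off + 4])))
        off += rdlen
    return records


class WildcardFqdnCache:
    """Toy model of the per-object IP cache behind 'diagnose firewall fqdn list-ip'."""

    def __init__(self, patterns: list[str]):
        self.cache: dict[str, set[str]] = {p: set() for p in patterns}

    def snoop(self, response: bytes) -> None:
        """Feed one DNS response that traversed the firewall."""
        for name, ip in parse_a_records(response):
            for pattern in self.cache:
                if fnmatchcase(name.lower(), pattern.lower()):
                    self.cache[pattern].add(ip)

    def resolved(self, pattern: str) -> list[str]:
        """Empty list corresponds to the 'unresolved FQDN' state."""
        return sorted(self.cache[pattern])


def demo() -> tuple[list[str], list[str]]:
    """Compare a client whose DNS path crosses the firewall with one whose path bypasses it."""
    through_fw = WildcardFqdnCache(["*.example.com"])
    through_fw.snoop(build_a_response("www.example.com", ["203.0.113.10"]))
    through_fw.snoop(build_a_response("cdn.example.net", ["203.0.113.50"]))  # no match
    bypass_fw = WildcardFqdnCache(["*.example.com"])   # DNS went via another gateway: nothing snooped
    return through_fw.resolved("*.example.com"), bypass_fw.resolved("*.example.com")


if __name__ == "__main__":
    print(demo())
```

The second tuple element stays empty because the firewall never saw an answer, which is exactly the situation the replies describe: routing the DNS server behind another gateway keeps the object unresolved even when the client itself resolves names fine.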
Hi @luca1994
In this scenario, I would recommend to check on the following:
1. Is there connectivity between the FortiGate and your DNS server? You can check by running the following commands on your FortiGate:
exec ping <DNS IP>
exec ping <any fqdn> --> this is to check DNS resolution
2. On your client, run the same ping test for DNS IP and FQDN.
The above is to verify if the routing and firewall policy are correctly defined in your FortiGate.
If the above tests succeed, and the client can access the FQDN without issue, but you are still seeing the "unresolved FQDN" message in FortiGate, I'd suggest that you take a look at the following article to verify whether you are impacted by a known bug:
Hi luca1994,
When a FQDN-based destination address object in firewall policies is used, whenever incoming traffic comes from LAN to WAN, it should hit the configured firewall policy with the FQDN destination object, if all the other required fields match the firewall policy.
It is also possible to verify the DNS cache using the below commands on the FortiGate:
diagnose firewall fqdn list-ip
diagnose test application dnsproxy 6
For updating the FQDN with IP addresses, running 'nslookup' from a host connected to a FortiGate will manually resolve each wildcard entry, and the list will be populated with new IP addresses.
Please refer to the below documents for more information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-wildcard-FQDN/ta-p/196118
I hope it will help you.
Hello,
Now the resolution is working, thanks for the advice. I wanted to submit another question.
I configured a loopback with the WAN role and assigned it a public IP address. Now I need the client network to go out to the outside world with the IP address of the loopback.
To do this, is it enough to create policies that have the client interface as the source and the loopback as the destination and enable the NAT flag in the policies, or is it mandatory to configure an IP pool?
Thanks for the support
Hi @luca1994,
In that case, DNS queries are not going through the FortiGate. Hence, FortiGate will show "unresolved FQDN". DNS queries need to go through the FortiGate for FQDN objects to be resolved.
Regards,
Copyright 2024 Fortinet, Inc. All Rights Reserved.