Hello,
I have a FW policy rule that allows traffic flow based on an address object of type FQDN,
matched on the FQDN "*.taobao.com".
- When I start browsing, the main page opens normally.
- When I start clicking on random sections, some of them are redirected to the Alibaba CDN *.alicdn.com, which is not included in the FW policy address.
- So I added *.alicdn.com to the address group as well, to be matched.
- Blockage was reduced significantly, but I still see some traffic not matched by the FW policy, and website performance became very slow.
- Upon checking, I found that the FQDN address is not populated with all the DNS queries the customer does.
  For example, if item.taobao.com is opened, it will be dropped; I have to manually do an nslookup inside the Windows CMD, then the IP is populated inside the FortiGate, and then the customer is able to browse it.
- Note: there is no proxy server used.
- If the IP of a subdomain is not included here, traffic destined to it will be dropped:
diagnose test application dnsproxy 6
vfid=1 name=*.taobao.com ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=12 cache_ttl=0 slot=-1 num=9 wildcard=1
47.246.99.148 (ttl=300:189:189) 47.246.138.134 (ttl=120:10:10) 123.183.232.83 (ttl=86:18:18) 47.246.177.10 (ttl=117:87:87) 47.92.44.90 (ttl=59:30:30)
47.246.182.10 (ttl=114:105:105) 59.82.120.242 (ttl=47:41:41) 59.82.39.254 (ttl=251:248:248) 47.246.181.10 (ttl=232:231:231)
I already matched the customer DNS with the FortiGate DNS, as recommended in a previous Fortinet KB article, but it didn't solve the issue.
Hello Hamada,
If your web browser uses DNS over TLS/HTTPS, then the FortiGate can't see its DNS requests and the FQDN object will not be populated with all the IP addresses.
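As an added illustration of the behaviour discussed in this thread (not code from the poster or from Fortinet): a small Python parser for the `diagnose test application dnsproxy 6` dump format quoted above, plus a check that explains why a given hostname/IP pair would or would not be matched by the FQDN address. The sample dump, its addresses and TTLs are constructed; the wildcard matching rule and the reading of the first `ttl` field as the DNS TTL are assumptions about FortiGate's semantics.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the shape of the `diagnose test application dnsproxy 6`
# output quoted above; addresses and TTLs are made up for this example.
SAMPLE_DUMP = """\
vfid=1 name=*.taobao.com ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=12 cache_ttl=0 slot=-1 num=2 wildcard=1
203.0.113.10 (ttl=300:189:189) 203.0.113.11 (ttl=120:10:10)
vfid=1 name=*.alicdn.com ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=12 cache_ttl=0 slot=-1 num=1 wildcard=1
198.51.100.5 (ttl=59:30:30)
"""

HEADER_RE = re.compile(r"^vfid=\d+\s+name=(?P<name>\S+)")
# Assumption: the first value of the ttl triple is the TTL from the DNS answer.
ENTRY_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(ttl=(?P<ttl>\d+):\d+:\d+\)")


def parse_dnsproxy_dump(text):
    """Return {fqdn_object: set(populated IPs)} from a dump like the one above."""
    objects, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name")
            objects[current] = set()
            continue
        if current is not None:
            objects[current].update(m.group("ip") for m in ENTRY_RE.finditer(line))
    return objects


def explain(objects, hostname, resolved_ip):
    """Explain whether a flow to hostname/resolved_ip matches an FQDN address.
    The FortiGate fills the object only from DNS answers it sees, so a client
    that resolved elsewhere (DoH/DoT, another resolver, a stale local cache)
    can land on an IP that the object does not yet contain."""
    matching = [n for n in objects if fnmatchcase(hostname.lower(), n.lower())]
    if not matching:
        return "no FQDN object covers %s" % hostname
    if any(resolved_ip in objects[n] for n in matching):
        return "allowed: %s is populated under %s" % (resolved_ip, ", ".join(matching))
    return ("dropped: %s matches %s but %s is not populated; the FortiGate never saw "
            "the DNS answer for it" % (hostname, ", ".join(matching), resolved_ip))


if __name__ == "__main__":
    objs = parse_dnsproxy_dump(SAMPLE_DUMP)
    print(explain(objs, "item.taobao.com", "203.0.113.10"))
    print(explain(objs, "item.taobao.com", "203.0.113.99"))
    print(explain(objs, "g.alicdn.com", "198.51.100.5"))
```

Feeding the real dump and the destination IPs from a dropped session's log into `explain` separates "object not in the policy" from "object present but IP never learned", which is the case the reply above attributes to encrypted DNS.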