Support Forum
AHAMADA
New Contributor

address FQDN not matching all subdomain within wildcard

Hello,

I have a FW policy rule that allows traffic flow based on an address object of type FQDN.

match based on FQDN "*.taobao.com"


- When I start browsing, the main page opens normally.

- When I start clicking on random sections, some of them are redirected to the Alibaba CDN *.alicdn.com, which is not included in the FW policy address.

- So I added *.alicdn.com to the address group as well, to be matched.

- Blockage was reduced significantly, but I still see some traffic not matched by the FW policy, and website performance became very slow.

- Upon checking, I found that the FQDN address is not populated with all the DNS queries the customer does.

Example: if item.taobao.com is opened, it will be dropped. I have to manually do an nslookup inside the Windows CMD, then the IP will be populated inside the FortiGate, and then the customer will be able to browse it.

- Note: there is no proxy server used.

- If the IP of the subdomain is not included here, traffic destined to it will be dropped:

diagnose test application dnsproxy 6

vfid=1 name=*.taobao.com ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=12 cache_ttl=0 slot=-1 num=9 wildcard=1

         47.246.99.148 (ttl=300:189:189) 47.246.138.134 (ttl=120:10:10) 123.183.232.83 (ttl=86:18:18) 47.246.177.10 (ttl=117:87:87) 47.92.44.90 (ttl=59:30:30)

         47.246.182.10 (ttl=114:105:105) 59.82.120.242 (ttl=47:41:41) 59.82.39.254 (ttl=251:248:248) 47.246.181.10 (ttl=232:231:231)


I already matched the customer DNS with the FortiGate DNS, as recommended in a previous Fortinet KB article, but it didn't solve the issue.

AEK
SuperUser

Hello Hamada

If your web browser uses DNS over TLS/HTTPS, then the FortiGate can't see its DNS requests and the FQDN object will not be populated with all the IP addresses.

AEK
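A way to verify both the symptom in the question (the wildcard FQDN object only holds IPs the FortiGate itself resolved) and the explanation in the reply (queries the FortiGate never sees, for example DNS over HTTPS, never populate it) is to parse the `diagnose test application dnsproxy 6` dump and compare it with the addresses clients actually resolve. The following script is an added example written for this thread; it is not code from the poster, from AEK or from Fortinet. It assumes the dump format exactly as quoted above (a `vfid=... name=... num=... wildcard=...` header followed by `IP (ttl=a:b:c)` entries) and does not interpret what the three TTL counters mean. The `OBSERVED` client resolutions, including the TEST-NET address 203.0.113.10, are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample: same shape as the dnsproxy output quoted in the post.
SAMPLE_DUMP = """\
vfid=1 name=*.taobao.com ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=12 cache_ttl=0 slot=-1 num=9 wildcard=1
         47.246.99.148 (ttl=300:189:189) 47.246.138.134 (ttl=120:10:10) 123.183.232.83 (ttl=86:18:18) 47.246.177.10 (ttl=117:87:87) 47.92.44.90 (ttl=59:30:30)
         47.246.182.10 (ttl=114:105:105) 59.82.120.242 (ttl=47:41:41) 59.82.39.254 (ttl=251:248:248) 47.246.181.10 (ttl=232:231:231)
"""

# Constructed: what clients resolved on their own (e.g. via DoH, invisible to the FortiGate).
# 203.0.113.10 is a documentation address standing in for an IP the firewall never learned.
OBSERVED: Dict[str, Set[str]] = {
    "www.taobao.com": {"47.246.99.148"},      # already in the object -> allowed
    "item.taobao.com": {"203.0.113.10"},      # never seen by the FortiGate -> dropped
    "example.org": {"198.51.100.7"},          # not covered by the wildcard, ignored
}

# One cache entry: "47.246.99.148 (ttl=300:189:189)"; the three counters are kept as printed.
ENTRY_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) \(ttl=(\d+):(\d+):(\d+)\)")


@dataclass
class FqdnCache:
    name: str                                   # e.g. "*.taobao.com"
    attrs: Dict[str, str]                       # header key=value pairs
    entries: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)  # ip -> ttl counters


def parse_dnsproxy(text: str) -> List[FqdnCache]:
    """Parse one or more FQDN objects from 'diagnose test application dnsproxy 6' output."""
    caches: List[FqdnCache] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("vfid="):
            attrs = dict(tok.split("=", 1) for tok in line.split())
            current = FqdnCache(name=attrs["name"], attrs=attrs)
            caches.append(current)
        elif current is not None:
            for ip, a, b, c in ENTRY_RE.findall(line):
                current.entries[ip] = (int(a), int(b), int(c))
    return caches


def header_consistent(cache: FqdnCache) -> bool:
    """The header's num= field should equal the number of IP entries actually listed."""
    return int(cache.attrs.get("num", "-1")) == len(cache.entries)


def matches_wildcard(host: str, pattern: str) -> bool:
    """Subdomain match for a '*.example.com' pattern.
    Assumption: only labels under the suffix match; the apex itself is not claimed here."""
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern.lower()
    return host.endswith("." + pattern[2:].lower())


def unpopulated(cache: FqdnCache, observed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Hostnames covered by the wildcard whose client-resolved IPs are missing from the object.
    Any hit here is traffic the policy will drop until the FortiGate resolves that name itself."""
    gaps: Dict[str, Set[str]] = {}
    for host, ips in observed.items():
        if not matches_wildcard(host, cache.name):
            continue
        missing = ips - cache.entries.keys()
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    for cache in parse_dnsproxy(SAMPLE_DUMP):
        print(f"{cache.name}: {len(cache.entries)} IPs cached, header consistent={header_consistent(cache)}")
        for host, ips in unpopulated(cache, OBSERVED).items():
            print(f"  {host}: client uses {sorted(ips)} but object lacks them (FortiGate never saw the query)")
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the CLI output and `OBSERVED` with the name-to-IP pairs seen in client DNS or connection logs; any hostname reported by `unpopulated` is one whose lookup bypassed the FortiGate resolver, which is the situation the reply describes.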