# config firewall address
    edit "fortinet-fqdn"
        set uuid 96c22534-8a3b-51ea-ad68-98a463172306
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end

When the wildcard FQDN has been configured, it shows as an unresolved FQDN in the firewall address list.

A firewall policy needs to be defined to use the wildcard FQDN.

# config firewall policy
    edit 8
        set name "fqdn-policy"
        set srcintf "port9"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "fortinet-fqdn"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Initially the wildcard entry lists no addresses:

# diagnose firewall fqdn list | grep fortinet
*.fortinet.com: ID(48)

After addresses have been learned, the same command shows them:

# diagnose firewall fqdn list | grep fortinet
*.fortinet.com: ID(48) ADDR(208.91.113.75) ADDR(208.91.113.80) ADDR(208.91.113.85) ADDR(34.228.249.126) ADDR(34.226.137.150) ADDR(96.45.36.159)

Sometimes a new DNS query replaces the existing entries learned by the FortiGate.

# config firewall address
    edit "wildcard.google.com"
        set type fqdn
        set fqdn "*.google.com"
        set cache-ttl 86400    <-----
    next
end

# diagnose test application dnsproxy 6
vfid=0 name=*.google.com ver=IPv4 min_ttl=37:0, cache_ttl=0 , slot=-1, num=4, wildcard=1
172.217.1.164 (ttl=94:0:0) 172.217.164.205 (ttl=114:0:0) 172.217.1.14 (ttl=106:0:0) 172.217.164.238 (ttl=37:0:0)

Doing an nslookup for mail.google.com replaced all four entries above.

nslookup mail.google.com
> mail.google.com
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: googlemail.l.google.com
Addresses: 2607:f8b0:400b:809::2005
172.217.165.5
Aliases: mail.google.com

# diagnose test application dnsproxy 6
vfid=0 name=*.google.com ver=IPv4 min_ttl=41:0, cache_ttl=0 , slot=-1, num=2, wildcard=1
172.217.1.174 (ttl=255:0:0) 172.217.165.5 (ttl=263:221:221)

Then an nslookup for drive.google.com: the IP 172.217.1.174 is replaced.

> drive.google.com
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: drive.google.com
Addresses: 2607:f8b0:400b:800::200e
172.217.164.206

# diagnose test application dnsproxy 6
vfid=0 name=*.google.com ver=IPv4 min_ttl=110:0, cache_ttl=0 , slot=-1, num=2, wildcard=1
172.217.165.5 (ttl=263:85:85) 172.217.164.206 (ttl=299:275:275)

The IP addresses are replaced because they have already expired.
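The replacement behaviour above matters when auditing which destinations a wildcard-FQDN policy actually covers at a given moment: an address that has expired out of the cache no longer matches the policy, and a later DNS answer for a different host under the same wildcard can evict it. The following Python is an added example, not code from the Fortinet page or from FortiOS: it parses the `diagnose test application dnsproxy 6` output shown above and models expiry and replacement of learned addresses. Its assumptions are labelled in the comments: the first `ttl` field is taken as the DNS answer's TTL and the second as the remaining lifetime (it shrinks between the page's two captures and is 0 on every entry that was replaced); `cache-ttl` is modelled as a floor on the cached lifetime; and `*.google.com` is taken to match hosts below `google.com` but not the bare domain. All function names (`parse_dnsproxy`, `apply_answer`, `tick`, and so on) are this example's own, and the sample text is constructed from the page's first capture.

```python
"""Added example (not from the Fortinet page): parse the wildcard-FQDN cache printed by
`diagnose test application dnsproxy 6` and model how learned addresses expire and are
replaced by later DNS answers. Field meanings not stated on the page are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: the first `dnsproxy 6` capture from the page.
SAMPLE_BEFORE = (
    "vfid=0 name=*.google.com ver=IPv4 min_ttl=37:0, cache_ttl=0 , slot=-1, num=4, wildcard=1\n"
    "172.217.1.164 (ttl=94:0:0) 172.217.164.205 (ttl=114:0:0) "
    "172.217.1.14 (ttl=106:0:0) 172.217.164.238 (ttl=37:0:0)\n"
)

HEADER_RE = re.compile(
    r"vfid=(?P<vfid>\d+)\s+name=(?P<name>\S+)\s+ver=(?P<ver>\S+).*?"
    r"num=(?P<num>\d+),\s*wildcard=(?P<wc>[01])"
)
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(ttl=(?P<ttl>\d+):(?P<rem>\d+):\d+\)"
)


@dataclass
class CacheEntry:
    ip: str
    dns_ttl: int    # first ttl field: the TTL carried by the DNS answer (assumption)
    remaining: int  # second field, assumed to be the remaining lifetime: it shrinks between
                    # the page's captures and is 0 on every entry that was replaced


@dataclass
class WildcardCache:
    name: str
    vfid: int
    wildcard: bool
    entries: list = field(default_factory=list)


def parse_dnsproxy(text):
    """Parse one or more cache blocks (a header line followed by address lines)."""
    caches = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            caches.append(WildcardCache(m["name"], int(m["vfid"]), m["wc"] == "1"))
            continue
        if caches:
            for e in ENTRY_RE.finditer(line):
                caches[-1].entries.append(CacheEntry(e["ip"], int(e["ttl"]), int(e["rem"])))
    return caches


def matches_wildcard(pattern, hostname):
    """'*.google.com' matches 'mail.google.com' but not 'google.com' or 'notgoogle.com'
    (assumed label-boundary semantics for the leading '*')."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # '.google.com'
    return hostname.endswith(suffix) and len(hostname) > len(suffix)


def expired(cache):
    """Entries whose remaining lifetime has reached zero."""
    return [e for e in cache.entries if e.remaining <= 0]


def current_ips(cache):
    """Addresses the wildcard address object currently resolves to."""
    return {e.ip for e in cache.entries if e.remaining > 0}


def tick(cache, seconds):
    """Advance time: count down the remaining lifetime of every entry."""
    for e in cache.entries:
        e.remaining = max(0, e.remaining - seconds)


def apply_answer(cache, hostname, ips, dns_ttl, cache_ttl=0):
    """Model a DNS answer for `hostname` seen by the FortiGate.

    If the name matches the wildcard, expired entries are evicted and the answered IPs are
    (re)inserted. `cache_ttl` models `set cache-ttl`, taken here as a floor on the cached
    lifetime (assumption). Returns the evicted IPs, or None if the name does not match."""
    if not matches_wildcard(cache.name, hostname):
        return None
    evicted = [e.ip for e in expired(cache)]
    cache.entries = [e for e in cache.entries if e.remaining > 0 and e.ip not in ips]
    lifetime = max(dns_ttl, cache_ttl)
    cache.entries.extend(CacheEntry(ip, dns_ttl, lifetime) for ip in ips)
    return evicted


if __name__ == "__main__":
    cache = parse_dnsproxy(SAMPLE_BEFORE)[0]
    print("learned:", [e.ip for e in cache.entries], "expired:", [e.ip for e in expired(cache)])
    print("evicted by mail.google.com:", apply_answer(cache, "mail.google.com", ["172.217.165.5"], 263))
    print("now covered:", sorted(current_ips(cache)))
```

Run it with the page's first capture and all four learned addresses show as expired; a single answer for `mail.google.com` then evicts all four and leaves only `172.217.165.5` covered, which is the outcome the page reports. Feeding a real `dnsproxy 6` dump into `parse_dnsproxy` and diffing `current_ips` across two captures is a quick way to see which destinations dropped out of a wildcard policy between the two snapshots.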
Copyright 2023 Fortinet, Inc. All Rights Reserved.