FortiGate
preznik_FTNT
Staff
Article Id 192082

Description

 

This article explains why, although FortiOS accepts a wildcard (*) when defining a firewall address of type FQDN, such an address object should not be used in a firewall policy. This applies to FortiOS releases prior to 6.2.2; see the note at the end of the article.

Solution

To understand why wildcards should not be used for this purpose, consider how FQDN address objects work on a FortiGate.

The FortiGate maintains an IP address table with one entry for every configured FQDN address object. Take the following three objects as an example:

 

config firewall address
....
    edit "cnn.com"
        set type fqdn
        set fqdn "cnn.com"
    next
    edit "www.cnn.com"
        set type fqdn
        set fqdn "www.cnn.com"
    next
    edit "*.cnn.com"
        set type fqdn
        set fqdn "*.cnn.com"
    next
end

 

This address table can be inspected with the 'diagnose firewall fqdn list' CLI command. Note that the '*.cnn.com' entry carries no ADDR() values at all:

 

(root) # diagnose firewall fqdn list
List all FQDN:
*.cnn.com: ID(4) REF(1)
www.cnn.com: ID(63) REF(1) ADDR(157.166.248.11) ADDR(157.166.249.10) ADDR(157.166.249.11) ADDR(157.166.248.10) ADDR(157.166.239.177) ADDR(157.166.238.48) ADDR(157.166.238.17)
cnn.com: ID(172) REF(1) ADDR(157.166.226.26) ADDR(157.166.226.25)

 

The table is populated by performing a DNS query for each configured FQDN and storing the addresses returned. To see why the wildcard entry stays empty, consider how DNS resolution works for each of the three names in this example.

 

C:\Users\fortinet>nslookup www.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn-56m.gslb.vgtf.net
Addresses:  157.166.248.10
          157.166.248.11
          157.166.249.10
          157.166.249.11
Aliases:  www.cnn.com
          www.cnn.com.vgtf.net

 

If querying cnn.com instead of www.cnn.com, a different result will be displayed:

 

C:\Users\fortinet>nslookup cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn.com
Addresses:  157.166.226.25
          157.166.226.26

 

And querying *.cnn.com returns nothing at all, because a wildcard is not a resolvable DNS name:

 

C:\Users\fortinet>nslookup *.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find *.cnn.com: Non-existent domain

 

Since the DNS server cannot resolve the wildcard name, no IP address is ever added to the table for that object, and a firewall policy that references it matches no traffic at all. The configuration is accepted without any error, so this is easy to miss: a policy intended to allow or block a whole domain silently does nothing, and the traffic is instead evaluated against the remaining policies (and ultimately the implicit deny).

Alternate Solution:

A better place to use wildcards is in a URL filter list referenced by a web filter profile.
Wildcards work in a web filter because the FortiGate reads the host name directly from the Host: header of the HTTP request, so no DNS resolution is needed. For HTTPS traffic the policy also needs an SSL/SSH inspection profile so that the host name is visible to the FortiGate.
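The following Python script models the two behaviours described above: how the FQDN address table is filled from DNS answers (so a wildcard object ends up with no addresses and a policy that references it can never match), and how a URL filter matches the same wildcard against the Host: header without any DNS lookup. This is an added example, not Fortinet code or FortiOS logic; the DNS answers are constructed from the nslookup output on this page, and the glob matching used for the URL filter is an assumption that approximates, rather than reproduces, the exact FortiOS wildcard rules.

```python
"""Model of how a FortiGate fills its FQDN address table from DNS answers,
why a wildcard FQDN object ends up empty, and why the same wildcard works
in a URL filter that matches on the Host: header instead.
Added example, not Fortinet code."""
import fnmatch
import ipaddress

# Constructed DNS answers, copied from the nslookup output on this page.
# A wildcard label such as "*.cnn.com" is not a resolvable DNS name, so the
# resolver answers NXDOMAIN; that is modelled by the name being absent here.
DNS_ANSWERS = {
    "www.cnn.com": ["157.166.248.10", "157.166.248.11",
                    "157.166.249.10", "157.166.249.11"],
    "cnn.com": ["157.166.226.25", "157.166.226.26"],
}

# The three firewall address objects from the config block on this page:
# object name -> configured 'set fqdn' value.
ADDRESS_OBJECTS = {
    "cnn.com": "cnn.com",
    "www.cnn.com": "www.cnn.com",
    "*.cnn.com": "*.cnn.com",
}


def resolve(name):
    """Return the A records for name, or an empty list when the resolver
    answers NXDOMAIN (which is what happens for the wildcard)."""
    return list(DNS_ANSWERS.get(name.lower().rstrip("."), []))


def build_fqdn_table(address_objects):
    """Populate the FQDN address table the way the article describes: one
    DNS query per object, keeping whatever addresses came back (maybe none)."""
    return {
        name: {ipaddress.ip_address(a) for a in resolve(fqdn)}
        for name, fqdn in address_objects.items()
    }


def fqdn_list(table):
    """Render the table like 'diagnose firewall fqdn list' (ID/REF omitted).
    An object that resolved to nothing shows no ADDR() entries at all."""
    return [
        f"{name}:" + "".join(f" ADDR({a})" for a in sorted(addrs))
        for name, addrs in table.items()
    ]


def policy_matches(table, dstaddr_objects, dst_ip):
    """A firewall policy whose dstaddr lists FQDN objects matches a packet
    only if the destination IP is in one of those objects' resolved sets.
    An empty set, as for the wildcard object, can never match anything."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in table[obj] for obj in dstaddr_objects)


def url_filter_matches(patterns, host_header):
    """A web filter URL list sees the host name itself in the HTTP Host:
    header, so the wildcard is matched on the name and DNS is not involved.
    Assumption: shell-style glob matching stands in for the FortiOS rules."""
    host = host_header.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


if __name__ == "__main__":
    table = build_fqdn_table(ADDRESS_OBJECTS)
    for line in fqdn_list(table):
        print(line)
    # The wildcard object matches no traffic at all when used in a policy...
    print("policy dstaddr *.cnn.com matches 157.166.248.10:",
          policy_matches(table, ["*.cnn.com"], "157.166.248.10"))
    # ...while the same wildcard works in a URL filter on the Host: header.
    print("URL filter *.cnn.com matches Host www.cnn.com:",
          url_filter_matches(["*.cnn.com"], "www.cnn.com"))
```

Running the script prints a table in which the '*.cnn.com' line has no ADDR() entries, a policy match result of False for the wildcard object even though the destination IP belongs to www.cnn.com, and True for the URL filter check on the same name.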

 

Note: Support for wildcard FQDN addresses in firewall policies was added in FortiOS 6.2.2. The limitation described above applies to earlier releases.


Related article:
Technical Tip: Using a wildcard FQDN