Created on 12-17-2014 06:30 PM | Edited on 12-09-2022 02:55 AM | By Jean-Philippe_P
Description
This article explains why, although FortiOS allows a wildcard (*) in a firewall address of type FQDN, such addresses should not be used in a firewall policy.
Solution:
To understand why wildcards should not be used for this purpose, consider how FQDN objects work in a FortiGate.
FortiGate creates an IP address table for all configured FQDNs.
# config firewall address
....
    edit "cnn.com"
        set type fqdn
        set fqdn "cnn.com"
    next
    edit "www.cnn.com"
        set type fqdn
        set fqdn "www.cnn.com"
    next
    edit "*.cnn.com"
        set type fqdn
        set fqdn "*.cnn.com"
    next
end
Check this address table using the 'diagnose firewall fqdn list' CLI command.
(root) # diagnose firewall fqdn list
List all FQDN:
*.cnn.com: ID(4) REF(1)
www.cnn.com: ID(63) REF(1) ADDR(157.166.248.11) ADDR(157.166.249.10) ADDR(157.166.249.11) ADDR(157.166.248.10) ADDR(157.166.239.177) ADDR(157.166.238.48) ADDR(157.166.238.17)
cnn.com: ID(172) REF(1) ADDR(157.166.226.26) ADDR(157.166.226.25)
This table is populated by performing a DNS query for each FQDN address. Consider how DNS resolution works for the FQDN objects in this example.
C:\Users\fortinet>nslookup www.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn-56m.gslb.vgtf.net
Addresses:  157.166.248.10
          157.166.248.11
          157.166.249.10
          157.166.249.11
Aliases:  www.cnn.com
          www.cnn.com.vgtf.net
If querying cnn.com instead of www.cnn.com, a different result will be displayed:
C:\Users\fortinet>nslookup cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn.com
Addresses:  157.166.226.25
          157.166.226.26
And if querying *.cnn.com, no result will be displayed:
C:\Users\fortinet>nslookup *.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find *.cnn.com: Non-existent domain
Because the DNS server returns no result, no IP is added to the address table for the wildcard FQDN object. The object therefore never matches any traffic, and a firewall policy that references it has no effect.
Alternate Solution:
A better place to use wildcards is in a URL list (referenced from a web filter profile).
Wildcards work in a web filter because the FortiGate reads the host name from the Host: header of the HTTP request and matches it as a string, so no DNS resolution is needed.
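The following is an added example, not Fortinet code and not taken from this article, that simulates the two mechanisms contrasted above: the FQDN address table that FortiOS populates from DNS answers (the "Solution" section) and the string match against the HTTP Host: header that a web filter URL list performs (the "Alternate Solution"). The DNS answers are a constructed offline stand-in for a real resolver, using the addresses printed in the diagnose output above; the wildcard semantics of the URL-list match are approximated with fnmatch and are an assumption, not a description of the FortiOS implementation.

```python
"""
Simulation (not Fortinet code) of why a wildcard FQDN object stays empty while
a wildcard URL-list entry still matches.

1. FQDN address objects: the firewall resolves each object's name with DNS and
   keeps the A records it gets back; a policy then compares a packet's
   destination IP with that list. "*.cnn.com" is not a resolvable hostname, so
   the lookup fails and the object never matches anything.
2. Web filter URL list: the host name is taken from the HTTP Host: header and
   compared as a string, so a wildcard pattern works without any DNS lookup.
"""
from fnmatch import fnmatchcase

# Constructed resolver data (name -> A records) with the addresses shown in the
# article's diagnose output. There is deliberately no entry for "*.cnn.com":
# a wildcard label is not a hostname, and the article's nslookup shows NXDOMAIN.
STUB_DNS = {
    "cnn.com": ["157.166.226.25", "157.166.226.26"],
    "www.cnn.com": ["157.166.248.10", "157.166.248.11",
                    "157.166.249.10", "157.166.249.11"],
}

# Constructed sample HTTP request, as the web filter would see it.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.cnn.com\r\n"
    "User-Agent: constructed-sample\r\n"
    "\r\n"
)


def resolve(name, dns=STUB_DNS):
    """Return the A records for `name`, or [] when DNS has no answer (NXDOMAIN)."""
    return list(dns.get(name, []))


def build_fqdn_table(fqdn_objects, dns=STUB_DNS):
    """Mimic 'diagnose firewall fqdn list': one entry per object, filled from DNS."""
    return {name: resolve(name, dns) for name in fqdn_objects}


def policy_matches_ip(table, object_name, dst_ip):
    """A policy that references an FQDN object only matches IPs in its table entry."""
    return dst_ip in table.get(object_name, [])


def host_from_request(raw_request):
    """Extract the host name from the Host: header of a raw HTTP/1.x request.

    Returns None when the header is absent. A trailing ":port" is stripped.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:           # skip the request line
        if line.lower().startswith("host:"):
            value = line.split(":", 1)[1].strip()
            return value.split(":")[0].lower()
    return None


def urlfilter_matches(pattern, raw_request):
    """Wildcard URL-list match on the Host header; no DNS involved.

    fnmatch-style '*' is an assumption standing in for the FortiOS matcher.
    """
    host = host_from_request(raw_request)
    return host is not None and fnmatchcase(host, pattern.lower())


if __name__ == "__main__":
    table = build_fqdn_table(["cnn.com", "www.cnn.com", "*.cnn.com"])
    for name, addrs in table.items():
        shown = " ".join(f"ADDR({a})" for a in addrs) or "(no addresses)"
        print(f"{name}: {shown}")
    # The wildcard object has no addresses, so it can never match a destination IP.
    print("policy via *.cnn.com matches 157.166.248.10:",
          policy_matches_ip(table, "*.cnn.com", "157.166.248.10"))
    # The same wildcard works as a URL-list pattern against the Host header.
    print("urlfilter *.cnn.com matches request:",
          urlfilter_matches("*.cnn.com", SAMPLE_REQUEST))
```

Note that the string match is also stricter than it may look: "*.cnn.com" matches "www.cnn.com" but not the bare "cnn.com", which is why the configuration above keeps "cnn.com" as a separate object.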
Copyright 2023 Fortinet, Inc. All Rights Reserved.