FortiGate
preznik_FTNT
Staff
Article Id 192082

Description


Although FortiOS accepts a wildcard (*) when defining a firewall address of type FQDN, this article explains why such an address should not be used in a firewall policy: the wildcard name cannot be resolved by DNS, so the address object never receives any IP addresses and a policy that references it matches no traffic.

Solution:

To understand why wildcards should not be used for this purpose, consider how FQDN objects work in a FortiGate.

FortiGate creates an IP address table for all configured FQDNs.


# config firewall address
....
    edit "cnn.com"
        set type fqdn
        set fqdn "cnn.com"
    next
    edit "www.cnn.com"
        set type fqdn
        set fqdn "www.cnn.com"
    next
    edit "*.cnn.com"
        set type fqdn
        set fqdn "*.cnn.com"
    next
end


Check this address table using the 'diagnose firewall fqdn list' CLI command.


(root) # diagnose firewall fqdn list
List all FQDN:
*.cnn.com: ID(4) REF(1)
www.cnn.com: ID(63) REF(1) ADDR(157.166.248.11) ADDR(157.166.249.10) ADDR(157.166.249.11) ADDR(157.166.248.10) ADDR(157.166.239.177) ADDR(157.166.238.48) ADDR(157.166.238.17)
cnn.com: ID(172) REF(1) ADDR(157.166.226.26) ADDR(157.166.226.25)


This table is populated by performing a DNS query for each FQDN address. Consider how DNS resolution works for the FQDN objects in this example.


C:\Users\fortinet>nslookup www.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn-56m.gslb.vgtf.net
Addresses:  157.166.248.10
          157.166.248.11
          157.166.249.10
          157.166.249.11
Aliases:  www.cnn.com
          www.cnn.com.vgtf.net


If querying cnn.com instead of www.cnn.com, a different result will be displayed:


C:\Users\fortinet>nslookup cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn.com
Addresses:  157.166.226.25
          157.166.226.26


And if querying *.cnn.com, no result will be displayed:


C:\Users\fortinet>nslookup *.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find *.cnn.com: Non-existent domain


Because the DNS server returns no answer for the wildcard name, no IP address is added to the table for '*.cnn.com' (this is why that entry shows no ADDR values in the 'diagnose firewall fqdn list' output above, while 'cnn.com' and 'www.cnn.com' do). A firewall policy that references this address object therefore matches no traffic at all: a deny policy blocks nothing and an accept policy permits nothing, and the failure is silent, since FortiOS reports no configuration error. Note also that each concrete FQDN object covers only the addresses returned for that exact name, so 'cnn.com' does not cover 'www.cnn.com' or any other host under the domain.

Later FortiOS releases added a separate wildcard FQDN address type that is populated by inspecting DNS responses passing through the FortiGate rather than by querying the wildcard name itself; it only works when client DNS traffic traverses the firewall and is outside the scope of this article.

Alternate Solution:


A better place to use a wildcard is in a URL filter list (referenced from a web filter profile).

Wildcards work in a web filter because the FortiGate matches on the host name the client itself sends, in the Host: header of an HTTP request (or, for HTTPS, the SNI or server certificate name available to SSL inspection), so no DNS resolution of the pattern is needed and every host under the domain is covered regardless of which IP addresses it resolves to.
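The contrast between the two approaches above (an FQDN address object containing a wildcard, which never acquires any IP addresses, versus a web filter URL entry that matches on the Host: header) as an added Python model. This is not code from the Fortinet article and not FortiOS code: the resolver, zone records, policy table and HTTP request are constructed test input. The addresses come from the nslookup output in the article; the host 'edition.cnn.com' and its address are assumptions, and wildcard matching is modelled as a shell-style glob, which simplifies FortiOS's own rules.

```python
# Added example, not code from the Fortinet article or from FortiOS: a small
# model of the two matching mechanisms the article contrasts.
#  - A firewall address of type FQDN is matched by IP, using a table that the
#    FortiGate fills from DNS answers. A wildcard name gets NXDOMAIN, so its
#    table stays empty and a policy referencing it can never match a packet.
#  - A web filter URL entry is matched against the host name in the client's
#    HTTP Host: header, so a wildcard works there with no DNS lookup at all.
# The zone data, policy table and HTTP request below are constructed test
# input (addresses taken from the article's nslookup output; the host
# "edition.cnn.com" and its address are assumptions not present in the article).
from fnmatch import fnmatchcase
from ipaddress import ip_address

# Constructed stand-in for the DNS server's view of the zone.
ZONE = {
    "www.cnn.com": ["157.166.248.10", "157.166.248.11",
                    "157.166.249.10", "157.166.249.11"],
    "cnn.com": ["157.166.226.25", "157.166.226.26"],
    "edition.cnn.com": ["157.166.255.19"],   # assumed host/address, not in the article
}


def resolve(name):
    """Model of the DNS query the FortiGate issues for each FQDN object.
    A literal '*' label is just an ordinary nonexistent name to a resolver,
    so it gets NXDOMAIN, modelled here as an empty answer."""
    return list(ZONE.get(name.lower(), []))


def build_fqdn_table(fqdn_objects):
    """Model of 'diagnose firewall fqdn list': one IP set per address object."""
    return {obj: set(resolve(obj)) for obj in fqdn_objects}


def policy_matches(fqdn_table, address_object, dst_ip):
    """A firewall policy using an FQDN address is evaluated on the packet's
    destination IP only; the host name the client wanted is never consulted."""
    if address_object == "all":
        return True
    return str(ip_address(dst_ip)) in fqdn_table.get(address_object, set())


def evaluate_policies(policies, fqdn_table, dst_ip):
    """Walk a top-down policy table (first match wins, as on a FortiGate) and
    return the action for a packet to dst_ip. 'policies' is a list of
    (destination address object, action) pairs; implicit deny at the bottom."""
    for address_object, action in policies:
        if policy_matches(fqdn_table, address_object, dst_ip):
            return action
    return "deny"


def host_header(request):
    """Extract the Host: header value from a raw HTTP/1.1 request, minus any
    port, which is what the web filter matches on (no DNS involved)."""
    for line in request.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip().split(":")[0].lower()
    return None


def urlfilter_matches(pattern, host):
    """Web filter URL entry of type 'wildcard', modelled as shell-style glob
    matching. Simplification: FortiOS's exact wildcard rules are not
    described in the article."""
    return fnmatchcase(host.lower(), pattern.lower())


# Constructed client request to a host covered by the wildcard.
REQUEST = (
    "GET /world HTTP/1.1\r\n"
    "Host: edition.cnn.com\r\n"
    "User-Agent: example\r\n"
    "\r\n"
)


def demo():
    """Run both mechanisms against the same constructed traffic."""
    table = build_fqdn_table(["cnn.com", "www.cnn.com", "*.cnn.com"])
    # Policy meant to block every host under cnn.com, then a catch-all accept.
    policies = [("*.cnn.com", "deny"), ("all", "accept")]
    dst = ZONE["edition.cnn.com"][0]
    return {
        "wildcard_table": sorted(table["*.cnn.com"]),             # [] - nothing learned
        "policy_action": evaluate_policies(policies, table, dst),  # 'accept': the deny never fires
        "urlfilter_hit": urlfilter_matches("*.cnn.com", host_header(REQUEST)),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The policy walk shows the failure mode the article warns about: the deny rule built on '*.cnn.com' is silently skipped and the catch-all accept wins, whereas the same pattern applied to the Host: header matches immediately. Replacing the wildcard object with 'www.cnn.com' makes the deny fire, but only for that one name's addresses.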