Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
preznik_FTNT
Staff
Staff

Created on ‎12-17-2014 06:30 PM Edited on ‎12-09-2022 02:55 AM By Moderator

Article Id 192082

Technical Tip: Wildcard FQDN firewall address should not be used in a firewall policy

Description

 

This article describes that although FortiOS will allow the inclusion of a wildcard (*) when defining a firewall address of type FQDN, it is not recommended that such firewall addresses be used in a firewall policy.

Solution:

To understand why wildcards should not be used for this purpose, consider how FQDN objects work in a FortiGate.

FortiGate creates an IP address table for all configured FQDNs.

 

# config firewall address
....
    edit "cnn.com"
        set type fqdn
        set fqdn "cnn.com"
    next
    edit "www.cnn.com"
        set type fqdn
        set fqdn "www.cnn.com"
    next
    edit "*.cnn.com"
        set type fqdn
        set fqdn "*.cnn.com"
    next
end

 

Check this address table using the 'diagnose firewall fqdn list' CLI command.

 

(root) # diagnose firewall fqdn list
List all FQDN:
*.cnn.com: ID(4) REF(1)
www.cnn.com: ID(63) REF(1) ADDR(157.166.248.11) ADDR(157.166.249.10) ADDR(157.166.249.11) ADDR(157.166.248.10) ADDR(157.166.239.177) ADDR(157.166.238.48) ADDR(157.166.238.17)
cnn.com: ID(172) REF(1) ADDR(157.166.226.26) ADDR(157.166.226.25)

 

This table is populated by performing a DNS query for each FQDN address. Consider how DNS resolution works for the FQDN objects in this example.

 

C:\Users\fortinet>nslookup www.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn-56m.gslb.vgtf.net
Addresses:  157.166.248.10
          157.166.248.11
          157.166.249.10
          157.166.249.11
Aliases:  www.cnn.com
          www.cnn.com.vgtf.net

 

If querying cnn.com instead of www.cnn.com, a different result will be displayed:

 

C:\Users\fortinet>nslookup cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn.com
Addresses:  157.166.226.25
          157.166.226.26

 

And if querying *.cnn.com, no result will be displayed:

 

C:\Users\fortinet>nslookup *.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find *.cnn.com: Non-existent domain

 

If the DNS server cannot provide results, no IP will be added to the address table and consequently the configured wildcard FQDN will have no effect.

Alternate Solution:


A better place to use wildcards is by configuring a URL list (referenced in a web filter profile).

The reason that wildcards work in a web filter is that FortiGate can see the host in a Host: header in an HTTP request, so no DNS resolution is needed.

66593
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.