FortiGate
jangelis
Staff
Article Id 293261
Description: This article describes the conditions under which wildcard FQDN address objects get populated.
Scope: FortiGate.
Solution:

Support for wildcard FQDN addresses in firewall policies was added in FortiOS 6.2.2. Unlike standard FQDN objects, a wildcard FQDN object is updated only when a DNS query and its response traverse the FortiGate.

If the name in the DNS response matches the wildcard FQDN, the resolved IP address is added to the FortiGate's cache for that address object.

If VDOMs are in use, the DNS response must traverse the specific VDOM in which the wildcard FQDN is configured.

If the address objects are not being populated, check the following:

  • Confirm that the DNS queries and responses are traversing the FortiGate (or the particular VDOM).
  • If DNS uses UDP on port 53, ensure that the DNS session helper (dns-udp) is applied to the session.

This can be checked in the debug flow output, where the dns-udp helper should run in both the original and the reply direction:

id=65308 trace_id=1 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=17, 10.254.3.215:49853->8.8.8.8:53) tun_id=0.0.0.0 from lan. "
id=65308 trace_id=1 func=init_ip_session_common line=5980 msg="allocate a new session-00004105, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.0.2.1 via wan1"
id=65308 trace_id=1 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=1 func=get_new_addr line=1235 msg="find SNAT: IP-192.0.2.177(from IPPOOL), port-49853"
id=65308 trace_id=1 func=fw_forward_handler line=994 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3393 msg="SNAT 10.254.3.215->192.0.2.177:49853"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3445 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=2 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=17, 8.8.8.8:53->192.0.2.177:49853) tun_id=0.0.0.0 from wan1. "
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5885 msg="Find an existing session, id-00004105, reply direction"
id=65308 trace_id=2 func=__ip_session_run_tuple line=3407 msg="DNAT 192.0.2.177:49853->10.254.3.215:49853"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-10.254.3.215 via lan"
id=65308 trace_id=2 func=npu_handle_session44 line=1201 msg="Trying to offloading session from wan1 to lan, skb.npu_flag=00000000 ses.state=00010200 ses.npu_state=0x04000000"
id=65308 trace_id=2 func=fw_forward_dirty_handler line=436 msg="state=00010200, state2=00000000, npu_state=04000000"
id=65308 trace_id=2 func=__ip_session_run_tuple line=3445 msg="run helper-dns-udp(dir=reply)"

Or in the session list (note helper=dns-udp and the reply packet count):

session info: proto=17 proto_state=01 duration=8 expire=171 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=60/1/1 reply=76/1/1 tuples=2
tx speed(Bps/kbps): 6/0 rx speed(Bps/kbps): 8/0
orgin->sink: org pre->post, reply pre->post dev=34->7/7->34 gwy=192.0.2.1/10.254.3.215
hook=post dir=org act=snat 10.254.3.215:49853->8.8.8.8:53(192.0.2.177:49853)
hook=pre dir=reply act=dnat 8.8.8.8:53->192.0.2.177:49853(10.254.3.215:49853)
misc=0 policy_id=1 pol_uuid_idx=550 auth_info=0 chk_client_info=0 vd=0
serial=00004105 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04
  • If DNS uses DoH or DoT, ensure that full SSL inspection is used so that the FortiGate can decrypt the traffic and see the DNS response.
  • Another mandatory condition is the following setting, which is enabled per VDOM by default:

config system network-visibility
    set destination-hostname-visibility enabled
end
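The checks above can be scripted against the CLI output. The following Python script is an added example, not part of the original article or of Fortinet's own tooling: it parses a debug flow capture, a session-list entry and the network-visibility config dump (the samples from this article, embedded here as constructed input) and reports which of the named conditions is not met. The regular expressions and function names are assumptions fitted to the output shown on this page, not to every FortiOS release; the config check accepts both "enabled" as shown in the article and "enable" as the CLI usually prints it.

```python
import re

# Constructed sample inputs: the debug flow, session-list and config output
# quoted in the article, reduced to the lines the checks need.
DEBUG_FLOW = """\
id=65308 trace_id=1 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=17, 10.254.3.215:49853->8.8.8.8:53) tun_id=0.0.0.0 from lan. "
id=65308 trace_id=1 func=__ip_session_run_tuple line=3445 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=2 func=print_pkt_detail line=5802 msg="vd-root:0 received a packet(proto=17, 8.8.8.8:53->192.0.2.177:49853) tun_id=0.0.0.0 from wan1. "
id=65308 trace_id=2 func=__ip_session_run_tuple line=3445 msg="run helper-dns-udp(dir=reply)"
"""

SESSION_LIST = """\
session info: proto=17 proto_state=01 duration=8 expire=171 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=dns-udp vlan_cos=0/255
statistic(bytes/packets/allow_err): org=60/1/1 reply=76/1/1 tuples=2
hook=post dir=org act=snat 10.254.3.215:49853->8.8.8.8:53(192.0.2.177:49853)
misc=0 policy_id=1 pol_uuid_idx=550 auth_info=0 chk_client_info=0 vd=0
"""

NETWORK_VISIBILITY = """\
config system network-visibility
    set destination-hostname-visibility enabled
end
"""

# "vd-root:0 received a packet(proto=17, 10.254.3.215:49853->8.8.8.8:53)"
PKT_RE = re.compile(
    r'vd-(?P<vdom>\w+):\d+ received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
)
# "run helper-dns-udp(dir=original)"
HELPER_RE = re.compile(r'run helper-(?P<helper>[\w-]+)\(dir=(?P<dir>\w+)\)')
# "org=60/1/1 reply=76/1/1" -> bytes/packets/allow_err per direction
STAT_RE = re.compile(r'org=\d+/(?P<org_pkts>\d+)/\d+ reply=\d+/(?P<reply_pkts>\d+)/\d+')


def check_debug_flow(text, vdom="root"):
    """Look for a UDP/53 query and its reply received in the given VDOM and
    for the dns-udp helper running on both directions of the session."""
    result = {"query_in_vdom": False, "reply_in_vdom": False,
              "helper_original": False, "helper_reply": False}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m and m.group("proto") == "17" and m.group("vdom") == vdom:
            if m.group("dport") == "53":
                result["query_in_vdom"] = True
            elif m.group("sport") == "53":
                result["reply_in_vdom"] = True
        h = HELPER_RE.search(line)
        if h and h.group("helper") == "dns-udp":
            key = "helper_" + h.group("dir")
            if key in result:
                result[key] = True
    return result


def check_session(text):
    """Extract protocol, helper, VDOM index and reply packet count from one
    'diagnose sys session list' entry."""
    info = {"proto": None, "helper": None, "vd": None, "reply_pkts": 0}
    m = re.search(r'session info: proto=(\d+)', text)
    if m:
        info["proto"] = int(m.group(1))
    m = re.search(r'helper=([\w-]+)', text)
    if m:
        info["helper"] = m.group(1)
    m = re.search(r'\bvd=(\d+)', text)
    if m:
        info["vd"] = int(m.group(1))
    m = STAT_RE.search(text)
    if m:
        info["reply_pkts"] = int(m.group("reply_pkts"))
    return info


def check_network_visibility(text):
    """True when destination-hostname-visibility is enabled in the dump."""
    m = re.search(r'set destination-hostname-visibility (\w+)', text)
    return m is not None and m.group(1) in ("enable", "enabled")


def diagnose(debug_flow, session_list, visibility_cfg, vdom="root"):
    """Return the list of failed conditions; an empty list means every
    condition the article names is satisfied for this VDOM."""
    failures = []
    flow = check_debug_flow(debug_flow, vdom)
    if not (flow["query_in_vdom"] and flow["reply_in_vdom"]):
        failures.append(f"DNS query/response not seen in VDOM {vdom}")
    if not (flow["helper_original"] and flow["helper_reply"]):
        failures.append("dns-udp helper did not run on both directions")
    sess = check_session(session_list)
    if sess["proto"] == 17 and sess["helper"] != "dns-udp":
        failures.append("UDP/53 session has no dns-udp helper")
    if sess["reply_pkts"] == 0:
        failures.append("no DNS reply packets counted on the session")
    if not check_network_visibility(visibility_cfg):
        failures.append("destination-hostname-visibility is not enabled")
    return failures


if __name__ == "__main__":
    for item in diagnose(DEBUG_FLOW, SESSION_LIST, NETWORK_VISIBILITY) or ["all conditions met"]:
        print(item)
```

Run it with the debug flow filtered on the resolver's address (for example `diagnose debug flow filter addr 8.8.8.8`) and the matching session entry pasted into the three strings; passing a different `vdom` name reproduces the VDOM mismatch case described above, where the response is seen by the FortiGate but not by the VDOM that holds the wildcard FQDN.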

Related articles:
Technical Tip: Using a wildcard FQDN

DNS inspection with DoT and DoH

Technical Note: How to Configure ‘Network Visibility’ to view the country flags, country name and ho...