Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SecurityPlus
Contributor II

Policy - Destination - Wildcard FQDN

Using FortiOS 6.0.9. Need to run backups to a cloud server destination (*.domain.com). Was going to add an IPv4 policy with this address as the destination to exempt this traffic from normal antivirus, web filtering, DNS, etc. evaluation. I see that there is a Wildcard FQDN Address list. I created the address in this section but I can not list this address as the destination in the policy. I see that Wildcard FQDN Addresses are to be used in SSL exemptions and should not be used as source or destination addresses in policies. I can't be the first person to have this as a requirement. Is there a good workaround?

 

I think I noticed tat newer firmware versions have this ability but I was trying to wait until the 6.2 and 6.4 versions became more mature but before upgrading.

[size="1"]FWF30E, FG40F, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG60F, FG80E, FG100D[/size] FortiOS 5.2, 5.4, 5.6, 6.0, 6.2, and 6.4 FortiSwitch FS-224E-POE, FS-124E-POE FAP-221E, FAP-224E, FAP-221C

1 Solution
sw2090
Honored Contributor

As far as I remember (but I might be wrong here) this is not supported in 6.0 but was implementert with 6.2. But you might have to take a look at the 6.2 release notes as I am not 100% sure.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

8 REPLIES 8
sw2090
Honored Contributor

As far as I remember (but I might be wrong here) this is not supported in 6.0 but was implementert with 6.2. But you might have to take a look at the 6.2 release notes as I am not 100% sure.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

SecurityPlus

Thanks! What was the best way to handle this pre FortiOS 6.2? Was it necessary to specify FQDN without using wildcards?

 

Instead of:

*.domain.com

 

This might involve:

www.domain.com

domain.com

ftp.domain.com

server.domain.com

[size="1"]FWF30E, FG40F, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG60F, FG80E, FG100D[/size] FortiOS 5.2, 5.4, 5.6, 6.0, 6.2, and 6.4 FortiSwitch FS-224E-POE, FS-124E-POE FAP-221E, FAP-224E, FAP-221C

lobstercreed

Yes, that's the "right" way.  When I opened a TAC case about this a couple years ago it was explained to me that this was simply impossible, which made sense to me, so I'm extremely curious (and somewhat dubious) about how they're accomplishing this post 6.2  (I did test on my 6.4.2 env and it seems to work).

 

The point being made to me when TAC said it was impossible was, how can I, a humble user/network possibly find all subdomains of a domain?  I can't query for every word/non-word in the English language and most domains don't allow a zone transfer, soo...how could it even be done? 

 

The "address" is the layer 3/IP address part of the packet, so any domain has to be translated to the IP to determine if it should match, so you have to know what to look up.  That's totally different than when you're using a wildcard to inspect the SSL or HTTP headers for a web filter, which is why wildcard FQDNs could be used in that context.  So I am sitting here, still confused...if anyone can explain that would be great.

emnoc
Esteemed Contributor III

Lobstercreed 

 

Your correct that would not be feasible and at worst  you would tack the firewall in trying to multiple populate A records in the local dns-cache, eating memory and cpu.

 

 

next, if you tried to be creative and place a wildcard that will net you nothing; since the firewall would think you are looking for a A record with the name asterisk in it

 

e.g

 

edit "widlcard-hp.com" set uuid 7dd39438-0fc2-51eb-94dd-2343bd0f9186 set type fqdn set fqdn "*.hp.com" next

 

 

The local-dns cache can be reviewed  via cli-cmd "diag firewall fqdn list" fwiw and to validate fqdn resolution. If you really need to use a wildcard, you would need to build a fqdn list or something and apply that into the rule. 

 

just my 2cts thoughts and observations

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

SecurityPlus
Contributor II

So if a trusted vendor asks us to whitelist *.domain.com and does not provide the non-wildcard FQDN addresses, and the firewall FortiOS does not support wildcard FQDN names in IPv4 policies, is there a workaround?

[size="1"]FWF30E, FG40F, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG60F, FG80E, FG100D[/size] FortiOS 5.2, 5.4, 5.6, 6.0, 6.2, and 6.4 FortiSwitch FS-224E-POE, FS-124E-POE FAP-221E, FAP-224E, FAP-221C

lobstercreed

It depends on what you take "whitelist" to mean.  I take it to mean "don't block me in your web filters or spam filters" and that's easy enough to do.  I would assume you have a general rule allowing at least HTTP/HTTPS traffic to all addresses, and maybe a web filter profile attached to that.  Whitelist them in that web filter, but it's not like you'd be crafting a special policy to allow XYZ ports to any and all hosts on some domain (or vice versa).

 

Any application that requires special ports open should be able to provide a list of IPs or FQDNs that the application reaches out to. If not, well....you have to open it to all hosts or monitor the traffic and figure out what it's doing for them -- because that is the network guy's job...to know how everything else works *sigh*

emnoc
Esteemed Contributor III

Agreed

 

Also if the sites are to be whitelist the vendor probably can provide a list of the domains hostnames. I'm working with a hosting provider that provide us the syntax of the hosted webserver even thought  50% of them are not up. So we have a FQDN list 

 

  web{XXX}.customerdomain.com

 

And I built a fqdn address objects that we push to the fortigate for all 1000 seq# 000-999, so if they add any server with that name, it's allowed and I do not have to go back and touch the policy.

 

FWIW I do not know of one firewall vendor that allows a wildcard dns-name ( FTNT JNPR CHKP PANW etc....) They use address-list, or webfilter rules for example.

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

SecurityPlus

Thanks everyone! I finally got the list of FQDN's so that the wildcard should not be necessary.

[size="1"]FWF30E, FG40F, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG60F, FG80E, FG100D[/size] FortiOS 5.2, 5.4, 5.6, 6.0, 6.2, and 6.4 FortiSwitch FS-224E-POE, FS-124E-POE FAP-221E, FAP-224E, FAP-221C