The wildcard is working for me. This is something to do with DNS resolving, as per the documentation:
When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.
I have a FortiGate in a mode where the FortiGate provides DNS for clients on its local interfaces.
Unfortunately this feature is not documented as it should be. Should the FGT be the source DNS for the clients, or can the clients access an external DNS server directly and the FGT will update its FQDN table according to the DNS server response? How many IP addresses can be in the buffer (cached) for one wildcard FQDN?
Why does Fortinet not give all the information about the features? ... and not only about the features.
It is very hard to get some more detailed information about anything.
If you want to see something like the FortiGate 6.2.2 admin guide or handbook, you will not find it. Only the cookbook for 6.2.0. Why does the admin guide/handbook not exist anymore?
Where is the 6.2.2 cookbook containing information about the wildcard policy object?
Check the last Handbook for FortiOS version 6.0.6. A very nice Handbook where you can find information about the firewall objects.
Nobody wants the handbook anymore?
I cannot see the 6.2.2 handbook, if one exists, on docs.fortinet.com.
Wildcard will never work on firewall policies for anything other than HTTP traffic (where it will work with a webfilter profile).
Think about it.
A regular layer 3 request doesn't care about a hostname; it requests an IP address. So there you already have a problem.
Now for regular DNS entries (A record, CNAME ...) you can create the FQDN object, which looks up the DNS entry and saves that. So on layer 3 it is still an IP address which is compared by the FortiGate.
This isn't a perfect solution either, especially when you have DNS entries which differ by region, or use internal DNS which your FortiGate can't reach.
But *.something.org isn't something you can look up; the wildcard can be any word and possibly go down levels, i.e. host.domain.domain.something.org. A DNS server isn't going to give you all possible IP addresses when you request *.
So you are stuck here and this will never be possible. They might be able to do some tricks by looking at all DNS requests and actively adding those, but that will only work if the FortiGate sees the DNS request.
Still, the FortiGate must be able to see these addresses to add them to the list, which means there might be a first ping lost, or things won't work if you access based on IP address. It works better than in the past, but it remains a trick. It is not like the FortiGate knows every IP address for a certain *.domain.ext. It knows a part when it has seen it.
Can anyone detail of how this wildcard is actually working?
Does the FortiGate need to receive the DNS query from the client, meaning the FortiGate needs to act as DNS server for the clients using a firewall WILDCARD entry, or is the FortiGate "downloading" the DNS zone from the domain mentioned in the wildcard?
I have read the related KB, but I am not getting it.
The most expensive and scarce resource for man is time; paradoxically, it's infinite.
I tested this a little in the past. When you add, for example, *.test.com and then ping name.test.com from the firewall, it will be added to a DNS cache entry for *.test.com.
So my expectation is that if you just have the firewall see DNS traffic (I don't think the firewall has to be the DNS server), then it will add entries belonging to the wildcard FQDN to its cache and allow those.
So it does have to see something first for it to work.
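The mechanism the last two posters describe (the firewall learns wildcard members only from DNS answers it has seen, and the policy still matches on IP addresses) can be illustrated with a small simulation. The block below is an added example written for this thread; it is not FortiOS code and makes no claim about how FortiOS stores or ages its cache. The DNS answers are constructed, the `*.test.com` object is the one from the post above, and the choice that the bare apex `test.com` does not match `*.test.com` is an assumption of the simulation, not something the thread establishes.

```python
"""Simulation of wildcard-FQDN learning as described in the thread.

Constructed example, not FortiOS code.  The firewall keeps a cache of
IP addresses per wildcard pattern; it only fills that cache from DNS
answers it observes, and a policy lookup compares the packet's
destination IP against that cache.  Traffic to an address that was never
resolved through the firewall therefore does not match, which is the
"first ping lost" / "access by IP does not work" effect from the posts.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class WildcardFqdnCache:
    patterns: List[str]
    # pattern -> set of learned IP addresses (no TTL handling; assumption)
    members: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    @staticmethod
    def name_matches(pattern: str, name: str) -> bool:
        """'*.test.com' matches any name ending in '.test.com', however
        many labels deep (host.sub.test.com).  The apex 'test.com' itself is
        treated as NOT matching; that is an assumption of this simulation."""
        p = pattern.lower().rstrip(".")
        n = name.lower().rstrip(".")
        if not p.startswith("*."):
            return n == p
        suffix = p[1:]  # ".test.com"
        return n.endswith(suffix) and len(n) > len(suffix)

    def observe_dns_answer(self, name: str, addresses: List[str]) -> List[Tuple[str, str]]:
        """Called for every DNS answer the firewall sees.  Returns the
        (pattern, ip) pairs that were newly learned."""
        learned = []
        for pat in self.patterns:
            if not self.name_matches(pat, name):
                continue
            for addr in addresses:
                ip = str(ipaddress.ip_address(addr))  # validates the address
                if ip not in self.members[pat]:
                    self.members[pat].add(ip)
                    learned.append((pat, ip))
        return learned

    def policy_matches(self, pattern: str, dst_ip: str) -> bool:
        """Layer 3 decision: the policy only ever sees an IP address."""
        return str(ipaddress.ip_address(dst_ip)) in self.members.get(pattern, set())


# Constructed DNS answers the firewall is assumed to observe (not real data).
OBSERVED_DNS = [
    ("name.test.com", ["203.0.113.10"]),
    ("host.sub.test.com", ["203.0.113.20", "203.0.113.21"]),
    ("www.other.org", ["198.51.100.5"]),
    ("test.com", ["203.0.113.1"]),  # apex; does not match "*.test.com" here
]


def run_demo() -> Tuple[Dict[str, bool], List[str]]:
    cache = WildcardFqdnCache(patterns=["*.test.com"])
    decisions: Dict[str, bool] = {}

    # Client sends traffic to the server before any DNS answer passed the
    # firewall: nothing is cached yet, so the wildcard policy does not match.
    decisions["before_dns"] = cache.policy_matches("*.test.com", "203.0.113.10")

    for name, addrs in OBSERVED_DNS:
        cache.observe_dns_answer(name, addrs)

    decisions["after_dns"] = cache.policy_matches("*.test.com", "203.0.113.10")
    decisions["deeper_label"] = cache.policy_matches("*.test.com", "203.0.113.21")
    decisions["other_domain"] = cache.policy_matches("*.test.com", "198.51.100.5")
    decisions["apex"] = cache.policy_matches("*.test.com", "203.0.113.1")
    # Access by an IP that was never resolved through the firewall.
    decisions["never_resolved_ip"] = cache.policy_matches("*.test.com", "203.0.113.99")

    return decisions, sorted(cache.members["*.test.com"])


if __name__ == "__main__":
    decisions, members = run_demo()
    for case, allowed in decisions.items():
        print(f"{case:18s} -> {'match' if allowed else 'no match'}")
    print("learned members of *.test.com:", members)
```

The `before_dns` and `never_resolved_ip` cases are the two failure modes the thread points at: a resolver the firewall cannot observe (clients using DoH, or an internal DNS path that bypasses the FortiGate) leaves the cache empty, and connecting straight to an IP never populates it at all.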