Support for wildcard FQDN addresses in firewall policy 6.2.2

You can use wildcard FQDN addresses in firewall policies.

Firewall policies that support wildcard FQDN addresses include IPv4, IPv6, ACL, local, shaping, NAT64, NAT46, and NGFW.

When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.

To create a wildcard FQDN using the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.
  2. Specify a Name.
  3. For Type, select FQDN.
  4. For FQDN, enter a wildcard FQDN address, for example, *.fortinet.com.
  5. Click OK.

To use wildcard FQDN in a firewall policy using the GUI:
  1. Go to Policy & Objects > IPv4 Policy to view the policy you created with the wildcard FQDN.
     In this example, policy ID 2 uses the wildcard FQDN.

To create a wildcard FQDN using the CLI:
config firewall address
    edit "test-wildcardfqdn-1"
        set uuid 7288ba26-ce92-51e9-04c0-39c707eb4519
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end

To use wildcard FQDN in a firewall policy using the CLI:
config firewall policy
    edit 2
        set uuid 2f5ffcc0-cddc-51e9-0642-ab9966b202dd
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "test-wildcardfqdn-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
        set nat enable
    next
end

To use the diagnose command to list resolved IP addresses of wildcard FQDN objects:
B (vdom1) # diag firewall fqdn list
List all FQDN:
*.fortinet.com: ID(48) ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
*.google.com: ID(66) ADDR(172.217.14.238)
login.microsoftonline.com: ID(15) ADDR(40.126.7.64) ADDR(40.126.7.65) ADDR(40.126.7.66) ADDR(40.126.7.97) ADDR(40.126.7.99) ADDR(40.126.7.100) ADDR(40.126.7.101) ADDR(40.126.7.103)

To use the diagnose command for firewall policies which use wildcard FQDN:
B (vdom1) # diag firewall iprope list 100004
policy index=2 uuid_idx=46 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4200): no_asic resolve_sso
flag3 (20):
schedule(always)
cos_fwd=255  cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=3 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 11 -> zone(1): 9
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
destination fqdn or dynamic address (1):
        *.fortinet.com ID(48) uuid_idx=57 ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
service(1):
        [0:0x0:0/(0,0)->(0,0)] helper:auto
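As an added example (not part of the Fortinet documentation), the following Python script parses the two diagnose outputs above and explains why traffic to a given destination IP does or does not match a policy whose dstaddr is a wildcard FQDN object. Because the policy matches on the IP addresses loaded into it rather than on the hostname, a destination that has not yet been resolved into the object will not match; the sample outputs are copied from this page and shortened, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the "diag firewall fqdn list" output shown on this page (shortened).
FQDN_LIST_OUTPUT = """\
List all FQDN:
*.fortinet.com: ID(48) ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
*.google.com: ID(66) ADDR(172.217.14.238)
login.microsoftonline.com: ID(15) ADDR(40.126.7.64) ADDR(40.126.7.65) ADDR(40.126.7.66)
"""

# Constructed sample: the destination section of "diag firewall iprope list 100004" for policy 2.
IPROPE_OUTPUT = """\
policy index=2 uuid_idx=46 action=accept
destination fqdn or dynamic address (1):
        *.fortinet.com ID(48) uuid_idx=57 ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
"""

# Entry line in either output: "<name>: ID(<n>) ADDR(..)" or "<name> ID(<n>) uuid_idx=.. ADDR(..)".
ENTRY_RE = re.compile(r"^\s*(?P<name>[^\s:]+):?\s+ID\((?P<id>\d+)\)")
ADDR_RE = re.compile(r"ADDR\(([^)]+)\)")

def parse_fqdn_entries(output):
    """Map object name -> (object id, frozenset of resolved IP addresses)."""
    entries = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, flag lines and other non-entry lines
        addrs = frozenset(ipaddress.ip_address(a) for a in ADDR_RE.findall(line))
        entries[m.group("name")] = (int(m.group("id")), addrs)
    return entries

def check_destination(fqdn_list_output, iprope_output, obj_name, dst_ip):
    """Explain whether traffic to dst_ip can match a policy whose dstaddr is obj_name."""
    ip = ipaddress.ip_address(dst_ip)
    learned = parse_fqdn_entries(fqdn_list_output).get(obj_name)
    loaded = parse_fqdn_entries(iprope_output).get(obj_name)
    if learned is None:
        return "object is not in the fqdn list"
    if not learned[1]:
        return "object has no resolved addresses yet"
    if loaded is None:
        return "policy has not loaded the object"
    if learned[1] != loaded[1]:
        return "policy holds a different address set than the fqdn list"
    if ip not in loaded[1]:
        return "ip is not in the resolved address set"
    return "match"
```

Run check_destination(FQDN_LIST_OUTPUT, IPROPE_OUTPUT, "*.fortinet.com", "208.91.114.142") to see a matching case; feed it the live output of the two diagnose commands to troubleshoot a real policy.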