Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    6.2.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Support for wildcard FQDN addresses in firewall policy  6.2.2

    Support for wildcard FQDN addresses in firewall policy 6.2.2

    You can use wildcard FQDN addresses in firewall policies.

    Firewall policies that support wildcard FQDN addresses include IPv4, IPv6, ACL, local, shaping, NAT64, NAT46, and NGFW.

    When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.

    To create a wildcard FQDN using the GUI:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. Specify a Name.
    3. For Type, select FQDN.
    4. For FQDN, enter a wildcard FQDN address, for example, *.fortinet.com.

    5. Click OK.
    To use wildcard FQDN in a firewall policy using the GUI:
    1. Go to Policy & Objects > IPv4 Policy to view the policy you created with the wildcard FQDN.

      In this example, policy ID 2 uses the wildcard FQDN.

    To create a wildcard FQDN using the CLI:
    config firewall address
    edit "test-wildcardfqdn-1"
        set uuid 7288ba26-ce92-51e9-04c0-39c707eb4519
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end
    To use wildcard FQDN in a firewall policy using the CLI:
    config firewall policy
    edit 2
        set uuid 2f5ffcc0-cddc-51e9-0642-ab9966b202dd
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "test-wildcardfqdn-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
        set nat enable
    next
end
    To use the diagnose command to list resolved IP addresses of wildcard FQDN objects:
    B (vdom1) # diag firewall fqdn list
List all FQDN:
*.fortinet.com: ID(48) ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
*.google.com: ID(66) ADDR(172.217.14.238)
login.microsoftonline.com: ID(15) ADDR(40.126.7.64) ADDR(40.126.7.65) ADDR(40.126.7.66) ADDR(40.126.7.97) ADDR(40.126.7.99) ADDR(40.126.7.100) ADDR(40.126.7.101) ADDR(40.126.7.103)
    To use the diagnose command for firewall policies which use wildcard FQDN:
    B (vdom1) # diag firewall iprope list 100004
policy index=2 uuid_idx=46 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4200): no_asic resolve_sso
flag3 (20):
schedule(always)
cos_fwd=255  cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=3 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 11 -> zone(1): 9
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
destination fqdn or dynamic address (1):
        *.fortinet.com ID(48) uuid_idx=57 ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
service(1):
        [0:0x0:0/(0,0)->(0,0)] helper:auto
    Previous
    Next

    Support for wildcard FQDN addresses in firewall policy  6.2.2

    Support for wildcard FQDN addresses in firewall policy 6.2.2

    You can use wildcard FQDN addresses in firewall policies.

    Firewall policies that support wildcard FQDN addresses include IPv4, IPv6, ACL, local, shaping, NAT64, NAT46, and NGFW.

    When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.

    To create a wildcard FQDN using the GUI:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. Specify a Name.
    3. For Type, select FQDN.
    4. For FQDN, enter a wildcard FQDN address, for example, *.fortinet.com.

    5. Click OK.
    To use wildcard FQDN in a firewall policy using the GUI:
    1. Go to Policy & Objects > IPv4 Policy to view the policy you created with the wildcard FQDN.

      In this example, policy ID 2 uses the wildcard FQDN.

    To create a wildcard FQDN using the CLI:
    config firewall address
    edit "test-wildcardfqdn-1"
        set uuid 7288ba26-ce92-51e9-04c0-39c707eb4519
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end
    To use wildcard FQDN in a firewall policy using the CLI:
    config firewall policy
    edit 2
        set uuid 2f5ffcc0-cddc-51e9-0642-ab9966b202dd
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "test-wildcardfqdn-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
        set nat enable
    next
end
    To use the diagnose command to list resolved IP addresses of wildcard FQDN objects:
    B (vdom1) # diag firewall fqdn list
List all FQDN:
*.fortinet.com: ID(48) ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
*.google.com: ID(66) ADDR(172.217.14.238)
login.microsoftonline.com: ID(15) ADDR(40.126.7.64) ADDR(40.126.7.65) ADDR(40.126.7.66) ADDR(40.126.7.97) ADDR(40.126.7.99) ADDR(40.126.7.100) ADDR(40.126.7.101) ADDR(40.126.7.103)
    To use the diagnose command for firewall policies which use wildcard FQDN:
    B (vdom1) # diag firewall iprope list 100004
policy index=2 uuid_idx=46 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4200): no_asic resolve_sso
flag3 (20):
schedule(always)
cos_fwd=255  cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=3 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 11 -> zone(1): 9
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
destination fqdn or dynamic address (1):
        *.fortinet.com ID(48) uuid_idx=57 ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
service(1):
        [0:0x0:0/(0,0)->(0,0)] helper:auto
    Previous
    Next