Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

Synchronize wildcard FQDN resolved addresses to autoscale peers

This enhancement synchronizes wildcard FQDN IPs to other autoscale members whenever a peer learns of a wildcard FQDN address.

The following example uses an AWS deployment.

To synchronize wildcard FQDN resolved addresses to autoscale peers:
  1. Configure an FG-AWS autoscale group with one primary and two secondary FortiGates (see Deploying autoscaling on AWS in the AWS Administration Guide).
  2. On the primary FortiGate, configure a wildcard FQDN firewall address for *.cnn.com (see Using wildcard FQDN addresses in firewall policies in the FortiOS Administration Guide). The configuration will be synchronized between all autoscale peers.
To verify the wildcard FQDN resolved address synchronization:
  1. On the primary FortiGate, ping www.cnn.com:
    # execute ping www.cnn.com
    PING turner-tls.map.fastly.net (***.232.65.67): 56 data bytes
    64 bytes from ***.232.65.67: icmp_seq=0 ttl=52 time=0.4 ms
    64 bytes from ***.232.65.67: icmp_seq=1 ttl=52 time=0.4 ms
  2. View the list of resolved IP addresses of wildcard FQDN objects:
    # diagnose firewall fqdn list
    List all FQDN:
    *.cnn.com: ID(4) ADDR(***.232.65.67)
  3. On the secondary-1 FortiGate, view the list of resolved IP addresses of wildcard FQDN objects:
    # diagnose firewall fqdn list
    List all FQDN:
    *.cnn.com: ID(4) ADDR(***.232.65.67)
  4. On the secondary-2 FortiGate, view the list of resolved IP addresses of wildcard FQDN objects:
    # diagnose firewall fqdn list
    List all FQDN:
    *.cnn.com: ID(4) ADDR(***.232.65.67)
  5. On each FortiGate, go to Policy & Object > Addresses and hover over the FQDN address to view the resolved IP.
    1. Primary:

    2. Secondary-1:

    3. Secondary-2:

Synchronize wildcard FQDN resolved addresses to autoscale peers

This enhancement synchronizes wildcard FQDN IPs to other autoscale members whenever a peer learns of a wildcard FQDN address.

The following example uses an AWS deployment.

To synchronize wildcard FQDN resolved addresses to autoscale peers:
  1. Configure an FG-AWS autoscale group with one primary and two secondary FortiGates (see Deploying autoscaling on AWS in the AWS Administration Guide).
  2. On the primary FortiGate, configure a wildcard FQDN firewall address for *.cnn.com (see Using wildcard FQDN addresses in firewall policies in the FortiOS Administration Guide). The configuration will be synchronized between all autoscale peers.
To verify the wildcard FQDN resolved address synchronization:
  1. On the primary FortiGate, ping www.cnn.com:
    # execute ping www.cnn.com
    PING turner-tls.map.fastly.net (***.232.65.67): 56 data bytes
    64 bytes from ***.232.65.67: icmp_seq=0 ttl=52 time=0.4 ms
    64 bytes from ***.232.65.67: icmp_seq=1 ttl=52 time=0.4 ms
  2. View the list of resolved IP addresses of wildcard FQDN objects:
    # diagnose firewall fqdn list
    List all FQDN:
    *.cnn.com: ID(4) ADDR(***.232.65.67)
  3. On the secondary-1 FortiGate, view the list of resolved IP addresses of wildcard FQDN objects:
    # diagnose firewall fqdn list
    List all FQDN:
    *.cnn.com: ID(4) ADDR(***.232.65.67)
  4. On the secondary-2 FortiGate, view the list of resolved IP addresses of wildcard FQDN objects:
    # diagnose firewall fqdn list
    List all FQDN:
    *.cnn.com: ID(4) ADDR(***.232.65.67)
  5. On each FortiGate, go to Policy & Object > Addresses and hover over the FQDN address to view the resolved IP.
    1. Primary:

    2. Secondary-1:

    3. Secondary-2: