Fortinet white logo
Fortinet white logo

Administration Guide

Using wildcard FQDN addresses in firewall policies

Using wildcard FQDN addresses in firewall policies

You can use wildcard FQDN addresses in firewall policies. IPv4, IPv6, ACL, local, shaping, NAT64, NAT46, and NGFW policy types support wildcard FQDN addresses.

For wildcard FQDN addresses to work, the FortiGate should allow DNS traffic to pass through.

Initially, the wildcard FQDN object is empty and contains no addresses. When the client tries to resolve a FQDN address, the FortiGate will analyze the DNS response. The IP address(es) contained in the answer section of the DNS response will be added to the corresponding wildcard FQDN object. It is therefore necessary to have the DNS session-helpers defined in the config system session-helper setting.

Note

Since FortiGate must analyze the DNS response, it does not work with DNS over HTTPS.

In FortiOS 7.0 and later, FortiGate supports DNS over TLS. It is possible to analyze DNS responses sent over DoT, as long as there is a firewall policy that allows the DNS traffic from the client and is configured with a DNS filter that supports DoT. For information on configuring this, see DNS inspection with DoT and DoH.

When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.

The FortiGate will keep the IP addresses in the FQDN object table as long as the DNS entry itself has not expired. Once it expires, the IP address is removed from the wildcard FQDN object until another query is made. At any given time, a single wildcard FQDN object may have up to 1000 IP addresses.

Note

The DNS expiry TTL value is set by the authoritative name server for that DNS record. If the TTL for a specific DNS record is very short and you would like to cache the IP address longer, then you can extend it with the CLI. See To extend the TTL for a DNS record in the CLI:

For more information, see FQDN address firewall object type.

Tooltip

Wildcard FQDN IPs are synchronized to other autoscale members whenever a peer learns of a wildcard FQDN address.

To create a wildcard FQDN using the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.
  2. Specify a Name.
  3. For Type, select FQDN.
  4. For FQDN, enter a wildcard FQDN address, for example, *.fortinet.com.
  5. Click OK.
To use a wildcard FQDN in a firewall policy using the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. For Destination, select the wildcard FQDN.
  3. Configure the rest of the policy as needed.
  4. Click OK.
To create a wildcard FQDN using the CLI:
config firewall address
    edit "test-wildcardfqdn-1"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end
To use wildcard FQDN in a firewall policy using the CLI:
config firewall policy
    edit 2
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "test-wildcardfqdn-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
        set nat enable
    next
end
To use the diagnose command to list resolved IP addresses of wildcard FQDN objects:
# diagnose firewall fqdn list
List all FQDN:
*.fortinet.com: ID(48) ADDR(96.45.36.159) ADDR(192.168.100.161) ADDR(65.39.139.161)

Alternatively:

# diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=*.fortinet.com ver=IPv4  min_ttl=3266:0, cache_ttl=0 , slot=-1, num=3, wildcard=1
96.45.36.159 (ttl=68862:68311:68311) 192.168.100.161 (ttl=3600:3146:3146) 65.39.139.161
(ttl=3600:3481:3481)
To use the diagnose command for firewall policies which use wildcard FQDN:
# diagnose firewall iprope list 100004
...
destination fqdn or dynamic address (1):*.fortinet.com ID(48) uuid_idx=57 ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
...
To extend the TTL for a DNS record in the CLI:

In this the example the set cache-ttl value has been extended to 3600 seconds.

config firewall address

edit "fortinet.com"

set type fqdn

set fqdn "www.fortinet.com”

set cache-ttl 3600

next

end

Using wildcard FQDN addresses in firewall policies

Using wildcard FQDN addresses in firewall policies

You can use wildcard FQDN addresses in firewall policies. IPv4, IPv6, ACL, local, shaping, NAT64, NAT46, and NGFW policy types support wildcard FQDN addresses.

For wildcard FQDN addresses to work, the FortiGate should allow DNS traffic to pass through.

Initially, the wildcard FQDN object is empty and contains no addresses. When the client tries to resolve a FQDN address, the FortiGate will analyze the DNS response. The IP address(es) contained in the answer section of the DNS response will be added to the corresponding wildcard FQDN object. It is therefore necessary to have the DNS session-helpers defined in the config system session-helper setting.

Note

Since FortiGate must analyze the DNS response, it does not work with DNS over HTTPS.

In FortiOS 7.0 and later, FortiGate supports DNS over TLS. It is possible to analyze DNS responses sent over DoT, as long as there is a firewall policy that allows the DNS traffic from the client and is configured with a DNS filter that supports DoT. For information on configuring this, see DNS inspection with DoT and DoH.

When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.

The FortiGate will keep the IP addresses in the FQDN object table as long as the DNS entry itself has not expired. Once it expires, the IP address is removed from the wildcard FQDN object until another query is made. At any given time, a single wildcard FQDN object may have up to 1000 IP addresses.

Note

The DNS expiry TTL value is set by the authoritative name server for that DNS record. If the TTL for a specific DNS record is very short and you would like to cache the IP address longer, then you can extend it with the CLI. See To extend the TTL for a DNS record in the CLI:

For more information, see FQDN address firewall object type.

Tooltip

Wildcard FQDN IPs are synchronized to other autoscale members whenever a peer learns of a wildcard FQDN address.

To create a wildcard FQDN using the GUI:
  1. Go to Policy & Objects > Addresses and click Create New > Address.
  2. Specify a Name.
  3. For Type, select FQDN.
  4. For FQDN, enter a wildcard FQDN address, for example, *.fortinet.com.
  5. Click OK.
To use a wildcard FQDN in a firewall policy using the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. For Destination, select the wildcard FQDN.
  3. Configure the rest of the policy as needed.
  4. Click OK.
To create a wildcard FQDN using the CLI:
config firewall address
    edit "test-wildcardfqdn-1"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end
To use wildcard FQDN in a firewall policy using the CLI:
config firewall policy
    edit 2
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "test-wildcardfqdn-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
        set nat enable
    next
end
To use the diagnose command to list resolved IP addresses of wildcard FQDN objects:
# diagnose firewall fqdn list
List all FQDN:
*.fortinet.com: ID(48) ADDR(96.45.36.159) ADDR(192.168.100.161) ADDR(65.39.139.161)

Alternatively:

# diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=*.fortinet.com ver=IPv4  min_ttl=3266:0, cache_ttl=0 , slot=-1, num=3, wildcard=1
96.45.36.159 (ttl=68862:68311:68311) 192.168.100.161 (ttl=3600:3146:3146) 65.39.139.161
(ttl=3600:3481:3481)
To use the diagnose command for firewall policies which use wildcard FQDN:
# diagnose firewall iprope list 100004
...
destination fqdn or dynamic address (1):*.fortinet.com ID(48) uuid_idx=57 ADDR(208.91.114.104) ADDR(208.91.114.142) ADDR(173.243.137.143) ADDR(65.104.9.196) ADDR(96.45.36.210)
...
To extend the TTL for a DNS record in the CLI:

In this the example the set cache-ttl value has been extended to 3600 seconds.

config firewall address

edit "fortinet.com"

set type fqdn

set fqdn "www.fortinet.com”

set cache-ttl 3600

next

end