Fortinet added a long-anticipated feature in the latest software release: wildcard FQDNs! The configuration steps are described in the official Fortinet documentation. The only question I have is: how does it work under the hood? Let's check this out!
So I created a few wildcard FQDNs
Right after creation, all of them show the status "Unresolved FQDN". The FortiGate doesn't know which subdomains exist, so it can't resolve the entry to any IP address(es). We have to provide that data in some way.
Unlike standard FQDNs, this feature doesn't use the system DNS settings (Network > DNS). It relies on the DNS traffic passing through the FortiGate. Take a look at a freshly created object: *.1e100.net
FGT# diagnose firewall fqdn list | grep 1e100
*.1e100.net: ID(244)
It's an empty list of associated IP addresses. I have a PC in the network configured to use the DNS server 220.127.116.11. Let's send two requests through the FortiGate:
$ nslookup iy-in-f43.1e100.net
Server:  one.one.one.one
Address: 18.104.22.168

Non-authoritative answer:
Name:    iy-in-f43.1e100.net
Address: 22.214.171.124

$ nslookup maa03s18-in-f43.1e100.net
Server:  one.one.one.one
Address: 126.96.36.199

Non-authoritative answer:
Name:      maa03s18-in-f43.1e100.net
Addresses: 188.8.131.52
           184.108.40.206
After each request, I check the wildcard FQDN entry again:
FGT# diagnose firewall fqdn list | grep 1e100
*.1e100.net: ID(244) ADDR(220.127.116.11)
FGT# diagnose firewall fqdn list | grep 1e100
*.1e100.net: ID(244) ADDR(18.104.22.168) ADDR(22.214.171.124)
As you can see, the entry is now populated with the IP addresses learned from the DNS responses.
NOTE: By default, a learned IP address stays assigned to the object without any time limit. The information is kept in RAM only, so after a reboot all IP addresses have to be learned again. If you wish to limit the TTL, it is possible from the CLI, configurable per object.
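To make the learning mechanism concrete, here is an added Python model of it. It is my own illustration, not FortiOS code and not from this post: it parses A records out of DNS responses in wire format, populates "*.suffix" objects from answers whose owner name matches, optionally expires entries by TTL, and forgets everything on "reboot" (the RAM-only behaviour noted above). The page does not describe the exact matching rule, CNAME handling or the internal data structures of FortiOS, so matching on the answer's owner name is an assumption; the message bytes and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed sample data.

```python
import struct
import time


def _encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_dns_message(qname, ips=(), ttl=300, response=True):
    """Constructed sample message (not a real capture). Responses carry one A record per IP;
    answer owner names use a compression pointer (0xC00C) back to the question name."""
    flags = 0x8180 if response else 0x0100          # QR/RD/RA set for a response, RD only for a query
    answers = b""
    if response:
        for ip in ips:
            rdata = bytes(int(octet) for octet in ip.split("."))
            answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    ancount = len(ips) if response else 0
    header = struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", 1, 1) + answers


def _read_name(msg, off):
    """Decode a name at `off`, following compression pointers. Returns (name, offset after the name)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")   # defensive: malformed input
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            break
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def parse_a_answers(msg):
    """Return (first question name, [(owner name, ttl, ip)]) for A records in a DNS response.
    Queries (QR bit clear) yield no answers, just like a query passing the firewall teaches nothing."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        return None, []
    off, qname, answers = 12, None, []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname = qname or name
        off += 4                                     # skip QTYPE + QCLASS
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return qname, answers


class WildcardFqdnTable:
    """Learns addresses for '*.suffix' objects from A answers seen in transit (model of the page's behaviour)."""

    def __init__(self, patterns, honor_ttl=False):
        self.honor_ttl = honor_ttl
        self.entries = {p.lower(): {} for p in patterns}   # pattern -> {ip: expiry time or None (= forever)}

    @staticmethod
    def _matches(name, pattern):
        # Assumption: '*.suffix' matches any owner name ending in '.suffix'; exact names must be equal.
        return name.endswith(pattern[1:]) if pattern.startswith("*.") else name == pattern

    def observe(self, msg, now=None):
        """Feed one DNS message passing through; returns how many (object, ip) pairs were learned."""
        now = time.time() if now is None else now
        _, answers = parse_a_answers(msg)
        learned = 0
        for name, ttl, ip in answers:
            for pattern, table in self.entries.items():
                if self._matches(name, pattern):
                    table[ip] = now + ttl if self.honor_ttl else None
                    learned += 1
        return learned

    def addresses(self, pattern, now=None):
        """Currently resolved addresses for an object, dropping expired ones when TTLs are honoured."""
        now = time.time() if now is None else now
        live = {ip: exp for ip, exp in self.entries[pattern.lower()].items() if exp is None or exp > now}
        self.entries[pattern.lower()] = live
        return sorted(live)

    def reboot(self):
        """Learned data lives only in RAM: a reboot empties every object."""
        for table in self.entries.values():
            table.clear()


def demo():
    """Replays the two lookups from the post (with constructed addresses), plus a non-matching
    answer and a bare query that contribute nothing. TTL enforcement is switched on here."""
    table = WildcardFqdnTable(["*.1e100.net", "*.example.com"], honor_ttl=True)
    table.observe(build_dns_message("iy-in-f43.1e100.net", ["192.0.2.43"], ttl=60), now=1000)
    table.observe(build_dns_message("maa03s18-in-f43.1e100.net", ["192.0.2.44", "192.0.2.45"], ttl=60), now=1010)
    table.observe(build_dns_message("www.example.org", ["198.51.100.1"]), now=1010)   # wrong suffix
    table.observe(build_dns_message("iy-in-f43.1e100.net", response=False), now=1010)   # a query, no answers
    return table


if __name__ == "__main__":
    t = demo()
    print("*.1e100.net at t=1020:", t.addresses("*.1e100.net", now=1020))
    print("*.1e100.net at t=1065:", t.addresses("*.1e100.net", now=1065))
```

Only messages the model actually sees, and only responses, populate an object: a query alone, an exchange the firewall cannot parse, or a lookup that never crosses it all leave the object at "Unresolved FQDN". With `honor_ttl=False` (the default, mirroring the note above) a learned address is kept until `reboot()` clears the table.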
Where can it bite you?
Consider a few scenarios that can make this feature useless:
- The DNS server is not behind the FortiGate, so no queries pass through the firewall
- The DNS server sits in the LAN and you wish to use wildcard FQDNs for a local domain name
- DNS requests are encrypted and the FortiGate can't see them (e.g. the increasingly popular DoT or DoH)
Confusion with the other wildcard FQDNs
If you are familiar with FortiOS, you know there is yet another section responsible for wildcard FQDNs. It is easy to access via the CLI:
FGT# config firewall wildcard-fqdn custom
FGT(custom)# edit example.com
FGT(example.com)# set wildcard-fqdn "*.example.com"
However, if you create a new object as above and try to use it in an IPv4 policy, you'll be disappointed: you won't find it in the list of firewall addresses.
Those FQDNs are dedicated to SSL inspection exemptions only. The concept and configuration are similar, but you can't mix them.
So if you need to use *.example.com in an IPv4 rule and also add it to the SSL decryption exemptions, you have to create two objects in two different places. Remember, names have to be unique 😉