Introduction

Fortinet added a long-anticipated feature in its latest software release: wildcard FQDNs! The configuration steps are described in the official Fortinet documentation. The only question I have is: how does it work under the hood? Let's check this out!

Case Study

So I created a few wildcard FQDNs.

Right after creation, all of them show the status "Unresolved FQDN". FortiGate doesn't know which subdomains exist, so it can't resolve the entry to IP address(es). We have to provide that data in some way.

Compared to standard FQDNs, this feature doesn't use the system DNS settings (Network > DNS). It relies on DNS traffic passing through the FortiGate. Take a look at a freshly created object, *.1e100.net:

FGT# diagnose firewall fqdn list | grep 1e100
*.1e100.net: ID(244)

It's an empty list of associated IP addresses. I have a PC in the network configured to use the DNS server 1.1.1.1. Let's send two requests via the FortiGate:

$ nslookup iy-in-f43.1e100.net
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    iy-in-f43.1e100.net
Address:  216.239.32.43


$ nslookup maa03s18-in-f43.1e100.net
Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    maa03s18-in-f43.1e100.net
Addresses:  216.239.32.43
          216.58.220.43

After each request, I run the same diagnose command for that wildcard FQDN entry:

FGT# diagnose firewall fqdn list | grep 1e100
*.1e100.net: ID(244) ADDR(216.239.32.43)

FGT# diagnose firewall fqdn list | grep 1e100
*.1e100.net: ID(244) ADDR(216.239.32.43) ADDR(216.58.220.43)

As you can see, the entry is now populated with the newly learned IP addresses.

NOTE: By default, an IP address is assigned to the object without any time limit. The information is stored in RAM, so after a reboot all IP addresses must be learned again. If you wish to limit the TTL, it is configurable per object from the CLI.

Where can it bite you?

Consider a few scenarios that can make this feature useless:

  1. The DNS server is not behind the FortiGate, so no queries pass through the firewall.
  2. The DNS server is in the LAN network and you wish to use wildcard FQDNs for a local domain name, so the lookups never cross the firewall.
  3. DNS requests are encrypted and the FortiGate can't see them (e.g. the increasingly popular DoT or DoH).
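To make the mechanism from the case study concrete, here is an added toy model (not FortiOS code; the names `WildcardFqdnTable`, `parse_a_answers` and `build_response` are made up for this illustration). It parses the DNS responses that "pass through" it, attaches every A record whose owner name falls under a registered `*.suffix` to that object, and supports the optional per-object TTL from the note above (no limit by default). It also shows why the scenarios just listed defeat the feature: a response the firewall never sees, or cannot decode, simply never reaches `observe()`, so the object stays empty. The DNS packets are constructed inline, replaying the two lookups from the case study; whether a wildcard matches sub-subdomains is an assumption of the model, not a documented FortiOS behaviour.

```python
"""Toy model of a firewall learning wildcard-FQDN members by snooping DNS
responses. Added illustration, not FortiOS code; all names here are made up."""
import struct
import time
from typing import Dict, List, Optional, Tuple


def _read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name at pkt[off:], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels = []
    end = None                      # fixed at the first pointer or the terminator
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # 2-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if end is None:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), end


def parse_a_answers(pkt: bytes) -> List[Tuple[str, str, int]]:
    """Return (owner_name, ipv4, ttl) for each A record in a response's answer
    section. Queries (QR bit clear) carry no answers and yield nothing."""
    flags, qdcount, ancount = struct.unpack("!HHH", pkt[2:8])
    if not flags & 0x8000:
        return []
    off = 12
    for _ in range(qdcount):        # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                    # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


class WildcardFqdnTable:
    """Wildcard objects and the addresses learned for them; memory only, so
    (as the note above says) nothing survives a reboot of this process."""

    def __init__(self) -> None:
        # suffix -> (optional per-object TTL in seconds, {ip: expiry or None})
        self._objects: Dict[str, Tuple[Optional[int], Dict[str, Optional[float]]]] = {}

    def add_object(self, pattern: str, ttl: Optional[int] = None) -> None:
        """Register e.g. '*.1e100.net'; ttl=None means no time limit (the default)."""
        if not pattern.startswith("*."):
            raise ValueError("wildcard objects must look like *.domain")
        self._objects[pattern[2:].lower()] = (ttl, {})

    def observe(self, pkt: bytes, now: Optional[float] = None) -> List[Tuple[str, str]]:
        """Feed one DNS packet seen on the wire; returns the (suffix, ip) pairs learned."""
        now = time.time() if now is None else now
        learned = []
        for name, ip, _rr_ttl in parse_a_answers(pkt):
            for suffix, (ttl, members) in self._objects.items():
                # assumption: '*.' matches any depth below the suffix, never the apex
                if name.endswith("." + suffix):
                    members[ip] = None if ttl is None else now + ttl
                    learned.append((suffix, ip))
        return learned

    def addresses(self, pattern: str, now: Optional[float] = None) -> List[str]:
        """Current, unexpired members of an object (what 'diagnose' would list)."""
        now = time.time() if now is None else now
        _ttl, members = self._objects[pattern[2:].lower()]
        return sorted(ip for ip, exp in members.items() if exp is None or exp > now)


def build_response(qname: str, answers: List[Tuple[str, int]]) -> bytes:
    """Constructed DNS response: one question plus A records for qname that use
    a compression pointer (0xC00C) back to the question name, as resolvers do."""
    def encode(name: str) -> bytes:
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    rrs = b""
    for ip, ttl in answers:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        rrs += bytes(int(o) for o in ip.split("."))
    return header + question + rrs


if __name__ == "__main__":
    table = WildcardFqdnTable()
    table.add_object("*.1e100.net")
    # the two lookups from the case study, replayed as constructed responses
    table.observe(build_response("iy-in-f43.1e100.net", [("216.239.32.43", 300)]))
    print("*.1e100.net:", table.addresses("*.1e100.net"))
    table.observe(build_response("maa03s18-in-f43.1e100.net",
                                 [("216.239.32.43", 300), ("216.58.220.43", 300)]))
    print("*.1e100.net:", table.addresses("*.1e100.net"))
```

Running the script reproduces the two diagnose outputs from the case study: one address after the first response, two after the second. Registering an object with `ttl=60` makes its members drop out of `addresses()` once that many seconds have passed, which is the per-object TTL behaviour the note describes.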

Confusion with the other wildcard FQDNs

If you are familiar with FortiOS, you know there is yet another section responsible for wildcard FQDNs, easy to access via the CLI:

FGT# config firewall wildcard-fqdn custom
FGT(custom)# edit example.com
FGT(example.com)# set wildcard-fqdn "*.example.com"

However, if you create a new object as above and try to use it in an IPv4 policy, you'll be disappointed: you won't find it in the list of firewall addresses.

Those FQDNs are dedicated to SSL Inspection exemptions only. The concept and configuration are similar, but you can't mix them.

So if you need to use *.example.com in an IPv4 rule and also add it to the SSL decryption exemptions, you have to create two objects in two different places. Remember, names have to be unique 😉