I was using an FQDN policy object in a firewall and want to share some simple tips that could come in handy. To check whether an FQDN is mapped and resolved, use the following CLI command:
diag firewall fqdn list
To purge ALL cached objects, use the following CLI command:
diag firewall purge
To set a specific TTL for caching, set the TTL in the object directly, e.g.:
config firewall address
    edit dns1
        set type fqdn
        set fqdn www.example.com
        set cache-ttl 10
    end
In the above, the firewall will conduct a DNS lookup and refresh the local cache every 10 seconds if the answer has changed.
If the object has multiple A records, it will display all records attached:
FGT310C (root) # diag firewall fqdn list | grep www.etrade.com
www.etrade.com: ID(117) REF(1) ADDR(65.196.177.42) ADDR(12.221.217.42)
FGT310C (root) # diag firewall fqdn list | grep www.twitter.com
www.twitter.com: ID(19) REF(1) ADDR(199.59.149.198) ADDR(199.59.148.82) ADDR(199.59.150.7) ADDR(199.59.148.10)
A firewall address object of type fqdn uses the firewall's local DNS server settings to resolve the FQDN.
A FGT firewall will ALWAYS resolve an FQDN object, regardless of whether it is used in a firewall policy.
An fqdn firewall address object whose name does NOT exist in DNS will still be cached, but with no resolved address:
diag firewall fqdn list
List all FQDN:
nohost.socpuppets.com: ID(140) REF(1)
Be careful with bad FQDNs or no-such hosts: the object carries no address, so traffic will be blocked.
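A quick way to catch those no-such-host objects before they silently block traffic is to run the output of "diag firewall fqdn list" through a small parser and flag every entry that has no ADDR(...) field. The script below is an added example written for this post, not Fortinet code; the sample output is constructed from the line format shown above, and the meaning of the REF counter is assumed to be a reference count.

```python
import re
from typing import List, NamedTuple


class FqdnEntry(NamedTuple):
    fqdn: str
    obj_id: int
    refs: int          # assumed: reference count shown as REF(n)
    addrs: List[str]   # every ADDR(x.x.x.x) on the line; empty if unresolved


# One entry per line: "<fqdn>: ID(n) REF(n) ADDR(ip) ADDR(ip) ..."
LINE_RE = re.compile(
    r"^(?P<fqdn>\S+):\s+ID\((?P<id>\d+)\)\s+REF\((?P<ref>\d+)\)(?P<rest>.*)$"
)
ADDR_RE = re.compile(r"ADDR\(([^)]+)\)")


def parse_fqdn_list(text: str) -> List[FqdnEntry]:
    """Parse 'diag firewall fqdn list' output (pasted from the CLI) into entries.

    Header lines ("List all FQDN:"), blank lines and anything that does not
    match the entry format are skipped, so a copy-paste with the prompt still
    works as long as each entry sits on its own line.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Tolerate a leading CLI prompt such as "FGT310C (root) # "
        if "# " in line:
            line = line.split("# ", 1)[1]
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(
            FqdnEntry(
                fqdn=m.group("fqdn"),
                obj_id=int(m.group("id")),
                refs=int(m.group("ref")),
                addrs=ADDR_RE.findall(m.group("rest")),
            )
        )
    return entries


def unresolved(entries: List[FqdnEntry]) -> List[str]:
    """Names of FQDN objects that are cached but resolved to no address."""
    return [e.fqdn for e in entries if not e.addrs]


def report(text: str) -> List[str]:
    """Human-readable summary: one line per object, flagging unresolved ones."""
    lines = []
    for e in parse_fqdn_list(text):
        state = ", ".join(e.addrs) if e.addrs else "UNRESOLVED - policies using this match nothing"
        lines.append(f"{e.fqdn} (id {e.obj_id}, ref {e.refs}): {state}")
    return lines


# Constructed sample in the format the firewall prints (not captured from a live unit)
SAMPLE_OUTPUT = """\
List all FQDN:
www.etrade.com: ID(117) REF(1) ADDR(65.196.177.42) ADDR(12.221.217.42)
www.twitter.com: ID(19) REF(1) ADDR(199.59.149.198) ADDR(199.59.148.82) ADDR(199.59.150.7) ADDR(199.59.148.10)
nohost.socpuppets.com: ID(140) REF(1)
"""

if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Paste the full "diag firewall fqdn list" output into SAMPLE_OUTPUT (or read it from a file) and anything that prints as UNRESOLVED is an object worth fixing before it lands in a policy.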
The firewall fqdn objects are ONLY applicable to IPv4 addresses; hosts with both A and AAAA records will only display the A record. You can't use type fqdn in address6.
I haven't checked in FortiOS 5.4 to see whether this feature has changed.
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \