Thursday, August 25, 2016

FQDN address policies on FortiGate FortiOS

I was using an FQDN address object in a firewall policy and want to share some simple tips that could come in handy. To check whether an FQDN has been resolved and is present in the cache, use the following CLI command:

    diag firewall fqdn list

To purge ALL cached objects, use the following CLI command:

    diag firewall purge

To set a specific TTL for caching, set the TTL directly in the address object, e.g.:

    config firewall address
        edit dns1
            set type fqdn
            set fqdn www.example.com
            set cache-ttl 10
    end

In the above, the firewall performs a DNS lookup every 10 seconds and refreshes the local cache if the answer has changed.

If the object has multiple A records, the listing displays all of the records attached to it:

    FGT310C (root) # diag firewall  fqdn  list | grep www.etrade.com
    www.etrade.com: ID(117) REF(1) ADDR(65.196.177.42) ADDR(12.221.217.42)

    FGT310C (root) # diag firewall  fqdn  list | grep www.twitter.com
    www.twitter.com: ID(19) REF(1) ADDR(199.59.149.198) ADDR(199.59.148.82) ADDR(199.59.150.7) ADDR(199.59.148.10)

A firewall address object of type fqdn uses the firewall's own local DNS server settings to resolve the FQDN.

A FortiGate will ALWAYS resolve an FQDN object, regardless of whether it is referenced by a firewall policy.

An FQDN address object whose name does NOT exist is still cached, but with no resolved address:

    diag firewall fqdn list
    List all FQDN:
    nohost.socpuppets.com: ID(140) REF(1)

Be careful with bad FQDNs or non-existent hosts: an object with no resolved address matches no traffic, so traffic relying on that policy will be blocked.
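As an added example (not code from the post or from Fortinet): a small Python parser for the `diag firewall fqdn list` output shown above that turns the listing into a health check, flagging objects cached with no ADDR() entry (the nohost case) and listing objects that resolved to several A records. The sample listing is constructed from the post's own lines, and the entry format the regex expects is an assumption based on those lines.

```python
import re
from typing import Dict, List

# Constructed sample output of `diag firewall fqdn list`, assembled from the
# entries shown in the post: the header line, two resolved objects with
# multiple A records, and one object whose hostname does not exist.
SAMPLE_LISTING = """\
List all FQDN:
www.etrade.com: ID(117) REF(1) ADDR(65.196.177.42) ADDR(12.221.217.42)
www.twitter.com: ID(19) REF(1) ADDR(199.59.149.198) ADDR(199.59.148.82) ADDR(199.59.150.7) ADDR(199.59.148.10)
nohost.socpuppets.com: ID(140) REF(1)
"""

# Assumed entry layout: "<fqdn>: ID(n) REF(n) ADDR(a.b.c.d) ADDR(...) ..."
ENTRY_RE = re.compile(
    r"^(?P<fqdn>\S+):\s+ID\((?P<id>\d+)\)\s+REF\((?P<ref>\d+)\)(?P<rest>.*)$"
)
ADDR_RE = re.compile(r"ADDR\(([0-9.]+)\)")


def parse_fqdn_list(text: str) -> Dict[str, dict]:
    """Parse listing output into {fqdn: {"id", "ref", "addrs"}}.

    Lines that are not entries (the "List all FQDN:" header, a CLI prompt)
    are skipped rather than treated as errors.
    """
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entries[m.group("fqdn")] = {
            "id": int(m.group("id")),
            "ref": int(m.group("ref")),
            # Only A records appear here; FQDN objects are IPv4-only.
            "addrs": ADDR_RE.findall(m.group("rest")),
        }
    return entries


def unresolved_objects(entries: Dict[str, dict]) -> List[str]:
    """Objects cached with no ADDR(): they match no traffic, so a policy
    that relies on them blocks what it was meant to allow."""
    return sorted(name for name, e in entries.items() if not e["addrs"])


def multi_record_objects(entries: Dict[str, dict]) -> Dict[str, List[str]]:
    """Objects that resolved to more than one A record (all are matched)."""
    return {name: e["addrs"] for name, e in entries.items() if len(e["addrs"]) > 1}


def report(text: str) -> List[str]:
    """Human-readable health-check lines for one listing."""
    entries = parse_fqdn_list(text)
    lines = [f"{len(entries)} FQDN object(s) cached"]
    for name in unresolved_objects(entries):
        lines.append(f"WARNING: {name} has no resolved address (policies using it will block)")
    for name, addrs in multi_record_objects(entries).items():
        lines.append(f"{name}: {len(addrs)} A records -> {', '.join(addrs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING)))
```

Paste the real listing from the CLI into `report()` (or read it from a file) to get the same check against a live unit; a WARNING line is the signal to look at the hostname, the firewall's DNS settings and the object's cache-ttl before assuming the policy is doing what it was written to do.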

FQDN address objects are ONLY applicable to IPv4 addresses: for a host with both A and AAAA records, only the A record is displayed. The fqdn type is not available for address6 objects.

I haven't checked in FortiOS 5.4 to see whether this feature has changed.

Ken

NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
