Hot!FQDN Objects & IPv4 Policy

Page: < 12 Showing page 2 of 2
Author
CyberNorris
Silver Member
  • Total Posts : 67
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/09/15 08:44:40
  • Status: offline
Re: FQDN Objects & IPv4 Policy 2016/09/04 07:50:45 (permalink)
0
MikePruett
Yeah wildcard FQDN on 5.4.1 is no bueno so far. Major bummer too.




Not being able to use them in policies is a hinderance. I created an address group that contains both FQDN and Wildcard FQDN entries and even it is not visible for use by a firewall policy.
 
I've discovered that Wildcard FQDN is available for SSL Inspection profiles. Haven't had a chance yet to test on other security profile types.
 
A quick search of the docs doesn't reveal any restrictions on the use of Wildcard FQDN, but the same instruction on creating a Wildcard FQDN is available in both the Firewall Handbook for FortiOS 5.4.1 and FortiOS Handbook for FortiOS 5.4.1. You'd think that if it was in the Firewall Handbook for FortiOS 5.4.1, that it would be available for use in the firewall.
 
I'm asking support and other resources for information on when we can expect the use of Wildcard FQDN to be available in policies.
 

Norris Carden
Fortinet XTreme Team USA (2015, 2016)
CISSP (2005), CISA (2007), NSE4 (2016)
#21
mok
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/01/28 06:50:01
  • Status: offline
Re: FQDN Objects & IPv4 Policy 2017/04/19 03:09:34 (permalink)
0
Any news of this ?
#22
scerazy
Gold Member
  • Total Posts : 153
  • Scores: 0
  • Reward points: 0
  • Joined: 2009/12/22 14:09:01
  • Status: offline
Re: FQDN Objects & IPv4 Policy 2018/01/14 08:00:04 (permalink)
0
That is absolutely tragic!
How in 2018 I can not use wildcard FDQN in exceptions is beyond me!
I need to DNS whitelist *.msappproxy.net for use with Azure Active Directory Seamless Single Sign-On
 
I really do not need hundreds of lines of IP address ranges (it is difficult to maintain and even creat in first place, as there is not batch faility)
 
Shame on you Fortinet with your lazy coders!
#23
PiniPunk
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/02/22 04:32:44
  • Status: offline
Re: FQDN Objects & IPv4 Policy 2018/02/22 04:35:16 (permalink)
0
Someone knows if it's possible use wilcard FQDN in policies with FortiOS 5.6?
#24
scerazy
Gold Member
  • Total Posts : 153
  • Scores: 0
  • Reward points: 0
  • Joined: 2009/12/22 14:09:01
  • Status: offline
Re: FQDN Objects & IPv4 Policy 2018/02/23 05:01:04 (permalink)
0
Do like this
It works fine, I use it all the time when I need to exempt some domain (for whatever reason)
 
edit:
It does NOT work. Such policy allows EVERYTHING OUT. The above blog is plain wrong or the guy tested on some version of FortiOS that behaved different
post edited by scerazy - 2018/03/28 22:23:13
#25
smashingly
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/08/19 17:00:52
  • Status: offline
Re: FQDN Objects & IPv4 Policy 2018/08/19 17:10:38 (permalink)
0
Scerazy, I've just tried that approach on a FW60E with 6.0.1 and it worked fine for me.  I took this approach:
 
  1. Attempt connection to outlook.office.com and google.com = fails
  2. Configure webfilter profile allowing 10 or so Microsoft wildcard FQDNs (e.g. *.microsoftonline.com etc) as specified by Microsoft help docs.
  3. Create policy allowing my test host (on LAN interface) to ANY (on WAN interface), with any service, with Web Filter enabled.
  4. Attempt connection to outlook.office.com = succeeds, I get auth page.  Attempt connection to google.com = fails.
It was a basic pretty quick test, but it proved to me that it's a workable solution.  My biggest pain-point is a large customer deployment where their Skype for Business servers need to talk to a gazillion Microsoft Office365 hosts, and people have deployed various wildcard FQDNs in various firewall rules believing that it works (but it doesn't, as we've all discovered in this forum!) - I have implemented a rule based on a gazillion address objects representing all the known Microsoft datacentre IP ranges for the regions in use by us (Australia East & SouthEast) which gets it working, but as Microsoft likes to reallocate their IP address ranges globally on a regular basis, it's risky and needs to be kept up to date.  I'm investigating webfilters as a way around that.  But what I'm curious about is whether webfilters work with applications that aren't web browsers (e.g. Skype for Business talking to an O365 server on port 443).  Is the Webfilter feature just a dynamically-updated IP address filter, or does it inspect traffic more than that, expecting to see http browser headers etc?   (in other words, if I was to try to push another protocol like RDP over tcp/443, would the webfilter approach still work?)
 
#26
sw2090
Gold Member
  • Total Posts : 172
  • Scores: 10
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: FQDN Objects & IPv4 Policy 2018/08/19 23:27:46 (permalink)
0
Just 4 Info: Fortinet TAC told me upon a ticket that you cannot use wildcards in webfilter rating overrides so I could imagine you cannot also use them in objects.
 
Also keep in mind: if you manage your FGT with a FMG there is a known bug in FMG v5.4 that affects wildcard url filter entries in their order!
#27
Page: < 12 Showing page 2 of 2
Jump to:
© 2018 APG vNext Commercial Version 5.5