Support Forum
scerazy
New Contributor III

Need to exempt access to www.msftconnecttest.com

FTG, no matter what firmware version, does not allow wildcards.

This DNS entry resolves to a server farm *.c-msedge.net

And I need unrestricted access from any device on the network no matter what user web policies are

Any ideas?

Seb

rwpatterson
Valued Contributor III

Why not use FQDN? That should do it.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

scerazy
New Contributor III

Does it?

If it does then great

rwpatterson
Valued Contributor III

You tell me/us. Select that in the policy instead of IP address/subnet and let us know.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

scerazy
New Contributor III

Seems to work. Now if it could only do the same with a wildcard *.somednsname.com

Seb

dmcquade
New Contributor III

With firewall policies, you have to use FQDN. Wildcard FQDN objects are for use in security profiles. In your web filter, enable URL filters and create an entry of type Wildcard and enter the URL (e.g. *.abcdomain.com). You can set the action to either exempt or allow. Make sure the status of the entry is enabled (default).

HTH

d

sw2090
Honored Contributor

You can use wildcards on an FGT. However, you cannot use them in web rating overrides; that's officially not supported, as TAC told me once.

What you can do is use the URL filter instead, for it does support wildcards AND exempt.

The URL filter matches before rating overrides. So just inside your web filter profile enable the URL filter and create a rule for *.somednsname.com EXEMPT and it should work.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

scerazy
New Contributor III

That does NOT work as one would expect. ALL traffic goes out via such a rule.

Totally idiotic!

Spent hours with an L2 technician.

Simply unsupported (using wildcards in the way one most wants: unrestricted access from non-authenticated machine(s) to *.something.net) in current FortiOS.

Edit:

See the post below (it needs a last URL *.* Block to work correctly).

dmcquade
New Contributor III

Your configuration or approach is most likely wrong. This works for numerous clients and installations I have deployed. See this link for an explanation on wildcard FQDN and why you can't use them in the destination:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD35297

Use the URL filter within the Web Filter profile to make exceptions. I use this method all the time for machines that a client wants to restrict to a very specific set of URLs. You don't have to use categories, just enable URL filter and enter the list of allowed sites and at the end use a wildcard of *.* with an action of block. Very useful for servers that are required to reach out to public resources without exposing them to the rest of the Internet.
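As an added example (not posted by anyone in this thread, and not Fortinet's own documentation), here is the approach dmcquade describes above expressed as FortiOS CLI: an FQDN address object for the firewall policy, and a URL filter table in the web filter profile that exempts the wildcard domains and ends with a catch-all *.* block. The object names, table ID, profile name and the example domain *.abcdomain.com are assumptions chosen for illustration; the www.msftconnecttest.com name comes from the original question.

```fortios
# --- 1. FQDN object for use as a firewall policy destination ---
# Wildcard FQDNs are not accepted here, so the plain hostname from the
# question is used. The FortiGate resolves it and tracks the IPs itself.
config firewall address
    edit "msftconnecttest-fqdn"
        set type fqdn
        set fqdn "www.msftconnecttest.com"
    next
end

# --- 2. URL filter table: ordered, first match wins ---
# Entries are evaluated top to bottom. Wildcard exempts come first; the
# final "*.*" block entry is what makes the list a whitelist. Without it
# every unmatched request falls through to the rest of the profile.
config webfilter urlfilter
    edit 1
        set name "wildcard-exempt-list"
        config entries
            edit 1
                set url "*.msftconnecttest.com"
                set type wildcard
                set action exempt
                set status enable
            next
            edit 2
                set url "*.abcdomain.com"
                set type wildcard
                set action exempt
                set status enable
            next
            edit 3
                set url "*.*"
                set type wildcard
                set action block
                set status enable
            next
        end
    next
end

# --- 3. Web filter profile that references the table ---
# Attach this profile (set webfilter-profile "restricted-web") to the
# firewall policy that the unauthenticated devices hit.
config webfilter profile
    edit "restricted-web"
        config web
            set urlfilter-table 1
        end
    next
end
```

Two points a practitioner should keep in mind when copying this. First, "exempt" means the request skips the remaining web filter checks (including FortiGuard categories and rating overrides), so it is stronger than "allow", which still lets later checks run; choose "allow" if you only want the URL to bypass the *.* block but still be category-rated. Second, the URL filter can only match HTTPS hostnames if the policy also has an SSL/SSH inspection profile applied (certificate inspection is enough for a domain-level wildcard); without it the entries never see the hostname and the *.* block is what the device ends up hitting, or nothing matches at all. Verify the behaviour on your own FortiOS version with a single test host before rolling the profile out.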

scerazy
New Contributor III

OK, it was me; I missed the last URL of *.* Block.

That makes sense & it should work. In which case Fortinet support is as dumb as many times previously

Seb
