Any luck with wildcard * from 6.2.2

Author
scerazy
Gold Member
  • Total Posts : 177
  • Scores: 2
  • Reward points: 0
  • Joined: 2009/12/22 14:09:01
  • Status: offline
2019/10/16 11:54:38 (permalink)
0

Any luck with wildcard * from 6.2.2

I was hoping that 10 years later Fortinet eventually managed to pull off the logical URL access with wildcards.
So I was really excited about 6.2.2. Upgraded today (it did actually fix the constantly broken SSL connections), but the URL wildcard seems not to work.
 
All I need is a bunch of URLs that I allow all users to access, big or small, authenticated or not. Just everybody that hits the firewall.
One being, i.e., *.abtutor.com
Simple rule from LAN to Internet, source any, destination this very FQDN address.
 
Logged on to the workstation as a local user (hence no SSO to kick in), expected to be nicely presented with the AB Tutor site.
Instead all I got was the FortiGate login page!
 
Anybody had any luck?
 
Seb
#1

3 Replies

    AtiT
    Platinum Member
    • Total Posts : 472
    • Scores: 42
    • Reward points: 0
    • Joined: 2012/04/18 12:13:27
    • Location: Prague / Czech Republic
    • Status: offline
    Re: Any luck with wildcard * from 6.2.2 2019/10/16 15:11:24 (permalink)
    0
    Hello,
    The wildcard is working for me. This is something to do with DNS resolving, as per the documentation:
    When the wildcard FQDN gets the resolved IP addresses, FortiOS loads the addresses into the firewall policy for traffic matching.
     
    I have a FortiGate in a mode where the FortiGate provides DNS for clients on its local interfaces.
    Unfortunately this feature is not documented as it should be. Should the FGT be the source DNS for the clients, or can the clients access an external DNS server directly and the FGT will update its FQDN table according to the DNS server response? How many IP addresses can be in the buffer (cached) for one wildcard FQDN?
    Why does Fortinet not give all the information about the features? ... and not only about the features.
    It is very hard to get more detailed information about anything.
     
    If you want to see something like a FortiGate 6.2.2 admin guide or handbook, you will not find it. Only a cookbook for 6.2.0. Why does the admin guide/handbook not exist anymore?
    Where is the 6.2.2 cookbook containing information about the wildcard policy object?
     
    Check the last Handbook for the 6.0.6 FortiOS version. A very nice Handbook where you can find information about the firewall objects.
    Nobody wants the handbook anymore?
    I cannot see a 6.2.2 handbook, if one exists, on docs.fortinet.com.
     
    This is very sad :-(
     

    AtiT
    --------------------
    NSE 8, CCNP R+S
    #2
    boneyard
    Gold Member
    • Total Posts : 191
    • Scores: 8
    • Reward points: 0
    • Joined: 2014/07/30 11:15:18
    • Status: online
    Re: Any luck with wildcard * from 6.2.2 2019/12/07 02:58:55 (permalink)
    0
    wildcard will never work on firewall policies for other than HTTP traffic (where it will work with a webfilter profile).
     
    think about it
     
    a regular layer 3 request doesn't care about a hostname. it requests an IP address. so there you already have a problem.
     
    now for regular DNS entries (A record, CNAME ...) you can create the FQDN object, which looks up the DNS entry and saves that. so on layer 3 it is still an IP address which is compared by the FortiGate.
     
    this isn't a perfect solution either, especially when you have DNS entries which differ by region or use internal DNS which your FortiGate can't reach.
     
    but *.something.org isn't something you can look up, the wildcard can be every word and possibly go down levels, i.e. host.domain.domain.something.org. a DNS server isn't going to give you all possible IP addresses when you request *.
     
    so you are stuck here and this will never be possible. they might be able to do some tricks with looking at all DNS requests and actively adding those, but that will only work if the FortiGate sees the DNS request.
    #3
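    The mechanism described in the two posts above (an FQDN address object that is populated from DNS answers the firewall observes and then matched on destination IP at layer 3) can be modelled in a few lines. The following is an added illustration written for this thread; it is not FortiOS code and makes no claim about how FortiOS stores or ages its wildcard FQDN table. The class name, the TTL-based expiry, and the sample addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example. It shows the failure mode both posters point at: a client that resolved the name through a DNS server the firewall never saw hits an IP the object has not learned, so the policy does not match.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address


@dataclass
class WildcardFqdnObject:
    """Toy model of a wildcard FQDN address object such as '*.abtutor.com'.

    Constructed example: the object owns no addresses of its own. It can only
    be populated from DNS answers the firewall observes whose queried name
    matches the pattern, because '*' itself cannot be resolved.
    """
    pattern: str
    learned: dict = field(default_factory=dict)  # resolved IP -> expiry timestamp

    def matches_name(self, qname: str) -> bool:
        # Case-insensitive and tolerant of a trailing dot. fnmatch's '*' also
        # spans dots, so deeper labels (host.sub.abtutor.com) match '*.abtutor.com'.
        return fnmatch(qname.lower().rstrip("."), self.pattern.lower())

    def observe_dns_answer(self, qname: str, addresses, ttl: int, now: int) -> bool:
        """Learn addresses from an observed A-record answer; True if it applied."""
        if not self.matches_name(qname):
            return False
        for addr in addresses:
            self.learned[str(ip_address(addr))] = now + ttl
        return True

    def expire(self, now: int) -> None:
        """Drop addresses whose record TTL has elapsed (assumed ageing rule)."""
        self.learned = {ip: exp for ip, exp in self.learned.items() if exp > now}

    def matches_destination(self, dst_ip: str, now: int) -> bool:
        """The layer-3 policy check: only an already-learned IP can match."""
        self.expire(now)
        return str(ip_address(dst_ip)) in self.learned


def simulate() -> dict:
    """Walk a constructed timeline and return what the policy would decide."""
    obj = WildcardFqdnObject("*.abtutor.com")
    results = {}

    # t=0: the client already knows the IP (resolved via a DNS server the
    # firewall never saw). The object is still empty, so the policy cannot match.
    results["before_any_dns_seen"] = obj.matches_destination("203.0.113.10", now=0)

    # t=10: the firewall observes an answer for a name under the wildcard.
    obj.observe_dns_answer("www.abtutor.com", ["203.0.113.10", "203.0.113.11"], ttl=300, now=10)
    results["after_dns_seen"] = obj.matches_destination("203.0.113.10", now=11)

    # A deeper label is still under the wildcard and is learned as well.
    obj.observe_dns_answer("cdn.eu.abtutor.com", ["203.0.113.20"], ttl=300, now=12)
    results["deeper_label_learned"] = obj.matches_destination("203.0.113.20", now=13)

    # An unrelated name does not populate the object at all.
    results["unrelated_name_applied"] = obj.observe_dns_answer(
        "www.example.net", ["198.51.100.5"], ttl=300, now=14)
    results["unrelated_ip_matches"] = obj.matches_destination("198.51.100.5", now=15)

    # t=400: the 300-second TTL has passed; the learned addresses age out.
    results["after_ttl_expired"] = obj.matches_destination("203.0.113.10", now=400)
    results["learned_count_after_expiry"] = len(obj.learned)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

    The first result is the situation in the opening post: a workstation that resolves *.abtutor.com elsewhere reaches an address the object has never seen, so the allow rule does not apply and the user falls through to whatever the next policy does (here, the authentication portal). Making the FortiGate the clients' resolver, as the second post describes, is what puts the answers in front of the firewall so the object can be populated.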
    scerazy
    Gold Member
    • Total Posts : 177
    • Scores: 2
    • Reward points: 0
    • Joined: 2009/12/22 14:09:01
    • Status: offline
    Re: Any luck with wildcard * from 6.2.2 2019/12/09 03:31:20 (permalink)
    0
    wildcards *.something.??? work fine
    Of course that is not magic, they are simply dynamic DNS entries
     
    But for simple sites it does work OK
     
    My original query was due to misconfiguration!
    post edited by scerazy - 2019/12/09 03:33:07
    #4