
Author
SecurityPlus
Gold Member
  • Total Posts : 376
  • Scores: 4
  • Reward points: 0
  • Joined: 2014/08/11 18:41:34
  • Status: offline
2020/10/14 13:30:43 (permalink)
0

Policy - Destination - Wildcard FQDN

Using FortiOS 6.0.9. Need to run backups to a cloud server destination (*.domain.com). Was going to add an IPv4 policy with this address as the destination to exempt this traffic from normal antivirus, web filtering, DNS, etc. evaluation. I see that there is a Wildcard FQDN Address list. I created the address in this section but I can not list this address as the destination in the policy. I see that Wildcard FQDN Addresses are to be used in SSL exemptions and should not be used as source or destination addresses in policies. I can't be the first person to have this as a requirement. Is there a good workaround?
 
I think I noticed that newer firmware versions have this ability, but I was trying to wait until the 6.2 and 6.4 versions became more mature before upgrading.
post edited by SecurityPlus - 2020/10/14 13:51:48

FWF30E, FG40F, FG50E, FWF50E, FG60D, FWF60D, FG60E, FG60F, FG80E, FG100D
FortiOS 5.2, 5.4, 5.6, 6.0, 6.2, and 6.4
FortiSwitch FS-224E-POE
FAP-221E, FAP-221C
#1
sw2090
Expert Member
  • Total Posts : 790
  • Scores: 58
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Policy - Destination - Wildcard FQDN 2020/10/15 02:25:38 (permalink)
0
As far as I remember (but I might be wrong here) this is not supported in 6.0 but was implemented with 6.2. But you might have to take a look at the 6.2 release notes as I am not 100% sure.
 
#2
SecurityPlus
Gold Member
Re: Policy - Destination - Wildcard FQDN 2020/10/15 20:59:15 (permalink)
0
Thanks! What was the best way to handle this pre FortiOS 6.2? Was it necessary to specify FQDN without using wildcards?
 
Instead of:
*.domain.com
 
This might involve:
www.domain.com
domain.com
ftp.domain.com
server.domain.com

#3
lobstercreed
Platinum Member
  • Total Posts : 320
  • Scores: 37
  • Reward points: 0
  • Joined: 2018/11/28 14:57:58
  • Location: Sedalia, MO
  • Status: offline
Re: Policy - Destination - Wildcard FQDN 2020/10/16 06:39:56 (permalink)
0
Yes, that's the "right" way.  When I opened a TAC case about this a couple years ago it was explained to me that this was simply impossible, which made sense to me, so I'm extremely curious (and somewhat dubious) about how they're accomplishing this post 6.2  (I did test on my 6.4.2 env and it seems to work).
 
The point being made to me when TAC said it was impossible was, how can I, a humble user/network possibly find all subdomains of a domain?  I can't query for every word/non-word in the English language and most domains don't allow a zone transfer, soo...how could it even be done? 
 
The "address" is the layer 3/IP address part of the packet, so any domain has to be translated to the IP to determine if it should match, so you have to know what to look up.  That's totally different than when you're using a wildcard to inspect the SSL or HTTP headers for a web filter, which is why wildcard FQDNs could be used in that context.  So I am sitting here, still confused...if anyone can explain that would be great.
#4
emnoc
Expert Member
  • Total Posts : 5800
  • Scores: 383
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Policy - Destination - Wildcard FQDN 2020/10/16 08:20:18 (permalink)
0
Lobstercreed 
 
You're correct, that would not be feasible, and at worst you would tax the firewall trying to populate multiple A records in the local dns-cache, eating memory and CPU.
 
 
Next, if you tried to be creative and placed a wildcard, that would net you nothing, since the firewall would think you are looking for an A record with the name asterisk in it.
 
e.g.
 
config firewall address
    edit "widlcard-hp.com"
        set uuid 7dd39438-0fc2-51eb-94dd-2343bd0f9186
        set type fqdn
        set fqdn "*.hp.com"
    next
end

The local DNS cache can be reviewed via the CLI command "diag firewall fqdn list", FWIW, to validate FQDN resolution. If you really need to use a wildcard, you would need to build an FQDN list or something and apply that into the rule.
 
just my 2cts thoughts and observations
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#5
SecurityPlus
Gold Member
Re: Policy - Destination - Wildcard FQDN 2020/10/16 12:25:39 (permalink)
0
So if a trusted vendor asks us to whitelist *.domain.com and does not provide the non-wildcard FQDN addresses, and the firewall FortiOS does not support wildcard FQDN names in IPv4 policies, is there a workaround?

#6
lobstercreed
Platinum Member
Re: Policy - Destination - Wildcard FQDN 2020/10/16 12:33:13 (permalink)
0
It depends on what you take "whitelist" to mean.  I take it to mean "don't block me in your web filters or spam filters" and that's easy enough to do.  I would assume you have a general rule allowing at least HTTP/HTTPS traffic to all addresses, and maybe a web filter profile attached to that.  Whitelist them in that web filter, but it's not like you'd be crafting a special policy to allow XYZ ports to any and all hosts on some domain (or vice versa).
 
Any application that requires special ports open should be able to provide a list of IPs or FQDNs that the application reaches out to. If not, well....you have to open it to all hosts or monitor the traffic and figure out what it's doing for them -- because that is the network guy's job...to know how everything else works *sigh*
#7
emnoc
Expert Member
Re: Policy - Destination - Wildcard FQDN 2020/10/16 13:55:59 (permalink)
0
Agreed
 
Also, if the sites are to be whitelisted, the vendor probably can provide a list of the domain's hostnames. I'm working with a hosting provider that provides us the syntax of the hosted webservers even though 50% of them are not up. So we have an FQDN list
 
  web{XXX}.customerdomain.com
 
And I built FQDN address objects that we push to the FortiGate for all 1000 seq# 000-999, so if they add any server with that name, it's allowed and I do not have to go back and touch the policy.
 
FWIW I do not know of one firewall vendor that allows a wildcard dns-name ( FTNT JNPR CHKP PANW etc....) They use address-list, or webfilter rules for example.
 
 
Ken Felix
 

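A generator for the explicit-FQDN approach described in posts #3 and #7, added here as an example that is not code from the thread or from Fortinet: it expands a numbered pattern such as web{XXX}.customerdomain.com into one FQDN address object per host plus an address group a policy can reference, and it refuses a "*" because, as post #5 shows, the FortiGate would just try to resolve a hostname containing an asterisk. The object prefix, group name and customerdomain.com are constructed placeholders.

```python
import re
from typing import List

def expand_hosts(pattern: str) -> List[str]:
    """Expand a {XXX}-style sequence token into zero-padded hostnames.

    'web{XXX}.customerdomain.com' -> web000 ... web999 (10**width names).
    A pattern without a token is returned as a single explicit FQDN.
    A wildcard is rejected: a firewall address must resolve to IPs, and
    '*.domain.com' is not a resolvable name.
    """
    if "*" in pattern:
        raise ValueError("wildcards cannot be resolved; list explicit hosts")
    m = re.search(r"\{(X+)\}", pattern)
    if not m:
        return [pattern]
    width = len(m.group(1))
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [f"{head}{i:0{width}d}{tail}" for i in range(10 ** width)]

def fqdn_address_cli(hosts: List[str], prefix: str = "fqdn-") -> str:
    """Render 'config firewall address' entries, one FQDN object per host."""
    lines = ["config firewall address"]
    for h in hosts:
        lines += [f'    edit "{prefix}{h}"',
                  "        set type fqdn",
                  f'        set fqdn "{h}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)

def addrgrp_cli(group: str, hosts: List[str], prefix: str = "fqdn-") -> str:
    """Render an address group holding every generated object as a member."""
    members = " ".join(f'"{prefix}{h}"' for h in hosts)
    return "\n".join(["config firewall addrgrp",
                      f'    edit "{group}"',
                      f"        set member {members}",
                      "    next",
                      "end"])

def build_config(pattern: str, group: str) -> str:
    """Full CLI text: address objects first, then the group that a policy uses."""
    hosts = expand_hosts(pattern)
    return fqdn_address_cli(hosts) + "\n" + addrgrp_cli(group, hosts) + "\n"

if __name__ == "__main__":
    # constructed placeholder pattern; paste the output into the FortiGate CLI
    print(build_config("web{XXX}.customerdomain.com", "grp-customer-web"))
```

Run the output through "diag firewall fqdn list" afterwards, as post #5 suggests, to confirm the objects actually resolved.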
#8
SecurityPlus
Gold Member
Re: Policy - Destination - Wildcard FQDN 2020/10/17 19:08:03 (permalink)
0
Thanks everyone! I finally got the list of FQDNs so that the wildcard should not be necessary.

#9