Using wildcard FQDN addresses in firewall policies
You can use wildcard FQDN addresses in firewall policies.
The firewall policy types that support wildcard FQDN addresses include IPv4, IPv6, ACL, local, shaping, NAT64, NAT46, and NGFW.
Once FortiOS has resolved IP addresses for the wildcard FQDN, it loads them into the firewall policy for traffic matching. A wildcard such as *.fortinet.com cannot be queried directly: the FortiGate learns its addresses from DNS responses that pass through it, so until a client behind the FortiGate has resolved a matching hostname, the object is empty and a policy that uses it matches no traffic.
To create a wildcard FQDN using the GUI:
- Go to Policy & Objects > Addresses and click Create New > Address.
- Specify a Name.
- For Type, select FQDN.
- For FQDN, enter a wildcard FQDN address, for example, *.fortinet.com.
- Click OK.
To use a wildcard FQDN in a firewall policy using the GUI:
- Go to Policy & Objects > IPv4 Policy and click Create New.
- For Destination, select the wildcard FQDN.
- Configure the rest of the policy as needed.
- Click OK.
In this example, policy ID 2 uses the wildcard FQDN as its destination address.
To create a wildcard FQDN using the CLI:
config firewall address
    edit "test-wildcardfqdn-1"
        set uuid 7288ba26-ce92-51e9-04c0-39c707eb4519
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end
To use a wildcard FQDN in a firewall policy using the CLI:
config firewall policy
    edit 2
        set uuid 2f5ffcc0-cddc-51e9-0642-ab9966b202dd
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "test-wildcardfqdn-1"
        set action accept
        set schedule "always"
        set service "ALL"
        set auto-asic-offload disable
        set nat enable
    next
end
To list the IP addresses currently resolved for each FQDN object (wildcard and plain) using the CLI:
diagnose firewall fqdn list
List all FQDN:
*.fortinet.com: ID(48)
        ADDR(208.91.114.104)
        ADDR(208.91.114.142)
        ADDR(173.243.137.143)
        ADDR(65.104.9.196)
        ADDR(96.45.36.210)
*.google.com: ID(66)
        ADDR(172.217.14.238)
login.microsoftonline.com: ID(15)
        ADDR(40.126.7.64)
        ADDR(40.126.7.65)
        ADDR(40.126.7.66)
        ADDR(40.126.7.97)
        ADDR(40.126.7.99)
        ADDR(40.126.7.100)
        ADDR(40.126.7.101)
        ADDR(40.126.7.103)
To show how a firewall policy that uses a wildcard FQDN has been loaded into the policy lookup table, including the resolved addresses it currently matches, using the CLI:
diagnose firewall iprope list 100004
policy index=2 uuid_idx=46 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4200): no_asic resolve_sso
flag3 (20):
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=3 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 11 -> zone(1): 9
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
destination fqdn or dynamic address (1): *.fortinet.com ID(48) uuid_idx=57
        ADDR(208.91.114.104)
        ADDR(208.91.114.142)
        ADDR(173.243.137.143)
        ADDR(65.104.9.196)
        ADDR(96.45.36.210)
service(1): [0:0x0:0/(0,0)->(0,0)] helper:auto
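The script below is an added example, not FortiOS code and not part of the Fortinet documentation. It parses the output of diagnose firewall fqdn list and answers the two questions worth asking before trusting a policy built on a wildcard FQDN: has the object learned any addresses at all, and is the address a client is about to connect to among them (if it is not, the policy does not match and the traffic falls through to later policies or the implicit deny). The sample input is the diagnose output from this page pasted into a string, plus one constructed object (*.example.net, ID 70) that has learned no addresses, to show the empty case. The wildcard rule in hostname_matches (one or more leading labels, apex not included) is an assumption for illustration; the page does not state the exact matching rule.

```python
"""Check a wildcard FQDN object against `diagnose firewall fqdn list` output.

Added example: this is not FortiOS code. It parses the diagnose output,
reports objects that have learned no addresses, and tells you whether a
given destination IP is currently covered by a given FQDN object, i.e.
whether a policy with that object as dstaddr would match the packet now.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the `diagnose firewall fqdn list` output from the page,
# plus one made-up object (*.example.net, ID 70) that has learned no addresses.
SAMPLE_FQDN_LIST = """\
List all FQDN:
*.fortinet.com: ID(48)
        ADDR(208.91.114.104)
        ADDR(208.91.114.142)
        ADDR(173.243.137.143)
        ADDR(65.104.9.196)
        ADDR(96.45.36.210)
*.google.com: ID(66)
        ADDR(172.217.14.238)
login.microsoftonline.com: ID(15)
        ADDR(40.126.7.64)
        ADDR(40.126.7.65)
        ADDR(40.126.7.66)
        ADDR(40.126.7.97)
        ADDR(40.126.7.99)
        ADDR(40.126.7.100)
        ADDR(40.126.7.101)
        ADDR(40.126.7.103)
*.example.net: ID(70)
"""

OBJECT_RE = re.compile(r"^(?P<name>[^\s:]+):\s+ID\((?P<id>\d+)\)")
ADDR_RE = re.compile(r"ADDR\(([0-9A-Fa-f.:]+)\)")


@dataclass
class FqdnObject:
    name: str
    obj_id: int
    addrs: set = field(default_factory=set)

    @property
    def is_wildcard(self) -> bool:
        return self.name.startswith("*.")


def parse_fqdn_list(text: str) -> dict:
    """Return {object name: FqdnObject} from diagnose output.

    ADDR(...) entries may sit on the object's own line or on following
    indented lines; the 'List all FQDN:' header is skipped.
    """
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            current = FqdnObject(m["name"], int(m["id"]))
            objects[current.name] = current
        if current is None:
            continue  # header or noise before the first object
        for a in ADDR_RE.findall(line):
            current.addrs.add(ipaddress.ip_address(a))
    return objects


def hostname_matches(pattern: str, host: str) -> bool:
    """Would a DNS answer for `host` be learned into the object `pattern`?

    Assumed rule (not stated on the page): '*.' stands for one or more
    leading labels, so '*.fortinet.com' covers www.fortinet.com and
    a.b.fortinet.com but not the apex fortinet.com or evilfortinet.com.
    Plain FQDN objects match exactly; comparison is case-insensitive and
    ignores a trailing dot.
    """
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is e.g. ".fortinet.com"
    return host == pattern


def policy_would_match(objects: dict, dst_object: str, dst_ip: str) -> bool:
    """True if a packet to dst_ip hits a policy whose dstaddr is dst_object,
    given the addresses currently loaded. Always False for an empty object."""
    try:
        obj = objects[dst_object]
    except KeyError:
        raise KeyError(f"no FQDN object {dst_object!r} in diagnose output") from None
    return ipaddress.ip_address(dst_ip) in obj.addrs


def empty_objects(objects: dict) -> list:
    """Names of objects with no learned addresses. A policy whose only dstaddr
    is such an object matches nothing; traffic falls through to later policies
    or the implicit deny."""
    return sorted(name for name, obj in objects.items() if not obj.addrs)


if __name__ == "__main__":
    objs = parse_fqdn_list(SAMPLE_FQDN_LIST)
    for name in empty_objects(objs):
        print(f"WARNING: {name} has learned no addresses yet")
    for ip in ("208.91.114.104", "172.217.14.238"):
        print(ip, "covered by *.fortinet.com:",
              policy_would_match(objs, "*.fortinet.com", ip))
```

On a live unit, paste the real diagnose output in place of SAMPLE_FQDN_LIST. If a client resolves a matching hostname through a resolver the FortiGate never sees (an external DNS server reached over a different path, or DNS over HTTPS), the address it gets will not appear in the object and policy_would_match returns False even though the hostname itself matches the wildcard; that is the case this check is meant to surface.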