By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the firewall's ability to follow address changes dynamically, without having to edit the addresses on the FortiGate by hand. FQDN addresses are most often used for external web sites, but they can be used for internal sites as well if a trusted DNS server that resolves those names can be reached. FQDN addressing also comes in handy for large web sites that spread a single name over multiple addresses and load balancers. The FortiGate firewall automatically maintains a cached record of all the addresses that DNS returns for the FQDN addresses in use.
For example, if you wanted a security policy that involved Google and were doing this manually, you would have to track down every IP address Google uses across multiple countries and keep that list current. Using an FQDN address is simpler and more convenient.
When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com.
Valid FQDN formats include:
- <host_name>.<top_level_domain_name>, such as example.com
- <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com
When creating FQDN entries it is important to remember that:
- Wildcards are not supported in FQDN address objects
- While convention would imply it, “www.example.com” is not necessarily the same address as “example.com”. Each has its own record on the DNS server, and an FQDN address object matches only the name it was created with.
The FortiGate firewall keeps track of the DNS TTLs, so as the records change on the DNS servers the IP addresses used by the policy are updated with them. As long as the FQDN address is used in a security policy, the resolved addresses are kept in the DNS cache and refreshed when their TTL expires.
There is a possible security downside to using FQDN addresses. Using a fully qualified domain name in a security policy means that your policies rely on the DNS server being accurate and uncompromised. In the past DNS servers were not seen as likely targets, because the thinking was that there was little of value on them, and as a result they are often not as well protected as other network resources. It is now more widely understood that the value of a DNS server is that it largely controls where users and computers go on the Internet. Should the DNS server be compromised, an attacker who can change the answer for a name used in a policy can steer that policy toward addresses of their choosing, and policies that depend on name resolution may no longer behave as intended.
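The following Python simulation is an added example, not FortiGate code, that shows the behaviour described in the two paragraphs above: an FQDN address object caches the A records for its name, re-resolves when the TTL expires, treats “www.example.com” and “example.com” as separate records, and (the caveat) follows whatever the resolver answers, including an attacker-controlled address after the DNS server is compromised. `FakeDns`, the zone data, the host names and all IP addresses are constructed for the example.

```python
"""Simulation of how a firewall keeps an FQDN address object current.

Constructed example: FakeDns stands in for the DNS server the firewall
queries; the zone data, names and addresses below are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# name -> (TTL in seconds, list of A records). Constructed zone data.
ZONE: Dict[str, Tuple[int, List[str]]] = {
    "example.com":     (300, ["203.0.113.10"]),
    "www.example.com": (300, ["203.0.113.20", "203.0.113.21"]),  # two load balancers
    "ftp.example.com": (60,  ["198.51.100.5"]),
}


class FakeDns:
    """Minimal stand-in for a recursive resolver: answers only from ZONE."""

    def __init__(self, zone: Dict[str, Tuple[int, List[str]]]):
        self.zone = {k.lower().rstrip("."): v for k, v in zone.items()}

    def query_a(self, name: str) -> Tuple[int, List[str]]:
        # Exact-name lookup only: a wildcard such as "*.example.com" is not
        # a valid FQDN address object and gets no special handling here.
        key = name.lower().rstrip(".")
        if key not in self.zone:
            raise LookupError(f"NXDOMAIN: {name}")
        ttl, ips = self.zone[key]
        return ttl, list(ips)

    def update(self, name: str, ttl: int, ips: List[str]) -> None:
        """Zone change on the server side (legitimate, or an attacker's)."""
        self.zone[name.lower().rstrip(".")] = (ttl, list(ips))


@dataclass
class FqdnAddress:
    """An FQDN address object: caches resolved IPs until the TTL expires."""
    fqdn: str
    _ips: Set[str] = field(default_factory=set)
    _expires_at: float = -1.0

    def addresses(self, dns: FakeDns, now: float) -> Set[str]:
        if now >= self._expires_at:               # TTL expired, or never resolved
            ttl, ips = dns.query_a(self.fqdn)
            self._ips = set(ips)
            self._expires_at = now + ttl
        return set(self._ips)


def policy_allows(dst_ip: str, obj: FqdnAddress, dns: FakeDns, now: float) -> bool:
    """A policy using the object matches iff dst_ip is one of the cached IPs."""
    return dst_ip in obj.addresses(dns, now)


def demo() -> dict:
    dns = FakeDns(ZONE)
    www = FqdnAddress("www.example.com")
    apex = FqdnAddress("example.com")
    results = {}

    # 1. Load-balanced site: every A record is matched, no manual list needed.
    results["both_lb_ips"] = (policy_allows("203.0.113.20", www, dns, now=0)
                              and policy_allows("203.0.113.21", www, dns, now=0))
    # 2. www.example.com and example.com are separate records.
    results["apex_is_not_www"] = not policy_allows("203.0.113.10", www, dns, now=0)
    results["apex_matches_own"] = policy_allows("203.0.113.10", apex, dns, now=0)
    # 3. Server-side change: invisible until the cached TTL (300 s) runs out.
    dns.update("www.example.com", 300, ["203.0.113.30"])
    results["stale_before_ttl"] = policy_allows("203.0.113.20", www, dns, now=100)
    results["new_ip_before_ttl"] = policy_allows("203.0.113.30", www, dns, now=100)
    results["new_ip_after_ttl"] = policy_allows("203.0.113.30", www, dns, now=300)
    results["old_ip_after_ttl"] = policy_allows("203.0.113.20", www, dns, now=300)
    # 4. The caveat: a compromised resolver answering with an attacker's
    #    address makes the policy permit that address after the next refresh.
    dns.update("www.example.com", 300, ["192.0.2.66"])  # attacker-controlled
    results["poisoned_after_ttl"] = policy_allows("192.0.2.66", www, dns, now=600)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Step 3 is why a change on the DNS server does not take effect on the firewall immediately: the old answer stays in force until its TTL runs out, and the new one is not matched before that. Step 4 is the downside in concrete form, since the object has no way to tell a legitimate zone update from a poisoned answer.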
Creating a Fully Qualified Domain Name address
- Go to Policy & Objects > Objects > Addresses.
- Select Create New.
- If you use the down arrow next to Create New, select Address.
- Choose the Category, “Address”.
- Input a Name for the address object.
- Select FQDN from the Type dropdown menu.
- Input the domain name in the FQDN field.
- Select the Interface from the dropdown menu.
- Check the Visibility box.
- Input any additional information in the Comments field.
- Press OK.
Example of an FQDN address for a remote FTP server used by the Accounting team:
| Field | Value |
|---|---|
| Comments | Third party FTP server used by Payroll. |