By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the dynamic ability of DNS to keep up with address changes without having to manually change the addresses on the FortiGate. FQDN addresses are most often used with external web sites but they can be used for internal web sites as well if there is a trusted DNS server that can be accessed. FQDN addressing also comes in handy for large web sites that may use multiple addresses and load balancers for their web sites. The FortiGate firewall automatically maintains a cached record of all the addresses resolved by the DNS for the FQDN addresses used.
For example, if you wanted a security policy that involved Google and were doing this manually, you would have to track down all of the IP addresses that Google uses across multiple countries and keep them current. Using an FQDN address is simpler and more convenient.
When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com.
Valid FQDN formats include:
- <host_name>.<top_level_domain_name> such as example.com
- <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com
When creating FQDN entries it is important to remember that:
- Wildcards are not supported in FQDN address objects
- While convention might suggest otherwise, “www.example.com” is not necessarily the same address as “example.com”; each has its own record on the DNS server.
The FortiGate firewall keeps track of the DNS TTLs so as the entries change on the DNS servers the IP address will effectively be updated for the FortiGate. As long as the FQDN address is used in a security policy, it stores the address in the DNS cache.
There is a possible security downside to using FQDN addresses. Using a fully qualified domain name in a security policy means that your policies rely on the DNS server being accurate and correct. In the past, DNS servers were not seen as potential targets because the thinking was that there was little of value on them, so they are often not as well protected as other network resources. People are becoming more aware that the value of a DNS server is that, in many ways, it controls where users and computers go on the Internet. Should the DNS server be compromised, security policies that depend on domain name resolution may no longer function properly.
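The following is an added illustration, not FortiGate code and not from this page: a small Python model of the TTL-driven cache described above, showing that "www.example.com" and "example.com" are separate records, that a changed DNS answer only takes effect once the cached TTL expires, and that each change in the resolved set is worth recording because it silently widens or narrows the policy. The zone data, the resolver and the addresses (RFC 5737 documentation ranges) are constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a DNS zone: fqdn -> (A records, TTL in seconds).
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
ZONE = {
    "example.com": (["192.0.2.1"], 300),
    "www.example.com": (["203.0.113.10", "203.0.113.11"], 60),
}

def update_zone(fqdn, ips, ttl):
    """Simulate the zone operator (or whoever controls the DNS server) changing records."""
    ZONE[fqdn] = (list(ips), ttl)

def sample_resolver(fqdn):
    """Stand-in for the DNS server the firewall queries; only exact names resolve."""
    return ZONE[fqdn]   # no wildcards: 'www.' and the apex are separate records

@dataclass
class FqdnEntry:
    ips: frozenset     # resolved addresses currently treated as part of the object
    expires_at: float  # time at which the record's TTL runs out and a re-query is due

class FqdnAddressCache:
    """Models how a firewall keeps an FQDN address object current using DNS TTLs."""
    def __init__(self, resolver):
        self._resolve = resolver
        self._cache = {}
        self.changes = []   # (fqdn, old_ips, new_ips): audit trail for drift detection

    def lookup(self, fqdn, now):
        entry = self._cache.get(fqdn)
        if entry is None or now >= entry.expires_at:
            ips, ttl = self._resolve(fqdn)
            new = frozenset(ipaddress.ip_address(i) for i in ips)
            if entry is not None and new != entry.ips:
                self.changes.append((fqdn, entry.ips, new))  # policy scope just moved
            entry = FqdnEntry(new, now + ttl)
            self._cache[fqdn] = entry
        return entry.ips

    def policy_matches(self, fqdn, dst_ip, now):
        """Would a policy whose destination is this FQDN object match dst_ip at time now?"""
        return ipaddress.ip_address(dst_ip) in self.lookup(fqdn, now)
```

Reviewing the `changes` list (or, on a real unit, the addresses the firewall currently holds for each FQDN object) against what you expect is the practical check for the DNS dependency described above.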
Creating a Fully Qualified Domain Name address
- Go to Policy & Objects > Addresses.
- Select Create New. A drop down menu is displayed. Select Address.
- In the Category field, choose Address. (This is for IPv4 addresses.)
- Input a Name for the address object.
- In the Type field, select FQDN from the drop down menu.
- Input the domain name in the FQDN field.
- In the Interface field, leave as the default any or select a specific interface from the drop down menu.
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
- Input any additional information in the Comments field.
- Press OK.
Example: FQDN address
You have to create a policy that will govern traffic going to a site that has a number of servers on the Internet. Depending on the traffic, or on whether one of the servers is down, network traffic can go to any one of those servers. The consistent factor is that they all use the same Fully Qualified Domain Name.
- The FQDN of the web site: example.com
- The number of ISP connections off of the FortiGate firewall: 2
Configuring the address in the GUI
- Go to Policy & Objects > Objects > Addresses and select Create New > Address.
- Fill out the fields with the following information:
  - Show in Address List: <Input into this field is optional>
- Select OK.
Configuring the address in the CLI
config firewall address
    edit <address_name>
        set type fqdn
        set associated-interface any
        set fqdn bigwebsite.com
    next
end
To verify that the addresses were added correctly:
- Go to Firewall Objects > Address > Addresses. Check that the addresses have been added to the address list and that they are correct.
- Enter the following CLI command:
config firewall address
    edit <the name of the address that you wish to verify>
        show
    next
end