Fortigate: How to allow (or deny) wildcard FQDN (Domains) in Policy

The short answer is no, it won't work.

As we all know, a wildcard FQDN firewall address should not be used in a firewall policy (full details here). The simple explanation is that the firewall cannot resolve *.example.com when it evaluates the policy, so the rule has no addresses to match against.

There is, however, a workaround: use a web policy, i.e. a Web Filter profile, instead.

In my scenario, I am controlling what my users are able to access on the internet. This is a common setup for enterprise networks that use a web proxy to control which websites their users can reach. I have a few trusted sites that I want my users to access even without the proxy. For the sake of simplicity, let's say I am allowing my users to access google.com even without the proxy.

On the policy, we can set an FQDN address object for every site they can access. But as I mentioned, a wildcard FQDN firewall address should not be used in a firewall policy, so you would need to add each and every FQDN (mail.google.com, maps.google.com, plus.google.com, and so on). If there are too many FQDNs and you don't want to add them one by one, apply this workaround.

Note that this was done on a FortiGate running FortiOS 5.2.

1. Create a new Web Filter profile under Security Profiles -> Web Filter -> Add.

2. Give your custom Web Filter profile a name.

Tick FortiGuard Categories and set every category to "BLOCK" except for "custom1", which you set to "ALLOW". The idea is to deny every website and allow only those listed in the "custom1" category.


3. Set up your policy as you normally would. Set Service to only "HTTP/HTTPS" (if you are limiting only web access, as in this example) or to whichever services you are controlling. Set Action to "ACCEPT" (obviously, if you set it to "DENY" there is no option to set NAT or a Web Filter 🙂).

Then enable Web Filter and choose the profile you just created.


4. Make sure you place the policy near the bottom (it should have the lowest priority) so that it does not override any other relevant rules, particularly the rule that allows the proxy server to reach the internet. You don't want this rule to match first.

5. Access should now work to the allowed sites (in my case, any subdomain within *.google.com) and everything else will be denied.

When I try to browse a website that is not in the allowed list, the browser shows the web filter's block page:

[Screenshot: block page]
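The following is an added example (not part of the original post, and not FortiGate code) that simulates the difference between the two approaches described above. A destination-address rule only ever sees an IP, so a wildcard such as *.google.com can at best be expanded into the addresses of names already known, which misses new subdomains and drags in unrelated sites that share an address. A web filter sees the requested hostname (the HTTP Host header, or for HTTPS the SNI or certificate name) and can apply a default-deny allowlist the way the "custom1" category does. All hostnames, addresses and request lines are constructed for the example.

```python
"""Why *.example.com works as a web-filter allowlist but not as a
destination-address firewall rule. Added example; every hostname, IP
address and HTTP request below is constructed."""
import re
from fnmatch import fnmatchcase

# The allowlist that would be rated into the "custom1" category.
ALLOWED_PATTERNS = ["*.google.com", "google.com"]

# Constructed resolver view. Two unrelated names share 203.0.113.10,
# which is common behind CDNs and is what breaks address-based allow rules.
CONSTRUCTED_DNS = {
    "mail.google.com": "203.0.113.10",
    "maps.google.com": "203.0.113.11",
    "shared-cdn.example.net": "203.0.113.10",
    "unrelated.example.org": "203.0.113.20",
}


def host_matches(host, patterns=ALLOWED_PATTERNS):
    """Case-insensitive wildcard match of a Host header value.
    Strips an optional :port and trailing dot (hostname/IPv4 form only)."""
    host = host.lower().rstrip(".").split(":")[0]
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def web_filter_decision(raw_request):
    """What the web-filter layer can do: rate the request by its Host header.
    Default-deny: only allowlisted (custom1) hosts are accepted, and a request
    without a Host header cannot be rated, so it is blocked too."""
    m = re.search(r"^Host:\s*(\S+)\s*$", raw_request, re.I | re.M)
    if not m:
        return "block"
    return "allow" if host_matches(m.group(1)) else "block"


def expand_pattern_by_ip(pattern, dns=CONSTRUCTED_DNS):
    """Best-effort expansion a firewall could attempt for a wildcard: collect
    the addresses of every name it has already seen that matches the pattern.
    There is no DNS record for the wildcard itself, so this is all it can do."""
    return {ip for name, ip in dns.items() if host_matches(name, [pattern])}


def address_rule_decision(dst_ip, allowed_ips):
    """What a plain firewall policy sees: only the destination address."""
    return "allow" if dst_ip in allowed_ips else "block"


if __name__ == "__main__":
    allowed_ips = expand_pattern_by_ip("*.google.com")
    for name, ip in CONSTRUCTED_DNS.items():
        req = f"GET / HTTP/1.1\r\nHost: {name}\r\n\r\n"
        print(f"{name:24} ip-rule={address_rule_decision(ip, allowed_ips):5} "
              f"web-filter={web_filter_decision(req)}")
```

Running the block shows shared-cdn.example.net being allowed by the address-based rule (it shares 203.0.113.10 with mail.google.com) while the hostname-based web filter blocks it, and a brand-new subdomain of google.com would be allowed by the web filter without any rule change.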
