Fortigate: How to allow (or deny) wildcard FQDN (Domains) in Policy

 

Does wildcard FQDNs work in policies? The answer is No. 

But there is other way to allow wildcards through.

As we all know, Wildcard FQDN firewall address should not be used in a firewall policy (Full details here). Simple explanation is that because the Firewall wont be able to query on to *.example.com when it tests by the policy.

There, however is a workaround. Use WEB-POLICY.

In my scenario, I am controlling what my users will be able to access in the internet. This is a common setup for enterprise networks that uses a Web Proxy to control websites their users can access. I have a few trusted sites that I want my users to access even without a proxy. For the sake of simplicity in example, lets say I am allowing my users to access google.com even without a proxy.

On the policy, we can set an FQDN Address object for every site they can access. But as I mentioned, Wildcard FQDN firewall address should not be used in a firewall policy, therefore you will need to add each and every FQDNs (mail.google.com, maps.google.com, plus.google.com) or if there are too many FQDNs and you dont want to add  them one-by-one then apply this workaround.

Note that this is bit buggy for Fortigate FortiOS 5.2 but works well for the later versions.

  1. Create a new Web Filter Profile. Under Security Profiles -> Web Filter -> Add0001

2. Give a name to your custom Web Filter.

Tick to enable URL Filter, and populate the list of sites with you wish to allow. In creating an entry for wildacrd, set the type to “Wildcard” and type the URL with asterisk to denote as wildcard, for example, *.google.com. So any sites within the *.google.com such as maps.google.com etc, is covered. Set action to “Allow”.

wildcard

Remember to add a default deny rule at the bottom of the list

URL = *.*

Type = WIldcard

Action: Deny

 

 

3. Set your policy as you would normally set it, make sure to set Service to only “HTTP/HTTPS” (if you are limiting web access like for this example) or also depends on whatever services are you controlling. Set Action to “ACCEPT”. (because  obviously if you set it to “Deny” there is no option to set NAT or Web Filter.. 🙂

Then enable Web Filter, and choose the profile you just created.

0003

*Best practice, is to create a new object policy for all. and rename it to soemthing like “ALL-with Web Filter” applied so at quick look at the policy it would’nt appear as an allow-all, security Profiles are often overlooked.

4. Make sure you place the Policy at near bottom (as this should be of least priority) so as not to override any other relevant rules, particularly the rule that will allow proxy server to get to the internet. You dont want this rule to match first.

5. Access should now work to the allowed sites (in my case any subdomains within *.google.com) and all others will be denied.

Error page as below when I try to browse some website, not allowed in my policy.

0004

 

 

 

5 thoughts on “Fortigate: How to allow (or deny) wildcard FQDN (Domains) in Policy

  1. I’m no longer sure where you are getting your info, but great topic. I needs to spend some time finding out much more or working out more. Thanks for wonderful information I used to be looking for this information for my mission.

    Like

  2. Great blog here! Additionally your website lots up fast! What host are you the use of? Can I get your affiliate link in your host? I wish my website loaded up as fast as yours lol

    Like

  3. DO you know if there is a way to stop telnet connections as well. So for exmple browsing to msn.com is blocked through browser but I am still able to telnet to msn.com on 443

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s