IPv4 Addresses
When creating an IPv4 address there are a number of different types of addresses that can be specified. These include:
- FQDN
- Geography
- IP Range
- IP/Netmask
- Wildcard FQDN
Which one is chosen will depend on which method most easily yet accurately describes the addresses that you are trying to include, with as few entries as possible, based on the information that you have. For instance, if you are trying to describe the addresses of a specific company’s web server but you have no idea how extensive their web server farm is, you would be more likely to use a Fully Qualified Domain Name (FQDN) rather than a specific IP address. On the other hand, some computers don’t have FQDNs and a specific IP address must be used.
The following is a more comprehensive description of the different types of addresses.
FQDN Addresses
By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the dynamic ability of DNS to keep up with address changes without having to manually change the addresses on the FortiGate. FQDN addresses are most often used with external web sites but they can be used for internal web sites as well if there is a trusted DNS server that can be accessed. FQDN addressing also comes in handy for large web sites that may use multiple addresses and load balancers for their web sites. The FortiGate firewall automatically maintains a cached record of all the addresses resolved by the DNS for the FQDN addresses used.
For example, if you were doing this manually and you wanted to have a security policy that involved Google, you would have to track down all of the IP addresses that they use across multiple countries. Using an FQDN address is simpler and more convenient.
When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com. Valid FQDN formats include:
- <host_name>.<top_level_domain_name> such as example.com
- <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com
When creating FQDN entries it is important to remember that:
- Wildcards are not supported in FQDN address objects
- While convention would imply it, “www.example.com” is not necessarily the same address as “example.com”. They will each have their own records on the DNS server.
The FortiGate firewall keeps track of the DNS TTLs, so as the entries change on the DNS servers the IP addresses are effectively updated on the FortiGate. As long as the FQDN address is used in a security policy, the FortiGate keeps the resolved address in its DNS cache.
There is a possible security downside to using FQDN addresses. Using a fully qualified domain name in a security policy means that your policies rely on the DNS server being accurate and correct. In the past, DNS servers were not seen as potential targets because the thinking was that there was little of value on them, and they are therefore often not as well protected as other network resources. People are becoming more aware that the value of the DNS server lies in the fact that, in many ways, it controls where users and computers go on the Internet. Should the DNS server be compromised, security policies that require domain name resolution may no longer function properly.
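The TTL-driven caching just described can be modelled in a few lines. The following is an added example, not FortiOS code or Fortinet documentation: it keeps a resolved address set per FQDN object until the record's TTL expires, rejects wildcards for the FQDN type, and treats www.example.com and example.com as distinct records. FakeResolver, its records and the IP addresses are all constructed for the example.

```python
import re

# Labels of letters, digits and hyphens, host.tld or deeper; "*" never matches.
_FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def validate_fqdn(name):
    """Normalise a name for an address object of type FQDN. Wildcards belong to
    the separate Wildcard FQDN type, so they are rejected here."""
    n = name.strip().lower().rstrip(".")
    if "*" in n:
        raise ValueError(f"wildcards are not supported in FQDN address objects: {name!r}")
    if not _FQDN_RE.match(n):
        raise ValueError(f"not a valid FQDN: {name!r}")
    return n


class FakeResolver:
    """Constructed stand-in for the DNS server the FortiGate queries (hypothetical).
    records map fqdn -> (ttl_seconds, [addresses]); the IPs are documentation ranges."""
    def __init__(self):
        self.records = {
            "ftp.payrollcompany.com": (300, ["203.0.113.10", "203.0.113.11"]),
            "example.com": (60, ["198.51.100.5"]),
            "www.example.com": (60, ["198.51.100.20"]),
        }
        self.queries = 0  # counts real lookups, to show when the cache is used

    def resolve(self, fqdn):
        self.queries += 1
        return self.records[fqdn]


class FqdnAddressCache:
    """Models the behaviour described above: resolved addresses stay cached and are
    looked up again only once the record's TTL has expired. clock() returns seconds."""
    def __init__(self, resolver, clock):
        self.resolver, self.clock, self._cache = resolver, clock, {}

    def addresses(self, fqdn):
        fqdn = validate_fqdn(fqdn)
        entry = self._cache.get(fqdn)
        if entry is None or self.clock() >= entry[0]:  # missing or TTL expired
            ttl, fresh = self.resolver.resolve(fqdn)
            entry = (self.clock() + ttl, frozenset(fresh))
            self._cache[fqdn] = entry
        return entry[1]

    def policy_matches(self, fqdn, dst_ip):
        # True if traffic to dst_ip matches a policy that uses this FQDN object.
        return dst_ip in self.addresses(fqdn)
```

The counter on FakeResolver makes the cache behaviour visible: a changed DNS record is not seen by the policy until the old TTL runs out, which is also why a poisoned or compromised DNS answer persists for its full TTL.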
Creating a Fully Qualified Domain Name address
1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address.
3. In the Category field, choose Address. (This is for IPv4 addresses.)
4. Input a Name for the address object.
5. In the Type field, select FQDN from the drop down menu.
6. Input the domain name in the FQDN field.
7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
9. Input any additional information in the Comments field.
10. Press OK.
Example
Example of an FQDN address for a remote FTP server used by the Accounting team:
| Field | Value |
|---|---|
| Category | Address |
| Name | Payroll_FTP_server |
| Type | FQDN |
| FQDN | ftp.payrollcompany.com |
| Interface | any |
| Show in Address List | on |
| Comments | Third party FTP server used by Payroll. |
Geography Based Addresses
Geography addresses are those determined by country of origin. This type of address is only available in the IPv4 address category.
Creating a Geography address
1. Go to Policy & Objects > Addresses.
2. Select Create New. A drop down menu is displayed. Select Address.
3. In the Category field, choose Address. (This is for IPv4 addresses.)
4. Input a Name for the address object.
5. In the Type field, select Geography from the drop down menu.
6. In the Country field, select a single country from the drop down menu.
7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
9. Input any additional information in the Comments field.
10. Press OK.