Question:
I have applied an FQDN object with a wildcard as destination network in one of my IP Policies. But currently the traffic won't match the rule and the traffic is dropped. If I remove the wildcard and input the whole FQDN address, everything works. Something must be wrong with the firewall.
Answer:
First we must go through how FQDN wildcards work in cOS Core.
For wildcards to work, a DNS Profile must be applied to the DNS policy; see the cOS Core Admin Guide, for example version 14.00.00, section 6.1.12 DNS ALG (page 640) and page 193.
Because FQDN objects with a wildcard rely on DNS, there are scenarios where the object is not updated with the correct address and the traffic is blocked.
A wildcard FQDN object is updated when the firewall sees a DNS query from a client: if the queried name matches the object, the resolved IP is added to the firewall's cache for that object.
If the name is already in the client's own DNS cache, no DNS query is sent, and the firewall's cache for the object stays empty because the firewall never sees a query. The policy and object then do not work as expected, since the firewall has no record of the resolved DNS entry.
This can be solved by flushing the client's DNS cache, or by testing from another client that has not resolved the FQDN yet. Another option is to run your own DNS server with a low TTL, so that you do not end up in a situation where a client holds a resolved FQDN that is not present in the firewall.
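The cache behaviour described above, as an added example: a small Python model (not cOS Core code) of a wildcard FQDN object that only learns addresses from DNS answers the firewall actually sees. The client, the upstream answer 203.0.113.10, the name api.example.com and the TTLs are all constructed.

```python
# Added example, not Clavister's code: a toy model of how a wildcard FQDN
# object is only populated from DNS answers the firewall actually sees.
class ClientResolver:
    """Stub client with its own DNS cache; it only queries on a cache miss."""
    def __init__(self, upstream, firewall):
        self.upstream = upstream      # callable: name -> (ip, ttl); constructed
        self.firewall = firewall      # the firewall sitting on the DNS path
        self.cache = {}               # name -> (ip, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]             # served from cache: no query leaves the host
        ip, ttl = self.upstream(name)
        self.cache[name] = (ip, now + ttl)
        self.firewall.observe_dns_answer(name, ip, now + ttl)
        return ip

    def flush(self):
        self.cache.clear()


class WildcardFqdnObject:
    """Firewall-side '*.example.com' object filled from observed DNS answers."""
    def __init__(self, pattern):
        self.suffix = pattern.lstrip("*")   # '*.example.com' -> '.example.com'
        self.addresses = {}                 # ip -> expires_at

    def observe_dns_answer(self, name, ip, expires_at):
        if name.endswith(self.suffix):
            self.addresses[ip] = expires_at

    def allows(self, ip, now):
        exp = self.addresses.get(ip)
        return exp is not None and exp > now


def scenario(ttl, flush_client=False):
    """Return (allowed_before, allowed_after) the firewall loses its cache."""
    upstream = lambda name: ("203.0.113.10", ttl)   # constructed sample answer
    fw = WildcardFqdnObject("*.example.com")
    client = ClientResolver(upstream, fw)
    ip = client.resolve("api.example.com", now=0)
    before = fw.allows(ip, now=1)
    fw.addresses.clear()            # e.g. firewall restart; client cache intact
    if flush_client:
        client.flush()
    ip = client.resolve("api.example.com", now=2)
    return before, fw.allows(ip, now=2)
```

With a long TTL the second lookup never leaves the client, so the firewall drops the traffic; flushing the client cache or using a short TTL makes the client query again and the object repopulates.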