How does the FQDN Wildcard work?
Last modified on 8 Feb, 2022. Revision 7
How does the FQDN Wildcard work?
| Up to date for | 14.00.00 |
| Supported since | 12.00.10 |
| Status | OK |
Question:
I have applied a FQDN-Object with a wildcard as destination net in one of my IP-Policys. But currently the traffic wont match the rule and the traffic is dropped. If i remove the wildcard and input the whole FQDN-address everything works. Something must be wrong with the firewall.
Answer:
First we must go through how the FQDN Wildcard works in cOS Core.
To get the wildcards to work it needs a DNS-Profile applied to the DNS-policy, read more about this in the cOS Core Admin Guide, example for version 14.00.00 section 6.1.12. DNS ALG, page 640 and on page 193.
As the FQDN-objects with wildcard relies on DNS to work, there are some scenarios when the objects wont update with the correct address and the traffic will be blocked.
The FQDN Wildcard object is updated when a DNS query is made from the client, and if it matches the FQDN-object the IP will be added to the cache for that object on the firewall.
If the IP is already in the cache of the client, no DNS query will be made and the firewalls cache will remain empty as the Firewall will not receive any DNS queries from the client. This resulting in that policies/objects wont function properly as the Firewall lacks details about the resolved DNS entry.
This problem could be solved by flushing the clients DNS cache or use another client without this FQDN resolved. Another solution would be to have your own DNS server with a low TTL, so that you won’t end up in a situation where the clients have the resolved FQDN but it’s not present in the Firewall.
Related articles
Configuring L2TP/IPsec Server using PSK
11 Jan, 2023 ipsec core vpn
11 Jan, 2023 ipsec core vpn
How to approach FTPS (without opening too many ports)
22 Sep, 2021 core ftps sftp
22 Sep, 2021 core ftps sftp
IP blocked by IP reputation & IP reputation mechanics
23 Aug, 2022 core ipreputation
23 Aug, 2022 core ipreputation
Configuring multiple networks behind the same interface
21 Oct, 2022 core arp routing
21 Oct, 2022 core arp routing
Moving configurations between dissimilar NetWall hardware
1 Feb, 2023 core wizard hardware migration netwall
1 Feb, 2023 core wizard hardware migration netwall
Does cOS Core have support for Microsoft Azure?
25 Nov, 2022 core hyperv azure
25 Nov, 2022 core hyperv azure
Problem with ARP towards Wi-FI Access Points
9 Dec, 2022 arp core
9 Dec, 2022 arp core
When are changes made with the firewall WebUI/CLI synchronized with InControl?
14 Nov, 2022 incontrol cli core webui
14 Nov, 2022 incontrol cli core webui
How do I disable IP Reputation?
14 Dec, 2022 core
14 Dec, 2022 core
cOS Core 14.00 FAQ
10 Jan, 2023 arm x86 core
10 Jan, 2023 arm x86 core
Configuring public certificates in NetWall firewalls
23 Aug, 2022 core certificate oneconnect ipsec vpn
23 Aug, 2022 core certificate oneconnect ipsec vpn
Configure the Android OpenConnect client towards Clavister NetWall
23 Aug, 2022 sslvpn openconnect oneconnect android core
23 Aug, 2022 sslvpn openconnect oneconnect android core
CSPN (Clavister Service Provisioning Network) details for license & database updates
17 Nov, 2022 core license updates idp antivirus wcf ipreputation applicationcontrol
17 Nov, 2022 core license updates idp antivirus wcf ipreputation applicationcontrol
Why the setup Wizard in the WebUI is not always shown
19 Oct, 2022 core wizard setup
19 Oct, 2022 core wizard setup
Why does WireShark say that SNMPv3 traps sent from cOS Core are "snmpV2-trap"?
8 Sep, 2020 snmp core wireshark
8 Sep, 2020 snmp core wireshark
Swapping NetWall Ethernet interfaces using "Set interface Ethernet"
30 Mar, 2022 core ethernet netwall coscore
30 Mar, 2022 core ethernet netwall coscore
How to configure and use Stateless IP Policies
9 Dec, 2022 core stateless connections
9 Dec, 2022 core stateless connections
Certificate problem using SSL VPN together with MacOS version 11.1 and up
2 Feb, 2021 core sslvpn macos certificate
2 Feb, 2021 core sslvpn macos certificate
Unencrypted LDAP authentication problem towards Microsoft AD
31 Jan, 2023 ldap core authentication radius
31 Jan, 2023 ldap core authentication radius
Changing only the destination port, not the network using an IP Policy
26 Jan, 2023 core rules transpose
26 Jan, 2023 core rules transpose
How to use the same network on both sides of an IPsec tunnel
23 Nov, 2022 core ipsec
23 Nov, 2022 core ipsec
Server cluster generates UnsolicitedARPReplies in log (Gratuitous/GARP)
19 Feb, 2021 core arp
19 Feb, 2021 core arp
Using PCAP packet capture in cOS Core
7 Sep, 2022 core cli pcap netwall pcapdump
7 Sep, 2022 core cli pcap netwall pcapdump
Adjusting advanced cluster settings on larger installations
23 Aug, 2022 core ha cluster
23 Aug, 2022 core ha cluster
What happens when a NetWall license expires?
17 Oct, 2022 core license
17 Oct, 2022 core license
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
22 Mar, 2021 core ipsec routing
HA: disallowed_on_sync_iface log events with rule=HA_RestrictSyncIf for Reverse ARP, RARP, and IGMP
23 Aug, 2022 vmware log ha rarp arp core
23 Aug, 2022 vmware log ha rarp arp core
Where can I find the Clavister MIB?
24 Nov, 2022 core snmp
24 Nov, 2022 core snmp
A trusted webpage blocked by IP reputation
22 Jan, 2021 core ipreputation
22 Jan, 2021 core ipreputation
Placing HA cluster nodes in different physical locations
15 Apr, 2021 core brokenlink cluster
15 Apr, 2021 core brokenlink cluster
Using "all-nets" as source/destination network in IPsec tunnels
17 Jun, 2021 core ipsec routing
17 Jun, 2021 core ipsec routing
Gratuitous ARP and the CLI command "ifstat -restart <iface>"
23 Aug, 2022 core arp garp
23 Aug, 2022 core arp garp
Could not open outbound connection?
9 Mar, 2021 core ping connections
9 Mar, 2021 core ping connections
Configure Linux OpenConnect towards Clavister NetWall
5 Mar, 2021 sslvpn openconnect oneconnect linux core
5 Mar, 2021 sslvpn openconnect oneconnect linux core
Configuring SSL-VPN / OneConnect server on secondary Firewall IP address
8 Apr, 2021 core sslvpn oneconnect interfaces arp
8 Apr, 2021 core sslvpn oneconnect interfaces arp
Identical NetWall routes causing network access loss after upgrade or restart
30 Nov, 2022 core routing
30 Nov, 2022 core routing
Using /31 network masks in cOS Core (RFC-3021)
1 Jun, 2022 core routing management
1 Jun, 2022 core routing management
Can blacklist timeouts (TTL,lifetime) for "Scanner Protection" or "Botnet Blocking" be changed or increased?
8 Sep, 2020 core ipreputation blacklist threatprevention
8 Sep, 2020 core ipreputation blacklist threatprevention
LogOpenFails and no_new_conn_for_this_packet log events.
23 Jun, 2021 core connections
23 Jun, 2021 core connections
Device initiated InControl management of NetWall HA clusters with a single public IP
31 Mar, 2022 incontrol core netcon netwall ha cluster coscore
31 Mar, 2022 incontrol core netcon netwall ha cluster coscore
How to configure a Captive Portal in cOS Core
25 May, 2022 howto core authenticator authentication webauth captive
25 May, 2022 howto core authenticator authentication webauth captive
Allowing BGP messaging between cOS Core interfaces
25 Nov, 2022 core routing bgp
25 Nov, 2022 core routing bgp
Installing a SECaaS License on Virtual NetWall Firewalls
13 May, 2022 core license
13 May, 2022 core license
Using Multicast DNS with cOS Core
24 May, 2021 core howto mdns multicast transparentmode airprint igmp dns
24 May, 2021 core howto mdns multicast transparentmode airprint igmp dns
Solving HA nodes both going active/inactive at the same time
21 Apr, 2021 core cluster ha
21 Apr, 2021 core cluster ha
IPsec license usage calculation
14 Apr, 2021 core license ipsec
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
8 Sep, 2020 core ipsec rules access
Example setup script for x86 cOS Core under KVM
26 May, 2021 kvm core arm x86
26 May, 2021 kvm core arm x86
Partial split tunneling when using Windows L2TP/IPsec
27 Jan, 2023 ipsec core windows vpn l2tp
27 Jan, 2023 ipsec core windows vpn l2tp
Is it possible to change the Ethernet Ringsize buffers on Hyper-V?
25 Jan, 2022 core ethernet settings
25 Jan, 2022 core ethernet settings
The TCP Window Scale Log Event
15 Nov, 2022 tcp log core
15 Nov, 2022 tcp log core
Does the license throughput restriction apply on loopback interfaces?
28 Nov, 2022 core loopback license
28 Nov, 2022 core loopback license
Packet drops due to TCP Sequence numbers ("tcp_seqno_too_high" or "tcp_seqno_too_low")
6 Jul, 2021 core stream tcpsequence sequence stateless
6 Jul, 2021 core stream tcpsequence sequence stateless
Examining the WCF cache using "httpalg –wcfcache"
15 Nov, 2022 core cli
15 Nov, 2022 core cli
Problem with threshold rules and whitelist
2 Nov, 2022 core threshold
2 Nov, 2022 core threshold
Clavister SFP/SFP+ module compatibility
11 Apr, 2021 core sfp gbic hardware
11 Apr, 2021 core sfp gbic hardware
How do i set up a OneConnect VPN tunnel in cOS core
23 Aug, 2022 core oneconnect
23 Aug, 2022 core oneconnect
Changing the certificate used by the OneConnect client/server
28 Nov, 2022 core configuration oneconnect
28 Nov, 2022 core configuration oneconnect
Where to find information about which category a webpage belongs to (Web Content Filtering)
17 Oct, 2022 core wcf
17 Oct, 2022 core wcf
Connecting to an IPsec endpoint from behind the Firewall
1 Dec, 2022 ipsec core
1 Dec, 2022 ipsec core
How to adjust RX and TX ring sizes (queue lengths) of Ethernet interfaces
28 Oct, 2020 core howto ethernet packetloss cpu
28 Oct, 2020 core howto ethernet packetloss cpu
Is it possible to avoid interruptions on HA clusters during configuration deployment? (multiple questions)
14 Dec, 2022 ha core idp cli cluster antivirus configuration
14 Dec, 2022 ha core idp cli cluster antivirus configuration
Running cOS Core 14.00 on M1 based Apple Devices with QEMU
24 Nov, 2021 core arm kvm
24 Nov, 2021 core arm kvm
Details about the WebUI memory log (memlog)
20 Jan, 2023 core log webui memlog
20 Jan, 2023 core log webui memlog
Changing the certificate used by cOS Core's SSL VPN client/server
25 Nov, 2022 core configuration sslvpn management
25 Nov, 2022 core configuration sslvpn management
Automatically stop active PCAPdump or Logsnoop in the CLI
7 Dec, 2022 pcapdump log cli core logsnoop
7 Dec, 2022 pcapdump log cli core logsnoop
Using Clavister OneConnect Classic SSL VPN client towards the OneConnect server
29 Jun, 2021 core oneconnect
29 Jun, 2021 core oneconnect
Troubleshooting IPsec tunnels (IKEv1)
7 Dec, 2022 ipsec ike troubleshoot core
7 Dec, 2022 ipsec ike troubleshoot core
Why some log category ID's are missing
23 May, 2022 core log logreceiver
23 May, 2022 core log logreceiver
IPsec: Does cOS Core support Pseudo-Random Functions (PRFs) according to RFC-4868?
14 Dec, 2022 core ipsec
14 Dec, 2022 core ipsec
Forward traffic to a second ISP using Virtual Routing or Policy Based Routing
23 Aug, 2022 howto core pbr routing netwall isp
23 Aug, 2022 howto core pbr routing netwall isp
NetWall virtual firewall creation under KVM on ARM
20 May, 2021 kvm core arm coscore netwall
20 May, 2021 kvm core arm coscore netwall
Application Control with Peer to Peer applications
1 Dec, 2022 applicationcontrol core
1 Dec, 2022 applicationcontrol core
Allowing Traceroute to and through cOS Core
23 Aug, 2022 core behaviour icmp ping traceroute
23 Aug, 2022 core behaviour icmp ping traceroute
How to exclude the default route (all-nets) from being exported to/from OSPF process
15 Dec, 2022 core routing ospf
15 Dec, 2022 core routing ospf
Ways of forwarding DNS queries from internal clients
6 Dec, 2022 core dns
6 Dec, 2022 core dns
Tips & tricks on how to troubleshoot problems related to high CPU load
7 Nov, 2022 core cpu troubleshoot
7 Nov, 2022 core cpu troubleshoot
QoS / Traffic Shaping: DiffServ tagging
3 Feb, 2023 core trafficshaping pipes tcp
3 Feb, 2023 core trafficshaping pipes tcp
"Disabling IPsec tunnel..." warning when deploying a configuration change
23 Aug, 2022 core ipsec license memory
23 Aug, 2022 core ipsec license memory
The meaning of the Default_Access_Rule log entry
7 Nov, 2022 core arp log routing
7 Nov, 2022 core arp log routing
Connecting firewalls to equipment that runs in active-active mode
18 Nov, 2022 core cluster
18 Nov, 2022 core cluster
How to setup a simple cloud-init environment for testing
30 Nov, 2020 howto core cloud-init dhcp
30 Nov, 2020 howto core cloud-init dhcp
Protecting against the Apache Log4j exploit
15 Dec, 2021 core idp ipreputation log4j
15 Dec, 2021 core idp ipreputation log4j
How does Clavisters version numbering system work?
28 Nov, 2022 core stream
28 Nov, 2022 core stream
What is a "zombie" connection?
24 Mar, 2021 core connections
24 Mar, 2021 core connections
Managing NetWall HA clusters over the Internet using one public IP
21 Jun, 2022 core ha hacluster netwall coscore slb
21 Jun, 2022 core ha hacluster netwall coscore slb
Assigning additional IPs to cOS Core Ethernet interfaces
7 May, 2021 core ethernet vlan arp garp
7 May, 2021 core ethernet vlan arp garp
Roaming Windows IKEv2 setup with NetWall as CA server
2 Dec, 2022 netwall ikev2 windows certificate vpn core
2 Dec, 2022 netwall ikev2 windows certificate vpn core
Allowing Path MTU discovery in cOS Core
10 Oct, 2022 core mtu netwall mtudiscovery
10 Oct, 2022 core mtu netwall mtudiscovery
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory
23 Aug, 2022 core connections ipsec memory
Is Statless (FwdFast) faster than a normal IP policy?
27 Jan, 2021 core stateless routing brokenlink
27 Jan, 2021 core stateless routing brokenlink
Configure the OpenConnect-GUI client towards Clavister NetWall
23 Aug, 2022 sslvpn openconnect oneconnect macos windows linux core
23 Aug, 2022 sslvpn openconnect oneconnect macos windows linux core
How to disable the read-only flag for InControl inherited objects
8 Jul, 2021 incontrol domains core
8 Jul, 2021 incontrol domains core
Radius vs LDAP for authentication
21 Nov, 2022 radius ldap authentication core
21 Nov, 2022 radius ldap authentication core
Configuring Split tunneling in L2TP/IPsec using an MS DHCP server
2 Dec, 2022 dhcp ipsec core
2 Dec, 2022 dhcp ipsec core