topic Re: "Not a valid FQDN or IP address" when changing FQDN of SAML portal in Firewall and Security Management

"Not a valid FQDN or IP address" when changing FQDN of SAML portal

AK2 — Tue, 14 Feb 2023 20:01:34 GMT

Hi,

In gateway settings -> Remote Access clients -> SAML Portal, when I change the SAML portal URL from https://workingdomain.co.nz/saml-vpn to https://not-workingdomain.com/saml-vpn I get the error "not a valid FQDN or IP address" even though workingdomain.co.nz and not-workingdomain.com both point to the same IP address.

1. what is doing the domain lookup for this, is it the gateway?

2. other than forward lookup fqdn -> ip address, what other "validity" checks are being performed before returning the error?

Cheers,

Andrew

Re: "Not a valid FQDN or IP address" when changing FQDN of SAML portal

the_rock — Tue, 14 Feb 2023 20:09:43 GMT

I believe for 1) it is gateway and 2) I dont know for sure what other checks are done, but here is what I do know. If I look up my portal on that gateway tab, it shows the following -> https://172.16.10.205/saml-vpn

That would be by default, as my main gateway IP is set as 172.16.10.205 and the rest is always there.

Can you show how yours is set? I would think as long as fqdn resolves to the same IP, there would be no reason for that error.

Re: "Not a valid FQDN or IP address" when changing FQDN of SAML portal

PhoneBoy — Tue, 14 Feb 2023 22:06:13 GMT

For SAML to work properly, the DNS names for the SAML portal must be resolvable by your clients.
This generally means the DNS name needs to be globally resolvable.
In this case, I believe the management is doing the name resolution check.

Re: "Not a valid FQDN or IP address" when changing FQDN of SAML portal

AK2 — Wed, 15 Feb 2023 02:28:02 GMT

Hi,

Thanks. In my case the gateway's external interface is private RFC 1918, NAT-ed behind a public IP (by a separate firewall)

Both workingdomain.co.nz and not-workingdomain.com (which are "made up" public domains) both resolve (using Google DNS 8.8.8.8) to the same public IP address which is then static-NAT-ed to the external address of the gateway.

Both the gateway and the manager are configured to use Google DNS and can successfully resolve both workingdomain.co.nz and not-workingdomain.com to the correct IP (same, public) IP address.

I am wondering what else it checks.

Cheers,

Andrew

Re: "Not a valid FQDN or IP address" when changing FQDN of SAML portal

the_rock — Wed, 15 Feb 2023 02:59:55 GMT

As phoneboy said, SAML fqdns must be resolvable for this to work by the client, otherwise it will not work. My colleague and I did this with 3rd party identity provider in our lab and worked like a charm. Key is really name being resolvable.

Re: "Not a valid FQDN or IP address" when changing FQDN of SAML portal

PhoneBoy — Wed, 15 Feb 2023 17:11:11 GMT

Can you provide a screenshot of the error message in question?
In any case, I recommend opening a TAC case on this if you haven’t already.

Re: "Not a valid FQDN or IP address" when changing FQDN of SAML portal

AK2 — Sun, 19 Feb 2023 07:38:57 GMT

Hi, Thanks for the help. Unfortunately the actual domains are a bit sensitive so can't post a screenshot. Sorry for delayed reply. I did raise a TAC case and it turns out that there needs to be two "."s in the FQDN.

Won't work (will trigger the error not a valid FQDN):

not-workingdomain.com (only one .)

anything.com (only one .)

Will work:

workingdomain.co.nz (two .) <- this one is misleading, for this case, but it works!

vpn.not-workingdomain.com (two .)

The hint is on page 41 of the Identity Awareness admin guide where it says it has to be "ID.mycompany.com".

Cheers,

Andrew

Re: "Not a valid FQDN or IP address" when changing FQDN of SAML portal

PhoneBoy — Mon, 20 Feb 2023 20:08:51 GMT

I wonder if .example.com might work?