
Confusion on what is supported in R80.20+ for FQDN.

So we recently moved a few of our firewalls to R80.20+ (i.e. we are still upgrading to R80.30 from R80.20)

We are trying to start using the FQDN feature of domain objects for normal firewall traffic.

I'm trying to allow access to sftp and not a website.

If my destination is something like www.vanityname.net and I can create a Domain object like:

.vanityname.net and make sure the FQDN feature is checked.

Put that as the destination in a normal firewall rule and it works.

If I have a site like sftp.vanityname.net and I create:

.sftp.vanityname.net

and make sure the FQDN feature is checked.

Put that as the destination in a normal firewall rule and it works sometimes.

Are only second-level domains supported with the FQDN feature? (i.e. name.com but not sub.name.com)

And to be very clear I'm not talking wildcard domain names.

 

0 Kudos
10 Replies
Admin

@Aaron_Wrasman, .sftp.vanityname.net should work. If it does not, please try troubleshooting and/or opening a support call.


What would you suggest for troubleshooting?

 

0 Kudos
Sapphire

Open a SR# with TAC...

0 Kudos

Did that. It isn't supported.
0 Kudos

You could test with

domains_tool -d sftp.vanityname.net

on the CLI of the GW to see which IPs that object has (if any).

Test it without the preceding period, and you may have to run this command a couple of times to get a result.

 

0 Kudos
Iron

domains_tool did not give any IP, but the dig command gives the IP:
[Expert@fwgb:2]# domains_tool -d 53.com
Domain is not attached to any IP address
[Expert@fwg-b:2]# dig @10.110.10.1 53.com
;; ANSWER SECTION:
53.com. 20 IN A 104.100.23.146

0 Kudos
Iron

If I did it correctly, I did not get an IP with the domains_tool command, but got the IP with the dig command.
0 Kudos
domains_tool looks at the FQDN objects you have deployed in your policies on that particular gateway.

Do you have a domain object setup as .53.com and have the FQDN option turned on?

And then have that object in an enabled rule in your policies on that gateway?
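The two checks above (dig for what DNS returns, domains_tool for what the gateway has actually attached to the object) can be compared mechanically. The script below is an added example, not code from the thread or from Check Point: it parses the ANSWER SECTION of dig output and the "not attached" message that domains_tool printed in this thread, and reports which of the three situations discussed here applies. The sample output strings are constructed to match the formats shown above (the second A record is invented), and the assumption that a populated domains_tool listing contains plain IPv4 addresses is mine, since the thread only shows the empty case.

```python
import re

# Constructed sample output, in the format dig printed in the thread (second record invented).
DIG_OUTPUT = """\
;; ANSWER SECTION:
53.com. 20 IN A 104.100.23.146
53.com. 20 IN A 104.100.23.147
"""

# Constructed sample: the message domains_tool printed in the thread for an unattached domain.
DOMAINS_TOOL_OUTPUT_MISSING = "Domain is not attached to any IP address\n"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_dig_a_records(text):
    """Return the A-record IPs from the ANSWER SECTION of dig output."""
    ips = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header ends the answer block
            in_answer = False
            continue
        if not in_answer or not line.strip():
            continue
        fields = line.split()               # name TTL class type rdata
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            ips.append(fields[4])
    return ips


def parse_domains_tool(text):
    """Return the IPs the gateway has attached to the domain object.

    The empty case is the exact message from the thread; for the populated case we
    assume (assumption, not shown in the thread) that the listing contains IPv4 literals.
    """
    if "not attached to any IP address" in text:
        return []
    return IPV4_RE.findall(text)


def diagnose(dig_text, domains_tool_text):
    """Classify the gateway's view of an FQDN object against what DNS answers.

    dns-failure          : the gateway's resolver returned no A records at all
    object-not-in-policy : DNS resolves, but the gateway has nothing attached, which in
                           this thread meant the object was not used in an installed rule
    stale-resolution     : the gateway holds a different IP set than DNS currently returns
    ok                   : both sides agree
    """
    dns_ips = set(parse_dig_a_records(dig_text))
    gw_ips = set(parse_domains_tool(domains_tool_text))
    if not dns_ips:
        return "dns-failure"
    if not gw_ips:
        return "object-not-in-policy"
    if gw_ips != dns_ips:
        return "stale-resolution"
    return "ok"


if __name__ == "__main__":
    print(diagnose(DIG_OUTPUT, DOMAINS_TOOL_OUTPUT_MISSING))
```

On a real gateway the two text inputs would come from running `dig` and `domains_tool -d <name>` (without the leading period, as noted earlier in the thread) and pasting their output; the script itself never contacts the gateway.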

Iron

Thank you, yes it worked when I picked an object used in policy.
0 Kudos
Admin

@Aaron_Wrasman name resolution for this specific object on your FW for starters

0 Kudos