Aaron_Wrasman
Participant

Confusion on what is supported in R80.20+ for FQDN.

So we recently moved a few of our firewalls to R80.20+ (i.e. we are still upgrading to R80.30 from R80.20)

We are trying to start using the FQDN feature of domain objects for normal firewall traffic.

I'm trying to allow access to sftp and not a website.

If my destination is something like www.vanityname.net and I can create a Domain object like:

.vanityname.net and make sure the FQDN feature is checked.

Put that as the destination in a normal firewall rule and it works.

If I have a site like sftp.vanityname.net and I create:

.sftp.vanityname.net 

and make sure the FQDN feature is checked.

Put that as the destination in a normal firewall rule and it works sometimes.

Are only second-level domains supported with the FQDN feature? (i.e. name.com but not sub.name.com)

And to be very clear I'm not talking wildcard domain names.

10 Replies
_Val_
Admin

@Aaron_Wrasman , .sftp.vanityname.net should work. If it does not, please try troubleshooting and/or opening a support call

Aaron_Wrasman
Participant

What would you suggest for troubleshooting?

G_W_Albrecht
Legend

Open a SR# with TAC...

CCSE CCTE SMB Specialist
Aaron_Wrasman
Participant

Did that. It isn't supported.
Matthias_Haas
Advisor

You could test with

domains_tool -d sftp.vanityname.net

on the CLI of the GW to see which IPs that object has (if any).

Test it without the preceding period, and you may have to run this command a couple of times to get a result.

CPRQ
Collaborator

domains_tool did not give any IP, but the dig command gives the IP:
[Expert@fwgb:2]# domains_tool -d 53.com
Domain is not attached to any IP address
[Expert@fwg-b:2]# dig @10.110.10.1 53.com
;; ANSWER SECTION:
53.com. 20 IN A 104.100.23.146

CPRQ
Collaborator

If I did it correctly, I did not get an IP with the domains_tool command, but got the IP with the dig command.
Aaron_Wrasman
Participant

domains_tool is looking at the FQDN objects you have deployed in your policies on that particular gateway.

Do you have a domain object setup as .53.com and have the FQDN option turned on?

And then have that object in an enabled rule in your policies on that gateway?
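
The troubleshooting flow described in this thread (compare what domains_tool reports for an FQDN object on the gateway with what dig returns from the resolver the gateway uses) can be scripted once the two outputs are captured. The following Python is an added example written for this page; it is not code from the thread or from Check Point. The dig ANSWER SECTION format and the "Domain is not attached to any IP address" message come from the thread; the shape of domains_tool output when IPs are attached is an assumption (the script only extracts IPv4 addresses from it, so it does not depend on exact wording), and the sample outputs and 203.0.113.x addresses are constructed.

```python
import re
from typing import Dict, List

# Constructed sample outputs (not captured from a real gateway).
# Message domains_tool prints when the FQDN object is not part of an
# installed policy on this gateway (quoted in the thread):
DOMAINS_TOOL_NOT_ATTACHED = "Domain is not attached to any IP address\n"
# ASSUMED shape of domains_tool output once IPs are learned; only the
# addresses are parsed, so the surrounding text does not matter.
DOMAINS_TOOL_ATTACHED = (
    "Domain sftp.vanityname.net is attached to:\n"
    "203.0.113.10\n"
    "203.0.113.11\n"
)
# Constructed dig output, same layout as the thread's "53.com. 20 IN A ..." line.
DIG_OUTPUT = """;; ANSWER SECTION:
sftp.vanityname.net.\t20\tIN\tA\t203.0.113.10
sftp.vanityname.net.\t20\tIN\tA\t203.0.113.12

;; Query time: 1 msec
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_domains_tool(output: str) -> List[str]:
    """Return the IPv4 addresses the gateway currently holds for the object.

    An empty list means the object is not attached on this gateway (it is
    not in an enabled rule of the installed policy) or has no IPs yet.
    """
    if "not attached to any IP address" in output:
        return []
    return sorted(set(IPV4.findall(output)))


def parse_dig_a_records(output: str, name: str) -> List[str]:
    """Return A-record addresses for `name` from dig's ANSWER SECTION."""
    ips = set()
    in_answer = False
    wanted = name.rstrip(".")
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):
            break  # reached the next dig section
        if not in_answer or not line.strip():
            continue
        fields = line.split()
        # owner ttl class type rdata
        if (len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A"
                and fields[0].rstrip(".") == wanted):
            ips.add(fields[4])
    return sorted(ips)


def compare(gateway_ips: List[str], dns_ips: List[str]) -> Dict[str, object]:
    """Classify the gateway's view of an FQDN object against DNS.

    object_not_attached: DNS resolves but the gateway holds nothing, the
        symptom in the thread (check the object is in an enabled rule).
    stale: both sides have IPs but they differ, e.g. DNS rotated answers
        the gateway has not re-learned yet (re-run domains_tool later).
    in_sync: identical sets.
    unresolvable: DNS returned nothing, so the gateway cannot learn anything.
    """
    gw, dns = set(gateway_ips), set(dns_ips)
    if not dns:
        status = "unresolvable"
    elif not gw:
        status = "object_not_attached"
    elif gw == dns:
        status = "in_sync"
    else:
        status = "stale"
    return {
        "status": status,
        "missing_on_gateway": sorted(dns - gw),
        "extra_on_gateway": sorted(gw - dns),
    }


if __name__ == "__main__":
    dns = parse_dig_a_records(DIG_OUTPUT, "sftp.vanityname.net")
    print(compare(parse_domains_tool(DOMAINS_TOOL_NOT_ATTACHED), dns))
    print(compare(parse_domains_tool(DOMAINS_TOOL_ATTACHED), dns))
```

In practice the two strings would be filled from `domains_tool -d <name>` and `dig @<resolver> <name>` run on the gateway; a `stale` result with addresses missing on the gateway is the kind of intermittent failure the original post describes for the sftp host, and `object_not_attached` is the case CPRQ hit before confirming the object was actually used in the installed policy.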

CPRQ
Collaborator

Thank you, yes it worked when I picked an object used in the policy.
_Val_
Admin

@Aaron_Wrasman, name resolution for this specific object on your FW, for starters.