Wildcard FQDN firewall address should not be used in a firewall policy
FortiGate v4.0 MR3
Although FortiOS will allow you to include a wildcard (*) when defining a firewall address of type FQDN, it is not recommended that such firewall addresses be used in a firewall policy.
To understand why wildcards should not be used for this purpose, consider how FQDN address objects work on a FortiGate.
The FortiGate builds an IP address table for all configured FQDN addresses.
config firewall address
    ....
    edit "cnn.com"
        set type fqdn
        set fqdn "cnn.com"
    next
    edit "www.cnn.com"
        set type fqdn
        set fqdn "www.cnn.com"
    next
    edit "*.cnn.com"
        set type fqdn
        set fqdn "*.cnn.com"
    next
end
You can check this address table using the "diagnose firewall fqdn list" CLI command.
(root) # diagnose firewall fqdn list
List all FQDN:
*.cnn.com: ID(4) REF(1)
www.cnn.com: ID(63) REF(1)
ADDR(22.214.171.124)
ADDR(126.96.36.199)
ADDR(188.8.131.52)
ADDR(184.108.40.206)
ADDR(220.127.116.11)
ADDR(18.104.22.168)
ADDR(22.214.171.124)
cnn.com: ID(172) REF(1)
ADDR(126.96.36.199)
ADDR(188.8.131.52)
This table is populated by performing a DNS query for each FQDN address. Consider how DNS resolution works for the FQDN objects in this example.
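The listing above already shows the practical consequence: the wildcard object "*.cnn.com" is referenced by a policy (REF(1)) but carries no ADDR entries, so a policy built on it has no IP addresses to match. The script below is an added example, not part of this article or of FortiOS. It parses output in the format of "diagnose firewall fqdn list" (the sample text is constructed from the listing above), rebuilds the address table, flags referenced objects that resolved to nothing, and checks whether a given destination IP would match an object. The parsing regexes and the function names are this example's own assumptions about the output format, not a FortiOS API.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of "diagnose firewall fqdn list" output,
# using the same names and addresses as the listing in the article.
SAMPLE_OUTPUT = """\
List all FQDN:
*.cnn.com: ID(4) REF(1)
www.cnn.com: ID(63) REF(1)
ADDR(22.214.171.124)
ADDR(126.96.36.199)
ADDR(188.8.131.52)
ADDR(184.108.40.206)
ADDR(220.127.116.11)
ADDR(18.104.22.168)
ADDR(22.214.171.124)
cnn.com: ID(172) REF(1)
ADDR(126.96.36.199)
ADDR(188.8.131.52)
"""

# Assumed line formats: "<name>: ID(<n>) REF(<n>)" starts an object,
# "ADDR(<ip>)" lines that follow belong to it.
HEADER_RE = re.compile(r"^(?P<name>\S+): ID\((?P<id>\d+)\) REF\((?P<ref>\d+)\)$")
ADDR_RE = re.compile(r"^ADDR\((?P<ip>[0-9.]+)\)$")


@dataclass
class FqdnEntry:
    """One FQDN address object and the IPs the unit has resolved for it."""
    name: str
    obj_id: int
    refs: int                      # how many policies/groups reference it
    addrs: list[str] = field(default_factory=list)

    @property
    def is_wildcard(self) -> bool:
        return "*" in self.name


def parse_fqdn_list(text: str) -> dict[str, FqdnEntry]:
    """Rebuild the FQDN -> resolved-address table from the CLI listing."""
    entries: dict[str, FqdnEntry] = {}
    current: FqdnEntry | None = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = FqdnEntry(header["name"], int(header["id"]), int(header["ref"]))
            entries[current.name] = current
            continue
        addr = ADDR_RE.match(line)
        if addr and current is not None:
            current.addrs.append(addr["ip"])
    return entries


def unresolvable_referenced_entries(entries: dict[str, FqdnEntry]) -> list[str]:
    """Objects that are in use (REF > 0) but have no resolved IPs.

    A policy using such an object has nothing to match, which is exactly
    the situation the wildcard object "*.cnn.com" is in above.
    """
    return sorted(name for name, e in entries.items() if e.refs > 0 and not e.addrs)


def policy_matches(entries: dict[str, FqdnEntry], obj_name: str, dst_ip: str) -> bool:
    """Would a policy whose destination is obj_name match traffic to dst_ip?

    Matching is done purely on the resolved address table, as the article
    describes: the wildcard pattern itself is never consulted.
    """
    return dst_ip in entries[obj_name].addrs


if __name__ == "__main__":
    table = parse_fqdn_list(SAMPLE_OUTPUT)
    for entry in table.values():
        kind = "wildcard" if entry.is_wildcard else "fqdn"
        print(f"{entry.name:<14} {kind:<9} refs={entry.refs} addrs={len(entry.addrs)}")
    print("referenced but unresolved:", unresolvable_referenced_entries(table))
```

Run this against the real listing of a unit to surface FQDN objects that a policy relies on but that currently have no addresses; a wildcard object shows up there because, unlike "www.cnn.com" and "cnn.com", it never receives a resolved address list.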