Wildcard FQDN firewall address should not be used in a firewall policy
Products
FortiGate
FortiGate v4.0 MR3
FortiGate v5.0
FortiGate v5.2
Description
Although FortiOS will allow you to include a wildcard (*) when defining a firewall address of type FQDN, it is not recommended that such firewall addresses be used in a firewall policy.

Explanation:

To understand why wildcards should not be used for this purpose, consider how FQDN objects work in a Fortigate.

Fortigate creates an IP address table for all configured FQDNs.
 
config firewall address
....
    edit "cnn.com"
        set type fqdn
        set fqdn "cnn.com"
    next
    edit "www.cnn.com"
        set type fqdn
        set fqdn "www.cnn.com"
    next
    edit "*.cnn.com"
        set type fqdn
        set fqdn "*.cnn.com"
    next
end

You can check this address table using the "diagnose firewall fqdn list" CLI command.
 
(root) # diagnose firewall fqdn list
List all FQDN:
*.cnn.com: ID(4) REF(1)
www.cnn.com: ID(63) REF(1) ADDR(157.166.248.11) ADDR(157.166.249.10) ADDR(157.166.249.11) ADDR(157.166.248.10) ADDR(157.166.239.177) ADDR(157.166.238.48) ADDR(157.166.238.17)
cnn.com: ID(172) REF(1) ADDR(157.166.226.26) ADDR(157.166.226.25)

This table is populated by performing a DNS query for each FQDN address. Consider how DNS resolution works for the FQDN objects in this example.

C:\Users\fortinet>nslookup www.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn-56m.gslb.vgtf.net
Addresses:  157.166.248.10
          157.166.248.11
          157.166.249.10
          157.166.249.11
Aliases:  www.cnn.com
          www.cnn.com.vgtf.net

If we query cnn.com instead of www.cnn.com, we receive a different result:

C:\Users\fortinet>nslookup cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    cnn.com
Addresses:  157.166.226.25
          157.166.226.26

And if we query *.cnn.com, we receive no results at all, because DNS has no notion of a wildcard in a query name and treats the "*" as a literal label:

C:\Users\fortinet>nslookup *.cnn.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find *.cnn.com: Non-existent domain

If the DNS server is unable to provide results, no IP is added to the address table, and consequently the configured wildcard FQDN has no effect: a firewall policy that references it matches no traffic.
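The following Python script is an added illustration of the mechanism described above; it is not FortiOS code and does not come from this article. It models the FQDN address table with a constructed, offline stub of the DNS data shown in the nslookup output (the zone contents, CNAME hop and the four www.cnn.com addresses are taken from that output; the resolver, table builder and audit helper are assumptions for the sake of the example). The point it makes concrete is that a lookup of a literal "*.cnn.com" fails, the table entry for that object stays empty, and a policy match against it can never succeed. The final helper lists such objects, which is the check an administrator would want when reviewing FQDN addresses used in policies.

```python
import ipaddress
from typing import Callable, Dict, List, Set

# Constructed stub of the DNS data from the nslookup output above.
# A real FortiGate queries its configured DNS server; this keeps the example offline.
ZONE: Dict[str, dict] = {
    "www.cnn.com": {"cname": "cnn-56m.gslb.vgtf.net"},
    "cnn-56m.gslb.vgtf.net": {
        "a": ["157.166.248.10", "157.166.248.11",
              "157.166.249.10", "157.166.249.11"]
    },
    "cnn.com": {"a": ["157.166.226.25", "157.166.226.26"]},
}


class NXDomain(Exception):
    """Raised when the name does not exist (nslookup's 'Non-existent domain')."""


def resolve(name: str, zone: Dict[str, dict] = ZONE, depth: int = 0) -> List[str]:
    """Look the name up literally, following a short CNAME chain.

    '*' is an ordinary character here, exactly as in a real DNS question:
    there is no wildcard query type, so '*.cnn.com' is simply NXDOMAIN.
    """
    if depth > 4:
        raise NXDomain(f"CNAME chain too long for {name}")
    record = zone.get(name.lower().rstrip("."))
    if record is None:
        raise NXDomain(f"can't find {name}: Non-existent domain")
    if "cname" in record:
        return resolve(record["cname"], zone, depth + 1)
    return list(record["a"])


def build_fqdn_table(fqdn_objects: List[str],
                     resolver: Callable[[str], List[str]] = resolve
                     ) -> Dict[str, Set[ipaddress.IPv4Address]]:
    """Mimic the table printed by 'diagnose firewall fqdn list'.

    Every configured FQDN address gets an entry; a failed lookup leaves the
    entry present but empty, which is what the '*.cnn.com: ID(4) REF(1)'
    line with no ADDR() fields shows.
    """
    table: Dict[str, Set[ipaddress.IPv4Address]] = {}
    for fqdn in fqdn_objects:
        try:
            addrs = resolver(fqdn)
        except NXDomain:
            addrs = []
        table[fqdn] = {ipaddress.ip_address(a) for a in addrs}
    return table


def policy_matches(table: Dict[str, Set[ipaddress.IPv4Address]],
                   fqdn_object: str, packet_dst: str) -> bool:
    """A policy referencing an FQDN address matches only on the resolved IPs."""
    return ipaddress.ip_address(packet_dst) in table.get(fqdn_object, set())


def unresolved_fqdn_objects(table: Dict[str, Set[ipaddress.IPv4Address]]) -> List[str]:
    """Audit helper: FQDN objects with no addresses can never match traffic."""
    return sorted(name for name, addrs in table.items() if not addrs)


def format_table(table: Dict[str, Set[ipaddress.IPv4Address]]) -> str:
    """Render the table in the style of the diagnose output."""
    lines = []
    for name, addrs in table.items():
        addr_str = " ".join(f"ADDR({a})" for a in sorted(addrs))
        lines.append(f"{name}: {addr_str}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    objects = ["cnn.com", "www.cnn.com", "*.cnn.com"]
    t = build_fqdn_table(objects)
    print(format_table(t))
    print("policy on '*.cnn.com' matches 157.166.248.10?",
          policy_matches(t, "*.cnn.com", "157.166.248.10"))
    print("objects that will never match:", unresolved_fqdn_objects(t))
```

Running it prints the three table entries with "*.cnn.com" carrying no addresses, reports False for the wildcard policy check, and lists "*.cnn.com" as the object that will never match.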

Alternate Solution:
A better place to use wildcards is when configuring a URL list (referenced in a webfilter profile).

The reason that wildcards work in a webfilter is that the Fortigate can see the host name in the Host: header of the HTTP request, so no DNS resolution is needed.
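As an added example (not part of this article and not FortiOS code), the Python below shows why a wildcard is usable at this layer: the host name is read straight out of the request's Host: header and compared against a URL list as a string, so no DNS lookup of a "*" name ever happens. The HTTP request and the URL-list entries are constructed for the example, and the matching is simplified shell-style globbing via fnmatch; it is not a statement of the exact pattern grammar FortiOS uses in its URL filter.

```python
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed HTTP request, as the device sees it on the wire.
SAMPLE_REQUEST = (
    b"GET /2014/world/index.html HTTP/1.1\r\n"
    b"Host: www.cnn.com\r\n"
    b"User-Agent: example\r\n"
    b"\r\n"
)

# Constructed URL-list entries (assumption: simplified fnmatch-style globbing,
# not FortiOS's own URL filter grammar).
URL_LIST = ["*.cnn.com", "cnn.com"]


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the lower-cased host name from an HTTP/1.x Host: header.

    Returns None when the request carries no Host header. An optional port
    suffix is dropped so 'www.cnn.com:8080' matches like 'www.cnn.com';
    bracketed IPv6 literals are kept intact.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):
                end = host.find("]")
                host = host[:end + 1] if end != -1 else host
            elif ":" in host:
                host = host.split(":", 1)[0]
            return host or None
    return None


def url_list_match(host: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern the host name satisfies, or None.

    '*.cnn.com' matches 'www.cnn.com' and 'money.cnn.com' but not the bare
    'cnn.com', which is why both entries appear in URL_LIST.
    """
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if fnmatchcase(host, pattern.lower()):
            return pattern
    return None


def classify_request(raw_request: bytes,
                     patterns: List[str] = URL_LIST) -> Optional[str]:
    """Parse the Host header and test it against the URL list; None = no hit."""
    host = parse_host_header(raw_request)
    if host is None:
        return None
    return url_list_match(host, patterns)


if __name__ == "__main__":
    print("host:", parse_host_header(SAMPLE_REQUEST))
    print("matched entry:", classify_request(SAMPLE_REQUEST))
```

Note that the same string comparison cannot be applied to a firewall policy on plain IP traffic, which carries no host name; that is the gap the article's main recommendation is about.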

Last Modified Date: 12-19-2014 Document ID: FD35297