How Does Wildcard FQDN work?

For wildcard FQDN addresses to work, the FortiGate must allow DNS traffic to pass through it. Clients behind the FortiGate should use the same DNS server(s) as the FortiGate so that the FortiGate and the clients resolve names to the same addresses. Initially, the wildcard FQDN object is empty and contains no addresses. When a client resolves an FQDN, the FortiGate analyzes the DNS response: the IP address(es) contained in the answer section are added to the corresponding wildcard FQDN object, together with the TTL value from the response.

How Does FQDN work?

An ordinary (non-wildcard) FQDN address works differently. After the FQDN address is created, the FortiGate populates it by itself: it queries the system DNS for the FQDN (for example gmail.com) and stores the IP addresses returned in the response under that address object. You can also check from a Windows command prompt which IP addresses and TTL the DNS reply contains, provided the Windows machine uses the same DNS server as the FortiGate's system DNS:

>nslookup -debug www.gmail.com

Wild-Card FQDN Topology

Client with FCT to FGT-SSLVPN SSL ----- FGT ----- Public Network ----- FGT-SSLVPN ---- Network
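The two population mechanisms described above, as an added example that is not FortiGate code: a WildcardFqdn object starts empty and learns addresses only from DNS replies passing through it whose question name matches the pattern, with each learned address expiring when the reply's TTL elapses; an ordinary Fqdn object instead queries the resolver itself. The DNS messages are constructed in the script (RFC 5737 documentation addresses), the resolver is a stand-in callable, and fnmatch-style matching of the wildcard is an assumption rather than FortiOS's exact matching rule.

```python
"""Simulation of wildcard FQDN vs. ordinary FQDN address population.
Added example, not FortiGate code; DNS packets and IPs are constructed."""
import fnmatch
import struct
import time


def _read_name(msg: bytes, off: int):
    """Decode a DNS name at `off`, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name at its original position)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(msg: bytes):
    """Return (question_name, [(ip, ttl), ...]) for the IN A records found in
    the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, qname = 12, None
    for _ in range(qdcount):
        qname, off = _read_name(msg, off)
        off += 4                              # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:      # IN A record
            answers.append((".".join(str(b) for b in rdata), ttl))
    return qname, answers


class WildcardFqdn:
    """Starts empty; learns IPs from snooped replies whose question name
    matches the wildcard pattern (fnmatch semantics assumed here)."""

    def __init__(self, pattern: str):
        self.pattern = pattern.lower()
        self._expiry = {}                     # ip -> absolute expiry time

    def learn(self, msg: bytes, now: float) -> int:
        qname, answers = parse_a_answers(msg)
        if qname is None or not fnmatch.fnmatchcase(qname.lower(), self.pattern):
            return 0                          # reply is for some other domain
        for ip, ttl in answers:
            self._expiry[ip] = now + ttl      # a fresh answer refreshes the TTL
        return len(answers)

    def addresses(self, now: float):
        """Live member IPs; entries whose TTL has elapsed are dropped."""
        self._expiry = {ip: t for ip, t in self._expiry.items() if t > now}
        return sorted(self._expiry)


class Fqdn:
    """Ordinary FQDN object: the firewall queries its system DNS itself and
    stores the answer, instead of waiting for a client's reply to pass by."""

    def __init__(self, name: str, resolver):
        self.name, self._resolver = name, resolver   # resolver(name) -> raw DNS reply
        self._expiry = {}

    def refresh(self, now: float):
        _q, answers = parse_a_answers(self._resolver(self.name))
        self._expiry = {ip: now + ttl for ip, ttl in answers}
        return sorted(self._expiry)


def build_response(qname: str, ips, ttl: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response (sample input for this demo)."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    header = struct.pack("!6H", txid, 0x8180, 1, len(ips), 0, 0)
    rrs = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + rrs


if __name__ == "__main__":
    obj = WildcardFqdn("*.google.com")
    t0 = time.time()
    reply = build_response("mail.google.com", ["192.0.2.10", "192.0.2.11"], 300)
    print("learned", obj.learn(reply, t0), "->", obj.addresses(t0))
    print("after TTL expiry:", obj.addresses(t0 + 301))
    plain = Fqdn("gmail.com", lambda n: build_response(n, ["192.0.2.20"], 120))
    print("ordinary FQDN after self-query:", plain.refresh(t0))
```

The expiry check is what makes the "same DNS server" requirement visible: the wildcard object only ever contains what it saw in replies, for as long as those replies said it was valid, so a client resolving through a DNS server the FortiGate never sees would match nothing.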

What are the Scenarios?

Scenario 1: The client connects to the FGT-SSLVPN using FortiClient (FCT) and tries to resolve domains within the wildcard *.google.com. We then check whether the FGT-SSLVPN's wildcard FQDN address *.google.com is being populated with the addresses from the client's DNS resolution, and also check the TTL value. The check is performed both with split tunnelling enabled and with it disabled.

Scenario 2: Test how the FortiGate performs the DNS query for a newly created FQDN address in order to populate its IP addresses.

Scenario 1

The FGT-SSLVPN has the FQDN wildcard address *.google.com, as shown below.

How Does Wild Card FQDN Work in FGT

6/30/2021, 1 min read