https://live.paloaltonetworks.com/t5/general-topics/firewalls-is-not-resolving-domain-names-in-address-groups/m-p/524460#M108510 <P>Have you also tried/checked if the DNS server (also configured on firewall) is able to resolve the external domains?</P> <P>&nbsp;</P> <P>Regards,</P> Mon, 19 Dec 2022 10:33:12 GMT Arnesh 2022-12-19T10:33:12Z https://live.paloaltonetworks.com/t5/general-topics/firewalls-is-not-resolving-domain-names-in-address-groups/m-p/524455#M108507 <P><SPAN>For some odd reason the firewall is not resolving external fqdn's that are part of an Address groups..</SPAN></P> Mon, 19 Dec 2022 09:11:23 GMT https://live.paloaltonetworks.com/t5/general-topics/firewalls-is-not-resolving-domain-names-in-address-groups/m-p/524455#M108507 LimaSupport 2022-12-19T09:11:23Z https://live.paloaltonetworks.com/t5/general-topics/firewalls-is-not-resolving-domain-names-in-address-groups/m-p/524459#M108509 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/154359">@LimaSupport</a>&nbsp;</P> <P>&nbsp;</P> <P>Can you describe how do you confirm the firewall is unable to resolve the domains? Have you checked it from the GUI or CLI of firewall?&nbsp;</P> <P>Mostly, the reason for the firewall not able to resolve the FQDNs is due to the firewall unable to reach the DNS server.</P> <P>By default, mgmt interface is used to connect to the DNS server (but can be changed from <I>Device &gt; Setup &gt; Services &gt; Service Route Configuration</I>)</P> <P>You can check if the DNS server is reachable. T<SPAN>he CLI command below can then be used to view the list of FQDN objects and the IP addresses associated with that name.</SPAN></P> <UL> <LI>PAN-OS 8.1 and below:<STRONG>&nbsp;&gt; request system fqdn show</STRONG></LI> <LI>PAN-OS 9.1 and above:<STRONG>&nbsp;&gt; show dns-proxy fqdn all</STRONG></LI> </UL> <P>Alternatively, you can also check the FQDN resolution on the GUI by navigating to Address Objects &gt; Select the FQDN Address Object in question &gt; Click on 'resolve'.</P> <P>Please go through the below KBs, which can be of help:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHJCA0" target="_self">How to Configure and Test FQDN Objects</A><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POKrCAO" target="_self">DNSPROXY and FQDN address refresh behaviours - PANOS 9.0 and Above</A></P> <P>&nbsp;</P> <P>Regards,</P> Mon, 19 Dec 2022 10:31:33 GMT https://live.paloaltonetworks.com/t5/general-topics/firewalls-is-not-resolving-domain-names-in-address-groups/m-p/524459#M108509 Arnesh 2022-12-19T10:31:33Z https://live.paloaltonetworks.com/t5/general-topics/firewalls-is-not-resolving-domain-names-in-address-groups/m-p/524460#M108510 <P>Have you also tried/checked if the DNS server (also configured on firewall) is able to resolve the external domains?</P> <P>&nbsp;</P> <P>Regards,</P> Mon, 19 Dec 2022 10:33:12 GMT https://live.paloaltonetworks.com/t5/general-topics/firewalls-is-not-resolving-domain-names-in-address-groups/m-p/524460#M108510 Arnesh 2022-12-19T10:33:12Z