topic Traffic Log query for FQDN object errors with "ip range [fqdn] expansion exceeds maximum number of items allowed" in General Topics

Traffic Log query for FQDN object errors with "ip range [fqdn] expansion exceeds maximum number of items allowed"

Matthew-Hale — Wed, 20 Nov 2024 16:44:29 GMT

I created a new FQDN object and added it to a security policy.

After committing changes, I tried to validate the rule was working, but I get this error in the traffic log when searching for (addr in 'my-FQDN-object'):

The security policy rule is not working either. It should allow access to this FQDN address, but is not triggering

I can see the correct address in the palo FQDN cache (using show dns-proxy fqdn all). There's one IPv4 and one IPv6 result

I also verified the Palo was able to resolve the FQDN while creating the object

Any idea what I'm missing here?

Model: PA-850

Re: Traffic Log query for FQDN object errors with "ip range [fqdn] expansion exceeds maximum number of items allowed"

jpomachagua — Thu, 21 Nov 2024 20:02:47 GMT

Hello @Matthew-Hale

You're setting up an FQDN on an IP range object. I recommend choosing the FQDN object instead and trying again.

Regards

Re: Traffic Log query for FQDN object errors with "ip range [fqdn] expansion exceeds maximum number of items allowed"

Matthew-Hale — Thu, 21 Nov 2024 22:41:25 GMT

@jpomachagua These are FQDN objects, despite the error message text. From the running config:

address { my-FQDN-object { fqdn sftp.host-id.domain.com; } }

Although I guess I'm not able to use those objects for searching traffic logs like I expected...

I made some other FQDN objects to test with, and those just say "invalid value" in the traffic monitor, which makes more sense. I'll have to investigate further why they're not matching in the rule