FQDN jobs FAILED


Hi,

 

We have added several FQDN objects and it's not working. If we run

 

update.symantec.com (Objectname update.symantec.com):

Not resolved

us.archive.ubuntu.com (Objectname us.archive.ubuntu.com):

Not used

xxxxxxx (Objectname HOST_xxxx13):

Not resolved

 

2017/04/25 13:35:54 29960 FqdnRefresh FIN FAIL 13:36:04
2017/04/25 13:31:44 29959 FqdnRefresh FIN FAIL 13:31:53
2017/04/25 13:30:32 29958 WildFire FIN OK 13:30:34
2017/04/25 13:30:25 29957 Install FIN OK 13:30:32
2017/04/25 13:30:23 29956 Downld FIN OK 13:30:25
2017/04/25 13:24:28 29954 FqdnRefresh FIN FAIL 13:24:39
2017/04/25 13:15:33 29953 WildFire FIN OK 13:15:37
2017/04/25 13:15:25 29952 Install FIN OK 13:15:33

 

Why is PA getting errors in FQDN jobs? We don't see any details or info. We can reach the DNS servers and everything.

 

 

show jobs id 29959

Enqueued ID Type Status Result Completed

2017/04/25 13:31:44 29959 FqdnRefresh FIN FAIL 13:31:53
Warnings:
Details:


I would need a strong explanation to upgrade these FWs, not upgrading just in case. Anyway, I'm going to replicate this issue in my lab...

Nothing in the release notes. Just a guess really, but can you try to increase the update interval to 10 minutes and check if auto refresh still fails? What is happening when you type test FQDN from the GUI:

 


In version 7.0.6 you can't see the resolve option in the WebUI; you have to use the CLI.

I tried to configure 10 minutes for refresh but the result is the same 😞

 

 

So when you ping the FQDNs from the CLI all looks good, it's just that auto-refresh doesn't work properly... Not sure if I have missed something simple. Are you able to report this to TAC?

Exactly

 

admin@LukeSkywalker01(active)> ping host

I just checked it: in version 7.1 it is working fine, but not in 7.0.6 😞

I doubt TAC will touch a 7.0.6 install. The first thing they're going to recommend is upgrading to a newer version like 7.0.15, whether it's a known issue or not.

--
CCNA Security, PCNSE7

I believe it is still a supported release as per the EOL notes, so they should investigate this properly unless we are missing something simple ;0

 

 

I replicated the same PAN-OS and host FQDN in my lab and it's working fine. But I don't have FqdnRefresh FAILED. :S

Not sure if it is possible to give the firewall a data plane reboot or a whole box reboot. To me, it is a software issue, maybe some process got stuck or crashed at some point; otherwise I do not have any other thoughts. I know it is not an ideal scenario, but if possible give it a go. Then as a next step please get in touch with TAC and see what they will suggest.

I have the exact same issue since upgrading to Panorama 8.0.2. It causes my firewalls, no matter the model or OS, to go to FQDN fail after a commit. I have an open TAC case but have not found a fix. We do have a workaround as follows:

 

The only way to get it to work is to restart the device-server, then do a force commit and then do an FQDN force refresh.

pa5020-a(active)> debug software restart process device-server
pa5020-a(active)> configure
Entering configuration mode
[edit]
pa5020-a(active)# commit force
pa5020-a(active)# exit
Exiting configuration mode
pa5020-a(active)> request system fqdn refresh force yes
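
An added example, not part of any post in this thread: a Python parser for job lines in the format quoted in the first post, reporting which job types are failing back to back and how long each failed run took. The function names are made up for this example; the sample lines are the ones from the first post.

```python
import re
from datetime import datetime, timedelta

# Job lines copied from the first post in this thread.
SAMPLE = """\
Enqueued ID Type Status Result Completed
2017/04/25 13:35:54 29960 FqdnRefresh FIN FAIL 13:36:04
2017/04/25 13:31:44 29959 FqdnRefresh FIN FAIL 13:31:53
2017/04/25 13:30:32 29958 WildFire FIN OK 13:30:34
2017/04/25 13:30:25 29957 Install FIN OK 13:30:32
2017/04/25 13:30:23 29956 Downld FIN OK 13:30:25
2017/04/25 13:24:28 29954 FqdnRefresh FIN FAIL 13:24:39
2017/04/25 13:15:33 29953 WildFire FIN OK 13:15:37
2017/04/25 13:15:25 29952 Install FIN OK 13:15:33
"""

JOB_RE = re.compile(r"^(\d{4}/\d\d/\d\d) (\d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d\d:\d\d:\d\d)$")

def parse_jobs(text):
    """Return one dict per job line, in listing order; other lines are skipped."""
    jobs = []
    for line in text.splitlines():
        m = JOB_RE.match(line.strip())
        if not m:
            continue  # column header, "Warnings:", "Details:", blank lines
        date, enq, job_id, jtype, status, result, done = m.groups()
        start = datetime.strptime(f"{date} {enq}", "%Y/%m/%d %H:%M:%S")
        end = datetime.strptime(f"{date} {done}", "%Y/%m/%d %H:%M:%S")
        if end < start:  # Completed column has no date: job ran past midnight
            end += timedelta(days=1)
        jobs.append({"id": int(job_id), "type": jtype, "status": status,
                     "result": result, "seconds": int((end - start).total_seconds())})
    return jobs

def failing_streaks(jobs):
    """Map job type -> [(id, seconds), ...] for the unbroken run of FAILs at the top of its history."""
    streaks, closed = {}, set()
    for job in jobs:  # listing is newest first
        if job["type"] in closed or job["status"] != "FIN":
            continue  # streak already ended, or job not finished yet
        if job["result"] == "FAIL":
            streaks.setdefault(job["type"], []).append((job["id"], job["seconds"]))
        else:
            closed.add(job["type"])  # first non-FAIL result ends the streak
    return streaks

if __name__ == "__main__":
    for jtype, runs in failing_streaks(parse_jobs(SAMPLE)).items():
        print(f"{jtype}: {len(runs)} consecutive failures (id, seconds): {runs}")
```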
