Traffic Log query for FQDN object errors with "ip range [fqdn] expansion exceeds maximum number of items allowed"


L0 Member

I created a new FQDN object and added it to a security policy. 

After committing changes, I tried to validate the rule was working, but I get this error in the traffic log when searching for (addr in 'my-FQDN-object').

 


The security policy rule is not working either. It should allow access to this FQDN address, but is not triggering.

 

I can see the correct address in the Palo FQDN cache (using show dns-proxy fqdn all). There's one IPv4 and one IPv6 result.

I also verified the Palo was able to resolve the FQDN while creating the object.

 

Any idea what I'm missing here?

Model: PA-850

2 REPLIES

L3 Networker

Hello @Matthew-Hale 

 

You're setting up an FQDN on an IP range object. I recommend choosing the FQDN object instead and trying again.

 

Regards

Jorge Pomachagua
PCNSE, PCNSC.

@jpomachagua These are FQDN objects, despite the error message text. From the running config:

address {
  my-FQDN-object {
    fqdn sftp.host-id.domain.com;
  }
}

 

Although I guess I'm not able to use those objects for searching traffic logs like I expected...

 

I made some other FQDN objects to test with, and those just say "invalid value" in the traffic monitor, which makes more sense. I'll have to investigate further why they're not matching in the rule.
