
FQDN not working vs Resolved IP address

L1 Bithead

I created a new FQDN address object to facilitate a new Policy (rule).

When tested, the FQDN resolves internal to the Palo Alto Firewall.

The rule contains one destination address which is the new FQDN

The rule contains one source address

Application SSL with Application-Default Service

Action Allow


When attempts are made to connect to this destination via the new rule with the FQDN set (destination), the traffic is denied (fails) and logs point to (identify) the "interzone-default" rule instead of the "new rule" that is set up to facilitate this connection.


But when I replace the FQDN (destination) with its resolved IP in the new rule, it works fine (allowed) and logs point the occurrence to the "new rule" (not the interzone-default), as is to be expected since that is normal behavior.


  1. Why would the interzone-default rule become a part of the failed attempt to connect to the new rule?
  2. Anyone know why the connection fails with the FQDN set as destination rather than its resolved IP address?
  3. Has anyone had a similar experience?

Thanks in advance.
