05-16-2020 06:57 PM
Questions:
1. Why would the interzone-default rule become a part of the failed attempt to connect to the new rule
Because the new rule isn't properly matching the traffic. I would verify with the 'request system fqdn show' or ''show dns-proxy fqdn all' depending on your currently installed version of PAN-OS to verify that the firewall is actually properly resolving the FQDN object to the proper address.
2. Anyone know why connection fails with the FQDN set as destination rather than it's resolved IP address
99.8% of the time, this is due to the FQDN object either not refreshing properly or the rule not properly being built to accommodate for the traffic that's actually being seen by the firewall. Once you've verified the FQDN object is resolving properly, you'll want to test the rulebase entry and look at the recorded logs and make sure that your rulebase entry as configured properly accounts for the traffic.
