Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this solution

Cyber Elite
Cyber Elite



1. Why would the interzone-default rule become a part of the failed attempt to connect to the new rule

Because the new rule isn't properly matching the traffic. I would verify with the 'request system fqdn show' or ''show dns-proxy fqdn all' depending on your currently installed version of PAN-OS to verify that the firewall is actually properly resolving the FQDN object to the proper address.


2. Anyone know why connection fails with the FQDN set as destination rather than it's resolved IP address

99.8% of the time, this is due to the FQDN object either not refreshing properly or the rule not properly being built to accommodate for the traffic that's actually being seen by the firewall. Once you've verified the FQDN object is resolving properly, you'll want to test the rulebase entry and look at the recorded logs and make sure that your rulebase entry as configured properly accounts for the traffic. 

View solution in original post

Who Me Too'd this solution