Issues when an FQDN is used in a policy match:
VOS does not support matching on a combination of IP address and FQDN in security policies, SD-WAN policies, and decryption policies.
The following table shows which combinations of IP address and FQDN are supported in a policy:
Source | Destination | Supported? |
IP, FQDN | Any | No |
Any | IP, FQDN | No |
IP | FQDN | No |
FQDN | IP | No |
IP | IP | Yes |
FQDN | FQDN | Yes |
IP | Any | Yes |
Any | IP | Yes |
FQDN | Any | Yes |
Any | FQDN | Yes |
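The table reduces to one rule: a policy is unsupported when its source and destination fields, taken together, contain both an IP address and an FQDN. The following Python sketch is an added example, not Versa code; it audits rule definitions against that rule before they are deployed. The rule dictionary layout, the function names and the sample rules are assumptions constructed for illustration, and combinations the table does not list are judged by the same rule.

```python
import ipaddress

def kind(entry):
    """Classify one address entry as 'any', 'ip' or 'fqdn'."""
    value = entry.strip().lower()
    if value in ("", "any"):
        return "any"
    try:
        # Accepts IPv4/IPv6 hosts and CIDR prefixes.
        ipaddress.ip_network(value, strict=False)
        return "ip"
    except ValueError:
        # Assumption: anything that is not an IP or prefix is an FQDN
        # (including FQDN regexes). Extend this for other object types.
        return "fqdn"

def kinds(entries):
    """Set of address kinds in one field; 'any' and empty fields add nothing."""
    return {kind(e) for e in entries} - {"any"}

def check_rule(rule):
    """Return (supported, reason) for one rule, following the table above."""
    src = kinds(rule.get("source", []))
    dst = kinds(rule.get("destination", []))
    if src | dst == {"ip", "fqdn"}:
        return False, "mixes IP and FQDN: source=%s destination=%s" % (
            sorted(src) or ["any"], sorted(dst) or ["any"])
    return True, "ok"

def audit(rules):
    """Return (rule name, reason) for every unsupported rule."""
    return [(r["name"], check_rule(r)[1]) for r in rules if not check_rule(r)[0]]

# Constructed sample rules (hypothetical layout, documentation address ranges).
SAMPLE_RULES = [
    {"name": "allow-updates", "source": ["10.1.0.0/16"],
     "destination": ["updates.example.com"]},
    {"name": "branch-to-dc", "source": ["10.1.0.0/16"],
     "destination": ["192.0.2.10"]},
    {"name": "saas-out", "source": ["any"],
     "destination": ["app.example.com", "198.51.100.7"]},
    {"name": "fqdn-only", "source": ["any"], "destination": ["app.example.com"]},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: unsupported, {reason}")
```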
Even when an FQDN is used in a policy in a way that VOS supports, there are some concerns:
An FQDN can be configured with a regex, which leads to many combinations of FQDNs. VOS has to keep resolving IP addresses for all of these combinations. If someone configures an FQDN similar to the one below, VOS has to periodically resolve IP addresses for many FQDNs:

Also, if the DNS server used by VOS differs from the one used by the customer (that is, if customer devices are not using the DNS proxy on VOS), there could be a mismatch. VOS resolves an FQDN to an IP address based on the DNS servers configured in VOS. Customer devices resolve the FQDN to an IP address based on the DNS servers configured on the customer devices.
Solution:
Instead of an FQDN, use a URL string or URL pattern in the policy, with any combination of IP address and other matching criteria. URL strings and URL patterns scale better than FQDNs because there is no need to resolve IP addresses for them.
Enhancement-ID: 142312
Description: Adds an "unsupported-policy-rule" alarm to alarms_local that fires when a policy rule may not match as intended.
Fix-Release: 22.1.4 (build date 2026-03-03 or newer)
P.S.: Director must be on version 22.1.4-20260303 or later to modify the default alarm behaviour from the alarms config in the template or appliance context in the UI.
Please refer to the following documents for using URL strings, URL patterns and URL categories in policies: