Issues when an FQDN is used in a policy match:

VOS does not support a match that combines IP addresses and FQDNs in Security policies, SD-WAN policies, or Decryption policies: a single source or destination field may not contain both IP addresses and FQDNs, and a policy may not match on IP for one side and FQDN for the other.


The following table lists which combinations of IP address and FQDN are supported in a policy match:

Source       Destination   Supported?
----------   -----------   ----------
IP, FQDN     Any           No
Any          IP, FQDN      No
IP           FQDN          No
FQDN         IP            No
IP           IP            Yes
FQDN         FQDN          Yes
IP           Any           Yes
Any          IP            Yes
FQDN         Any           Yes
Any          FQDN          Yes


Even where an FQDN is supported in a VOS policy, there are some concerns:


An FQDN object can be configured as a regex, and a regex expands to many FQDNs. VOS has to keep resolving the IP addresses of every FQDN the pattern covers. If an FQDN pattern similar to the one below is configured, VOS has to periodically resolve a large number of FQDNs:


Also, if the DNS servers used by VOS differ from those used by the customer's devices (for example, when the devices do not use the DNS proxy on VOS), the two can resolve the same FQDN to different IP addresses. VOS resolves the FQDN with the DNS servers configured on VOS, while the customer devices resolve it with the DNS servers configured on the devices, so the destination IP of a device's flow may not be among the addresses VOS holds for the FQDN in the policy, and the policy will not match as intended.


Solution:

Instead of an FQDN, use a URL string or URL pattern in the policy; these can be combined with IP addresses and any other matching criteria. URL strings and URL patterns scale better than FQDNs because VOS does not have to resolve IP addresses for them: the match is made on the URL observed in the traffic rather than on the result of a DNS lookup, so the resolver mismatch described above does not apply.
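The following script is an added example written for this article; it is not Versa's code and does not talk to VOS. It models, with constructed data, the support table above (which source/destination kinds may be combined) and the two behaviours the concerns describe: an FQDN match compares the flow's destination IP with addresses that VOS resolved through its own DNS servers, whereas a URL-string style match compares the hostname carried in the flow itself. The resolver views, rules and flows are all made up; the IP ranges are documentation ranges.

```python
# Added example, not part of the Versa article or of VOS. It simulates, with
# constructed data, why an FQDN-based policy can miss a flow when the VOS
# resolver and the client's resolver disagree, and why a hostname/URL-string
# match does not depend on resolution at all.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    dst_fqdn: str   # FQDN (or URL-string hostname) the rule is written for
    action: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str     # address the client actually connected to
    host: str       # hostname seen in the TLS SNI / HTTP Host header


# Constructed resolver views (documentation ranges, not real services).
# VOS resolves with the DNS servers configured on VOS; the client resolves
# with its own DNS servers, which here hand back a different CDN edge.
VOS_DNS = {
    "app.example.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.5"},
}
CLIENT_DNS = {
    "app.example.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.77"},
}


def combination_supported(src, dst):
    """Apply the article's table: a policy may not mix IP and FQDN within one
    side, nor use IP on one side and FQDN on the other. src and dst are sets
    drawn from {"IP", "FQDN"}; an empty set stands for 'Any'."""
    both = {"IP", "FQDN"}
    if src == both or dst == both:
        return False
    if {"IP"} in (src, dst) and {"FQDN"} in (src, dst):
        return False
    return True


def resolver_divergence(vos_dns, client_dns):
    """Names on which the two resolvers disagree -> (vos_only, client_only)."""
    out = {}
    for name in sorted(set(vos_dns) | set(client_dns)):
        v, c = vos_dns.get(name, set()), client_dns.get(name, set())
        if v != c:
            out[name] = (v - c, c - v)
    return out


def fqdn_match(rule, flow, vos_dns):
    """FQDN match as the article describes it: VOS resolves the FQDN with its
    own DNS servers and compares the flow's destination IP with the result."""
    return flow.dst_ip in vos_dns.get(rule.dst_fqdn, set())


def hostname_match(rule, flow):
    """URL-string style match: compare the hostname carried in the flow.
    No resolution is involved, so resolver differences cannot cause a miss."""
    return flow.host.lower().rstrip(".") == rule.dst_fqdn.lower().rstrip(".")


def audit(rules, flows, vos_dns):
    """Flows for which the FQDN match and the hostname match disagree, i.e.
    where the policy would not behave the way its author expected."""
    findings = []
    for rule in rules:
        for flow in flows:
            f, h = fqdn_match(rule, flow, vos_dns), hostname_match(rule, flow)
            if f != h:
                findings.append((rule.name, flow.dst_ip, flow.host, f, h))
    return findings


RULES = [
    Rule("allow-app", "app.example.com", "allow"),
    Rule("block-cdn", "cdn.example.net", "deny"),
]

# Constructed flows: the client connected to whatever its own resolver returned.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "app.example.com"),
    Flow("10.0.0.5", "198.51.100.77", "cdn.example.net"),
]


if __name__ == "__main__":
    print("IP -> FQDN supported:", combination_supported({"IP"}, {"FQDN"}))
    for name, (v, c) in resolver_divergence(VOS_DNS, CLIENT_DNS).items():
        print(f"{name}: VOS only {sorted(v)}, client only {sorted(c)}")
    for rule_name, ip, host, f, h in audit(RULES, FLOWS, VOS_DNS):
        print(f"{rule_name}: {host} -> {ip} fqdn_match={f} hostname_match={h}")
```

Run as-is, the script reports that cdn.example.net resolves differently on the two sides and that the block-cdn rule, written as an FQDN, fails to match the client's flow to 198.51.100.77 while the hostname match catches it. In a real deployment the two resolver views would come from VOS's DNS servers and from the client devices' DNS logs; the comparison logic is the same.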


Please refer to the following documents for using URL strings, URL patterns, and URL categories in policies:

https://support.versa-networks.com/support/solutions/articles/23000020309-string-and-regex-pattern-match-for-url-filtering

https://support.versa-networks.com/support/solutions/articles/23000016164-how-to-configure-url-filtering-

https://support.versa-networks.com/support/solutions/articles/23000017325-how-to-configure-firewall-rule-to-block-traffic-towards-facebook