Troubleshooting Tip: Searching for the IP which FQDN is resolved to in the address field

Situation: Traffic to a specific destination IP (162.219.225.118) is being blocked by a firewall policy. The assumption from the FortiGate administrator is that this IP is not configured as a destination in that firewall policy.
In the firewall policy, Amazon.com is configured as an FQDN. The first check that is done is to search for that IP in the Addresses in the GUI. 

Configuration is as follows:

Example:

1. Configure FQDN for www.amazon.com
    

config firewall address

    edit "amazon"

        set type fqdn

        set fqdn "www.amazon.com"

    next

end

2. Check this from the GUI. Select amazon.com, then select 'View matched addresses' to see to which IP this FQDN has resolved.
   
   

3. As an example, search with the IP 162.219.225.118 in Addresses. 
   
   

There will be no results displayed. This is expected behavior.

The IP can be checked from the CLI with the following command: 

diagnose firewall fqdn list-ip

diagnose firewall fqdn list-ip
fqdn_u 0x55b71af083b1 www.amazon.com: type:(1) ID(80) count(3) generation(12) data_len:26 flag: 1
ip list: (1 ip in total)
ip: 162.219.225.118
ip list: (1 ip in total)
ip: 3.160.204.148
ip list: (1 ip in total)
ip: 2.20.90.151
Total ip fqdn range blocks: 3.
Total ip fqdn addresses: 3.

Related article:

Troubleshooting Tip: How to verify the FDQN IP address in DNS cache