FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 278559

This article describes that in the Web GUI under Policy & Objects -> Addresses, all FQDN Address Objects may show unresolved 'Unresolved FQDN' when highlighted except for the wildcard FQDNs on v7.2.6 and v7.2.7 (no such issue on v7.2.5). 

Scope FortiGate v7.2.6, v7.2.7. This issue is expected to be fixed in FortiOS v7.2.8.

The issue is caused by a bug/regression introduced in v7.2.6 and v7.2.7, where the FortiGate Web GUI is not correctly displaying the list of IP addresses that an FQDN resolves to. 

Screenshot (8).png


When checking from the CLI, the FortiGate will show the list of resolved IPs per FQDN Address object, indicating that it is resolving the FQDNs correctly.

The following commands can be used to check the FQDNs and their resolved IP addresses:

diagnose test application dnsproxy 6

vfid=0 ver=IPv4 wait_list=0 timer=31 min_refresh=60 min_ttl=296 cache_ttl=0 slot=-1 num=1 wildcard=0 (ttl=296:284:284)
vfid=1 ver=IPv4 wait_list=0 timer=31 min_refresh=60 min_ttl=5 cache_ttl=0 slot=-1 num=1 wildcard=0 (ttl=5:0:0)

diagnose firewall fqdn list-ip


fqdn_u 0x116330d7 type:(1) ID(218) count(1) generation(653) data_len:13 flag: 1
ip list: (1 ip in total)
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.


The following are some final points regarding this bug: 

  • This issue is a cosmetic issue only and does not affect FortiGate’s functionality.
  • Clients behind the FortiGate will still be able to reach those FQDNs (assuming a policy existed beforehand to allow this traffic). 
  • The FortiGate itself will also be able to resolve the FQDN properly, assuming DNS is also working correctly.