FortiGate
Lovepreet_Dhillon
Article Id 278559
Description

This article describes an issue where, in the Web GUI under Policy & Objects -> Addresses, all FQDN address objects (except wildcard FQDNs) show 'Unresolved FQDN' when highlighted on v7.2.6 and v7.2.7. The issue does not occur on v7.2.5.

Scope

FortiGate v7.2.6, v7.2.7. This issue is expected to be fixed in FortiOS v7.2.8.
Solution

The issue is caused by a bug/regression introduced in v7.2.6 and v7.2.7, where the FortiGate Web GUI does not correctly display the list of IP addresses to which an FQDN address object resolves.

When checking from the CLI, the FortiGate will show the list of resolved IPs per FQDN Address object, indicating that it is resolving the FQDNs correctly.

The following commands can be used to check the FQDNs and their resolved IP addresses:

diagnose test application dnsproxy 6

vfid=0 name=gmail.com ver=IPv4 wait_list=0 timer=31 min_refresh=60 min_ttl=296 cache_ttl=0 slot=-1 num=1 wildcard=0
142.251.215.229 (ttl=296:284:284)
vfid=1 name=gmail.com ver=IPv4 wait_list=0 timer=31 min_refresh=60 min_ttl=5 cache_ttl=0 slot=-1 num=1 wildcard=0
142.251.215.229 (ttl=5:0:0)

diagnose firewall fqdn list-ip

fqdn_u 0x116330d7 gmail.com: type:(1) ID(218) count(1) generation(653) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 142.251.215.229
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.
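As an added example (not part of this article and not Fortinet code), the following Python script parses the text of the two diagnose commands above and cross-checks them, so an administrator can confirm from CLI output whether an FQDN is genuinely unresolved or only displayed that way by the GUI. The sample outputs are constructed: the gmail.com lines mirror the format shown above, and the updates.example.invalid entry with num=0 is invented to show how an FQDN with no resolved address appears. The interpretation of the num field as the count of resolved addresses, and the merging of per-vfid entries by name, are assumptions based on the output shown.

```python
import re

# Constructed sample of `diagnose test application dnsproxy 6` output.
# The gmail.com lines follow the format in the article; the last entry
# (num=0, no address line) is invented to represent an unresolved FQDN.
DNSPROXY_SAMPLE = """\
vfid=0 name=gmail.com ver=IPv4 wait_list=0 timer=31 min_refresh=60 min_ttl=296 cache_ttl=0 slot=-1 num=1 wildcard=0
142.251.215.229 (ttl=296:284:284)
vfid=1 name=gmail.com ver=IPv4 wait_list=0 timer=31 min_refresh=60 min_ttl=5 cache_ttl=0 slot=-1 num=1 wildcard=0
142.251.215.229 (ttl=5:0:0)
vfid=0 name=updates.example.invalid ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=0 cache_ttl=0 slot=-1 num=0 wildcard=0
"""

# Constructed sample of `diagnose firewall fqdn list-ip` output (article format).
FQDN_LIST_SAMPLE = """\
fqdn_u 0x116330d7 gmail.com: type:(1) ID(218) count(1) generation(653) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 142.251.215.229
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.
"""

# Header line of a dnsproxy cache entry: vfid, name and the num field.
HEADER_RE = re.compile(r"^vfid=(\d+)\s+name=(\S+).*?\bnum=(\d+)")
# Address line under a header: "<ip> (ttl=a:b:c)".
ADDR_RE = re.compile(r"^(\S+)\s+\(ttl=")
# Entry line of the firewall FQDN table: "fqdn_u 0x... <name>: ...".
FQDN_RE = re.compile(r"^fqdn_u\s+0x[0-9a-fA-F]+\s+(\S+):")
# Address line of the firewall FQDN table: "ip: <ip>".
LIST_IP_RE = re.compile(r"^ip:\s+(\S+)")


def parse_dnsproxy(text):
    """Return {fqdn: {"num": n, "ips": set()}}, merging entries across vfids."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            _vfid, name, num = m.groups()
            current = entries.setdefault(name, {"num": 0, "ips": set()})
            current["num"] = max(current["num"], int(num))
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            current["ips"].add(m.group(1))
    return entries


def parse_fqdn_list(text):
    """Return {fqdn: set(ips)} from the firewall FQDN table output."""
    table = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FQDN_RE.match(line)
        if m:
            current = table.setdefault(m.group(1), set())
            continue
        m = LIST_IP_RE.match(line)
        if m and current is not None:
            current.add(m.group(1))
    return table


def check_resolution(dnsproxy, fqdn_table):
    """Classify each FQDN seen by dnsproxy.

    "resolved"   - dnsproxy has addresses and the firewall table holds the same set
    "unresolved" - dnsproxy has no addresses (num=0), i.e. a real resolution failure
    "mismatch"   - dnsproxy resolved it but the firewall table disagrees or lacks it
    """
    status = {}
    for name, entry in dnsproxy.items():
        if entry["num"] == 0 or not entry["ips"]:
            status[name] = "unresolved"
        elif fqdn_table.get(name) == entry["ips"]:
            status[name] = "resolved"
        else:
            status[name] = "mismatch"
    return status


if __name__ == "__main__":
    result = check_resolution(parse_dnsproxy(DNSPROXY_SAMPLE),
                              parse_fqdn_list(FQDN_LIST_SAMPLE))
    for name, state in sorted(result.items()):
        print(f"{name}: {state}")
```

To use it against a live unit, replace the two sample strings with the pasted output of the corresponding commands; an FQDN reported as "resolved" here while the GUI shows 'Unresolved FQDN' is the cosmetic condition described in this article, whereas "unresolved" points to an actual DNS problem worth investigating.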

The following are some final points regarding this bug:

  • This issue is cosmetic only and does not affect FortiGate's functionality.
  • Clients behind the FortiGate will still be able to reach those FQDNs (assuming a firewall policy already exists to allow this traffic).
  • The FortiGate itself will also resolve the FQDNs properly, assuming DNS is working correctly.