FortiGate
pachavez
Staff
Article Id 319297
Description This article describes how to remove the error message ‘This policy has the following issues: It is using unresolved FQDN(s).’ from Policy & Objects -> Firewall Policy.
Scope FortiGate v7.2.8.
Solution

In this example, the FQDN address ‘support.fortinet.com’ is applied to the destination address of the firewall policy.

In the GUI, under Policy & Objects -> Firewall Policy, a policy that uses the FQDN address object shows the error message: 'This policy has the following issues: It is using unresolved FQDN(s)'.

When checking on the FortiGate, the FQDN resolves correctly.

FG-VM # exe ping support.fortinet.com
PING support.fortinet.com (63.137.229.1): 56 data bytes

FG-VM # diagnose test application dnsproxy 6
worker idx: 0
vfid=0 name=support.fortinet.com ver=IPv4 wait_list=0 timer=59 min_refresh=60 min_ttl=360 cache_ttl=0 slot=-1 num=1 wildcard=0
63.137.229.1 (ttl=360:65:65)

FG-VM # diagnose firewall fqdn list-ip
fqdn_u 0x10d938c5 support.fortinet.com: type:(1) ID(80) count(1) generation(2) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 63.137.229.1
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.

This is a cosmetic issue in the GUI under Policy & Objects -> Firewall Policy. It does not affect the functionality of the device, since the FortiGate can resolve the FQDN.
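
To confirm that the warning is only cosmetic before working around it, the check below (an added example, not part of the original article or Fortinet's tooling) parses saved 'diagnose firewall fqdn list-ip' output and reports policy FQDNs that have no IP in the FortiGate's FQDN table. The function names and the name 'unresolved.example.com' are constructed for illustration; the sample output is the one shown in this article.

```python
import ipaddress
import re

# Output of 'diagnose firewall fqdn list-ip', copied from this article.
SAMPLE_OUTPUT = """\
fqdn_u 0x10d938c5 support.fortinet.com: type:(1) ID(80) count(1) generation(2) data_len:13 flag: 1
ip list: (1 ip in total)
ip: 63.137.229.1
Total ip fqdn range blocks: 1.
Total ip fqdn addresses: 1.
"""

HEADER_RE = re.compile(r"^fqdn_u\s+0x[0-9a-fA-F]+\s+(?P<name>\S+):\s+type:")
IP_RE = re.compile(r"^ip:\s*(?P<ip>\S+)\s*$")


def parse_fqdn_list_ip(text):
    """Return {fqdn: [ip, ...]} parsed from the CLI output."""
    resolved, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            resolved.setdefault(current, [])
            continue
        ip_line = IP_RE.match(line)
        if ip_line and current is not None:
            try:
                addr = ipaddress.ip_address(ip_line.group("ip"))
            except ValueError:
                continue  # skip anything that is not a valid IP literal
            resolved[current].append(str(addr))
    return resolved


def unresolved_fqdns(text, policy_fqdns):
    """FQDNs used in policies that are absent from the table or listed with no IP."""
    resolved = parse_fqdn_list_ip(text)
    return sorted(f for f in policy_fqdns if not resolved.get(f.lower()))


if __name__ == "__main__":
    # 'unresolved.example.com' is a constructed name that is absent from the sample output.
    names = ["support.fortinet.com", "unresolved.example.com"]
    print(unresolved_fqdns(SAMPLE_OUTPUT, names))
```

An empty result means every FQDN referenced by the policy has at least one address on the FortiGate, so the GUI message is not reflecting a real resolution failure.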

 

Resolution:

To fix the error, create an Address Group object, then add the FQDN Address object ‘support.fortinet.com’ to that Address Group. After configuring the Address Group, apply it to the firewall policy.

  1. In the GUI, go to Policy & Objects -> Addresses, select 'Create New', select 'Address Group', enter the 'Group name', add the address 'support.fortinet.com' under Members, and select 'OK' to save the changes.

  2. Go to Firewall Policy, select the policy 'Fortinet', remove the address ‘support.fortinet.com’, then add the configured Address Group 'FQDN-Group', which includes the FQDN ‘support.fortinet.com’, and select 'OK' to save the changes.

After changes are made, the error message should be gone.