Not quite understanding the solution that you have but you have the following that is going to use dns.
The firewall ipv4 and ipv6 objects that can be enable as type FQDN and DNS filtering
With the former the fortigate looks up any object , caches the address that is matched to the FQDN rescoures type A , and if traffic matches that ip.address is permitted or deny based on the rule in your fortigate.
config firewall policy edit 10 set uuid 25bb47b4-17d7-51ec-af61-6b8089529356 set srcintf "internal" set dstintf "wan1" set srcaddr "all" set dstaddr "www.example.com" set schedule "always" set service "ALL" set logtraffic all nextend SOCPUPFGT02 # diag firewall fqdn list | grep www.exwww.example.com: ID(49) ADDR(220.127.116.11) So in this case you need a working dns-server in order to resolve A and AAAA records to their respective ipv4 and ipv6 addresses. Also when you have multiple ip addresss for a single A record it will resolves all ipv4s e.g SOCPUPFGT02 # diag firewall fqdn list | grep login.windows.netlogin.windows.net: ID(140) ADDR(18.104.22.168) ADDR(22.214.171.124) ADDR(126.96.36.199) ADDR(188.8.131.52) ADDR(184.108.40.206) ADDR(220.127.116.11) ADDR(18.104.22.168) ADDR(22.214.171.124) supports-MacBook-Pro:Downloads ken$ host -t a login.windows.netlogin.windows.net is an alias for a.privatelink.msidentity.com.a.privatelink.msidentity.com is an alias for prda.aadg.msidentity.com.prda.aadg.msidentity.com is an alias for www.tm.a.prd.aadg.akadns.net.www.tm.a.prd.aadg.akadns.net has address 126.96.36.199www.tm.a.prd.aadg.akadns.net has address 188.8.131.52www.tm.a.prd.aadg.akadns.net has address 184.108.40.206www.tm.a.prd.aadg.akadns.net has address 220.127.116.11www.tm.a.prd.aadg.akadns.net has address 18.104.22.168www.tm.a.prd.aadg.akadns.net has address 22.214.171.124www.tm.a.prd.aadg.akadns.net has address 126.96.36.199www.tm.a.prd.aadg.akadns.net has address 188.8.131.52 On dns-filter, read the following https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/605868/dns-filter BTW all all modern firewalls works the same as the above.