Hello,

i have a FW policy rule that allow traffic flow based on address object with type FQDN

match based on FQDN "*.taobao.com"

-when i start browsing main page is opening normally

-when i start clicking on random sections , some of them is re-directed to alibaba CDN *.alicdn.com which is not included in FW policy address 

-so i added *.alicdn.com also to address group to be matched

-blockage reduced significantly but still see some traffic not matched by the FW policy , and web site performance become very slow

-up on checking found that FQDN address is not populated with all DNS queries customer do

example if opened item.taobao.com , will be dropped , i have to manually do Nslookup inside windows CMD , then IP will be populated inside Fortigate , then customer will be able to browse it

-Note there is no proxy server used

-if IP of subdomain is not included here , traffic destined will be dropped

diagnose test application dnsproxy 6

vfid=1 name=*.taobao.com ver=IPv4 wait_list=0 timer=0 min_refresh=60 min_ttl=12 cache_ttl=0 slot=-1 num=9 wildcard=1

         47.246.99.148 (ttl=300:189:189) 47.246.138.134 (ttl=120:10:10) 123.183.232.83 (ttl=86:18:18) 47.246.177.10 (ttl=117:87:87) 47.92.44.90 (ttl=59:30:30)

         47.246.182.10 (ttl=114:105:105) 59.82.120.242 (ttl=47:41:41) 59.82.39.254 (ttl=251:248:248) 47.246.181.10 (ttl=232:231:231)

i already matched customer DNS with Foritgate DNS as recommendation on previous Fortinet KB article , but didn't solve the issue