Hello, I had a quick issue today. We had traffic failing to match a rule where the destination object used in the rule was an FQDN Domain Object.
The reason for using a Domain Object here is that the destination is an Azure SQL Database using Public Endpoint, where the IP Address will change frequently. By using the Domain Object, we're able to permit the traffic no matter if the Public IP randomly changes or not. This is great, when it works.
When the traffic was not matching, we had to create a single IP Address/Host object to allow it as a workaround. Usually the traffic for this flow hits a different gateway cluster of ours, but due to some failover testing, the traffic was hitting a new gateway cluster. However, on this other cluster we still have the same rule installed.
Now that the workaround was in place, I wanted to understand better what went wrong. After doing some searching I found that the command to troubleshoot domain objects is domains_tool (sk161632), so I logged into the security gateway in question and ran domains_tool -d for the FQDN in the object. The returned output was indeed "Domain is not attached to any IP Address."
I then tried to just ping the FQDN from the gateway, and it resolved to the expected IP address. When I ran the domains_tool -d command again right after the ping, it showed the domain bound to the expected IP address.
Not sure if this is a job for TAC, or is there any other simple troubleshooting we can do? I did confirm through logs that the domain resolved to 3 different IP addresses in an hour, so maybe that threw things off a bit?
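As an added example (not part of the post above, and not Check Point's code; it does not call domains_tool), here is a small Python script that turns the "3 different IPs in an hour" observation into something measurable. It parses answers in the format `dig +noall +answer` prints, records every change of the A record set, and estimates how long a gateway that re-resolves the name only every N seconds would keep pointing at a retired IP. The 30-minute refresh interval, the hostnames and the four observations are constructed assumptions for the simulation, not documented gateway behaviour or real Azure data.

```python
"""Estimate how an FQDN Domain Object can fall out of sync with fast-changing DNS.

Added example for the post above; it is not Check Point code and does not call
domains_tool.  It parses answers in `dig +noall +answer` format (constructed
sample below), records each change of the A record set, and estimates how long a
gateway that re-resolves the name every REFRESH seconds would hold a stale IP.
The 30-minute refresh interval is an assumption for the simulation, not a
documented gateway value.
"""
from dataclasses import dataclass, field
from typing import List, Sequence, Set, Tuple

IPs = Tuple[str, ...]


@dataclass(frozen=True)
class Answer:
    ts: int    # seconds since the observation started
    ips: IPs   # sorted A records in the answer
    ttl: int   # smallest TTL among the A records


@dataclass
class Report:
    distinct_ips: Set[str] = field(default_factory=set)
    changes: List[Tuple[int, IPs, IPs]] = field(default_factory=list)  # (ts, old, new)
    short_ttl_at: List[int] = field(default_factory=list)  # answers whose TTL < refresh
    stale_seconds: int = 0  # total time the simulated gateway points at a retired IP


def parse_dig_answer(text: str, ts: int) -> Answer:
    """Parse `dig +noall +answer` output: '<name> <ttl> IN <type> <rdata>' lines.
    CNAME hops are skipped; only the terminal A records matter for the object."""
    ips, ttls = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            ttls.append(int(fields[1]))
            ips.append(fields[4])
    if not ips:
        raise ValueError("no A records in answer")
    return Answer(ts, tuple(sorted(ips)), min(ttls))


def analyse(answers: Sequence[Answer], refresh: int) -> Report:
    """refresh: assumed gateway re-resolution interval in seconds.
    The simulated gateway refreshes at every multiple of `refresh`, so a DNS
    change at time t leaves it stale until the next multiple."""
    rep = Report()
    prev: IPs = ()
    for a in answers:
        rep.distinct_ips.update(a.ips)
        if a.ttl < refresh:
            rep.short_ttl_at.append(a.ts)
        if prev and a.ips != prev:
            rep.changes.append((a.ts, prev, a.ips))
            next_refresh = (a.ts // refresh + 1) * refresh
            rep.stale_seconds += next_refresh - a.ts
        prev = a.ips
    return rep


# Constructed observations (not real Azure data): the same name resolved four
# times in one hour and returned three different public IPs, as in the post.
SAMPLE_DIG = {
    0:    "sqlsrv.example.database.windows.net. 300 IN CNAME gw.example.net.\n"
          "gw.example.net. 30 IN A 20.0.0.10\n",
    900:  "sqlsrv.example.database.windows.net. 300 IN CNAME gw.example.net.\n"
          "gw.example.net. 30 IN A 20.0.0.20\n",
    2100: "gw.example.net. 30 IN A 20.0.0.30\n",
    3000: "gw.example.net. 30 IN A 20.0.0.30\n",
}
REFRESH = 1800  # assumed 30-minute gateway re-resolution interval


def sample_report() -> Report:
    answers = [parse_dig_answer(txt, ts) for ts, txt in sorted(SAMPLE_DIG.items())]
    return analyse(answers, REFRESH)


if __name__ == "__main__":
    r = sample_report()
    print("distinct IPs:", sorted(r.distinct_ips))
    for ts, old, new in r.changes:
        print(f"t={ts:5d}s  {old} -> {new}")
    print("answers with TTL below refresh interval:", r.short_ttl_at)
    print("simulated stale time:", r.stale_seconds, "s")
```

To use it on a real case, run dig for the FQDN at intervals from a host that uses the same DNS servers as the gateway, feed each answer to parse_dig_answer with its timestamp, and compare the change log against what domains_tool -d reports on the gateway at the same moments; a long stretch of stale_seconds, or TTLs far below the refresh interval, points to the gateway's cached binding lagging behind DNS rather than to a rule problem.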