I will say in general they work well for us - I am sure, however, that we also in some cases have broad firewall rules somewhere below in the rule base catching any IP missed by the Updatable Objects.
Some pitfalls we see, where some are listed directly, and some are implicit demands due to architecture:
- Is your outbound internet firewall using the same DNS server as the clients? If not, there could be cache/geo issues with lookups.
- Are the client and internet firewalls even the same firewall? Updatable Objects often contain wildcard FQDNs. This requires DNS passive learning to work. If the firewalls are different, there is no way to share Updatable Object information between them. A low-key solution is to enable passive learning on both, and hope that your DNS servers do not use DoH, DoT, or DNSCrypt. But how is sync between the two firewalls ensured, and how do you measure it? Is the FQDN resolved to cache at the same time for the two firewalls?
So in conclusion, for clients asking, the answer I give is always: it works (maybe always?). Which is of course not the best answer in the world.
Regards,
Henrik