PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
MIT License

fqdn in destination address field is wrongly treated as an ip range. #435

Open keisari-ch opened 7 months ago

keisari-ch commented 7 months ago

Describe the bug

Hi guys, I'm trying to establish a base code configuration with a bunch of rules. Basically, I may have to use addresses of the IP Netmask and FQDN types (and URL Categories when I have to deal with some wildcards) in the security policies.

Basically the whole Terraform side "seems" OK because I can easily apply the objects and rule group configuration to the target device groups on Panorama, and the Panorama commit is successful.

The problem is when I push the configuration to the devices (which here are the Cloud NGFW appliances on Azure).

Below is the state description of an example rule which fails:

    {
      "action" = "allow"
      "applications" = toset([
        "any",
      ])
      "audit_comment" = ""
      "categories" = toset([
        "any",
      ])
      "data_filtering" = ""
      "description" = <<-EOT
      allow runner pods to access gitlab
      Source configuration file : /DG_NGFW/security_policies/post-rulebase/201.cloudplatform/r_cloudplatform_azfw.yml
      EOT
      "destination_addresses" = toset([
        "cdn.artifacts.gitlab-static.net",
        "gitlab.com",
      ])
      "destination_devices" = toset([
        "any",
      ])
      "destination_zones" = toset([
        "Public",
      ])
      "disable_server_response_inspection" = false
      "disabled" = false
      "file_blocking" = ""
      "group" = ""
      "group_tag" = ""
      "hip_profiles" = toset([])
      "icmp_unreachable" = false
      "log_end" = true
      "log_setting" = ""
      "log_start" = true
      "name" = "aks-runners-gitlab"
      "negate_destination" = false
      "negate_source" = false
      "negate_target" = false
      "schedule" = ""
      "services" = toset([
        "tcp-443",
      ])
      "source_addresses" = toset([
        "10.132.12.0/23",
        "10.132.24.0/22",
      ])
      "source_devices" = toset([
        "any",
      ])
      "source_users" = toset([
        "any",
      ])
      "source_zones" = toset([
        "Private",
      ])
      "spyware" = ""
      "tags" = tolist([
        "azure-firewall",
        "tf-managed",
      ])
      "target" = toset([])
      "type" = "universal"
      "url_filtering" = ""
      "uuid" = "6780e6f3-170d-458f-b256-31d24d51dc42"
      "virus" = ""
      "vulnerability" = ""
      "wildfire_analysis" = ""
    },

When I push the whole configuration to the 3 appliances, I get this error:

[image: push error]

All of this despite the configuration being apparently OK:

[image: Sec Pol Destination panel]

[image: FQDN Object]

Expected behavior

Well, that should be pushed without any errors :blush:

Current behavior

Apply OK / Panorama commit OK / push to device fails

Possible solution

No idea

Steps to reproduce

1. Create an address with type fqdn (as I'm typing this, the name is also "fqdn"; I will try with an alternative name).
2. Create a rule using the fqdn object.
3. Push to the Cloud NGFW device.

Screenshots

Above

Context

This is part of a migration from a managed solution to a hub & spoke architecture on Azure using the Palo managed service.
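The reproduction steps above (an address object of type fqdn, referenced from a rule in a Panorama device group's post-rulebase) written out as provider configuration. This is an added example, not the reporter's code or code from the provider repository; the device group name DG_NGFW, the zone names, the service name tcp-443, the object naming scheme and the two provider variables are assumptions taken from or chosen to match the state dump above. It covers steps 1 and 2; the Panorama commit and the push to the Cloud NGFW devices (step 3) are not performed by these resources.

```terraform
# Added example (not from issue #435 or the terraform-provider-panos repo).
# Assumptions: device group "DG_NGFW", zones "Private"/"Public" and the
# service object "tcp-443" already exist on Panorama.

terraform {
  required_providers {
    panos = {
      source = "PaloAltoNetworks/panos"
    }
  }
}

# Assumed variables; supply them via TF_VAR_* or a tfvars file.
variable "panorama_hostname" { type = string }
variable "panorama_api_key" {
  type      = string
  sensitive = true
}

provider "panos" {
  hostname = var.panorama_hostname
  api_key  = var.panorama_api_key
}

# Step 1: one FQDN address object per destination. type = "fqdn" is the
# object type the issue reports being treated as an IP range at push time.
# The object name is derived from the hostname so it never equals "fqdn".
resource "panos_panorama_address_object" "gitlab" {
  for_each = toset([
    "gitlab.com",
    "cdn.artifacts.gitlab-static.net",
  ])

  device_group = "DG_NGFW"
  name         = replace(each.key, ".", "-")
  type         = "fqdn"
  value        = each.key
  description  = "GitLab endpoint used by runner pods"
}

# Step 2: the rule in the device group's post-rulebase. Referencing the
# object resources (rather than pasting their names as string literals)
# gives Terraform the dependency, so the objects are applied before the rule.
resource "panos_panorama_security_rule_group" "aks_runners" {
  device_group = "DG_NGFW"
  rulebase     = "post-rulebase"

  rule {
    name                  = "aks-runners-gitlab"
    description           = "allow runner pods to access gitlab"
    source_zones          = ["Private"]
    source_addresses      = ["10.132.12.0/23", "10.132.24.0/22"]
    source_users          = ["any"]
    destination_zones     = ["Public"]
    destination_addresses = [for o in panos_panorama_address_object.gitlab : o.name]
    applications          = ["any"]
    services              = ["tcp-443"]
    categories            = ["any"]
    action                = "allow"
    log_start             = true
    log_end               = true
  }
}
```

After `terraform apply`, the Panorama commit and the push to the managed devices are separate steps (the issue reports the commit succeeding and only the push failing). Checking the device group's address objects on Panorama after the apply confirms that the rule references FQDN objects and not literal hostnames; the state dump shows only the object names, so that check is the quickest way to tell the two apart.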

keisari-ch commented 7 months ago

We can work around this issue by checking the following option in the Panorama settings:

"Share Unused Address and Service Objects with Devices"

Which is obviously a problem because of the difference in limits between the managed devices in this Panorama environment (hardware appliances versus Cloud NGFW).

Created a case on the CSP.