You can configure an FQDN address object as a load-balanced FQDN.
You can configure FQDN address objects as load-balanced FQDNs to ensure complete policy matching when application servers sit behind DNS-based load balancing. When you enable this option, the firewall keeps an accumulated list of every IP address the FQDN has resolved to, rather than replacing the stored list with the contents of each new DNS response. This addresses the case where a load-balancing DNS server answers each query with only a subset of the available addresses (for example, two of eight backend servers per response): a session to a server that was absent from the most recent answer does not match the rule that references the FQDN, so the traffic is evaluated against the remaining rules in the rulebase instead of the rule you intended.
You configure this functionality by selecting a new checkbox in the FQDN address object configuration. When you designate an FQDN as load-balanced, the DNS proxy applies additional query logic to build and maintain the complete set of resolved addresses: each time a response contains IP addresses that differ from those currently stored, the proxy schedules DNS retry events at progressively longer intervals so that it can discover the full range of addresses associated with the load-balanced domain.
Enable this feature when your network includes applications that rely on load-balanced DNS infrastructure and your security policy depends on matching every destination IP address the application can resolve to. With the option enabled, the policy rule matches regardless of which subset of addresses the load-balancing DNS server returned for any individual query.
The feature maintains backward compatibility with existing FQDN configurations: address objects without the option keep the default replace-on-response behavior, and you enable load-balanced handling only on the specific FQDN address objects that require it. To bound memory usage, the firewall stores at most 100 IP addresses per domain, which covers the vast majority of load-balanced DNS deployments. Before enabling the option for a domain, confirm that its full address footprint fits within that limit, because the object cannot represent addresses beyond it.
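The following Python model, added here as an illustration and not the vendor's firewall code, makes the difference between the two behaviors described above concrete: a default FQDN object that replaces its address list with each DNS response, and a load-balanced object that accumulates addresses, schedules progressively spaced retries when a response brings new addresses, and caps the list at 100 entries. The DNS answers are constructed sample data, the retry interval schedule (1, 2, 4, 8, 16 seconds), the decision to stop scheduling once the schedule is exhausted, and the handling of addresses beyond the 100th (silently dropped) are all assumptions for the example; the page only states that retries use progressive intervals and that the cap is 100.

```python
"""Model of FQDN address object resolution: default (replace) vs load-balanced (accumulate).

Added example, not vendor code. Only the replace/accumulate distinction, the
retry-on-new-address behaviour and the 100-address cap come from the page;
the concrete retry schedule and overflow handling are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_ADDRESSES_PER_FQDN = 100                 # cap stated on the page
RETRY_INTERVALS_SECONDS = (1, 2, 4, 8, 16)   # assumed progressive schedule


@dataclass
class FqdnAddressObject:
    name: str
    fqdn: str
    load_balanced: bool = False
    resolved: Set[str] = field(default_factory=set)
    pending_retries: List[int] = field(default_factory=list)  # seconds until each scheduled retry
    retry_count: int = 0

    def apply_dns_response(self, answers: List[str]) -> bool:
        """Ingest one DNS answer set. Returns True if a follow-up retry was scheduled."""
        new = set(answers) - self.resolved
        if not self.load_balanced:
            # Default behaviour: the latest response replaces the stored list,
            # so addresses seen in earlier responses stop matching.
            self.resolved = set(answers)
            return False

        # Load-balanced behaviour: accumulate, never discard learned addresses.
        room = MAX_ADDRESSES_PER_FQDN - len(self.resolved)
        if room > 0:
            self.resolved.update(sorted(new)[:room])  # assumed: excess dropped
        # A response containing unseen addresses hints that more exist;
        # schedule another query with the next (longer) interval.
        if new and self.retry_count < len(RETRY_INTERVALS_SECONDS):
            self.pending_retries.append(RETRY_INTERVALS_SECONDS[self.retry_count])
            self.retry_count += 1
            return True
        return False

    def matches(self, ip: str) -> bool:
        """Policy-match check: does a destination IP match this address object?"""
        return ip in self.resolved


def simulate(load_balanced: bool) -> Dict[str, object]:
    """Feed two partial responses, then test a flow to a server from the first one only."""
    obj = FqdnAddressObject("app-servers", "app.example.com", load_balanced=load_balanced)
    # Constructed data: a round-robin resolver returns 2 of 4 backends per query.
    responses = [
        ["192.0.2.10", "192.0.2.11"],
        ["192.0.2.12", "192.0.2.13"],
    ]
    for answers in responses:
        obj.apply_dns_response(answers)
    return {
        "resolved": sorted(obj.resolved),
        "retries_scheduled": list(obj.pending_retries),
        # The session that exposes the problem: destination learned from the
        # first response but absent from the most recent one.
        "flow_to_first_backend_matches": obj.matches("192.0.2.10"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("load_balanced=%s -> %s" % (mode, simulate(mode)))
```

Running the block shows the default object matching only 192.0.2.12 and 192.0.2.13 after the second response, so the flow to 192.0.2.10 falls through to later rules, while the load-balanced object matches all four addresses and has two retries queued (1 s, then 2 s) to look for further backends.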