HTTP/HTTPS connections that should be accepted by a rule with a 'Domain Object' do not pass through the Security Gateway.
Kernel debug ('fw ctl debug -m fw + drop') shows: fw_log_drop_ex: Packet proto=6 ... dropped by fw_runfilter_ex Reason: F_INDOM;
The F_INDOM drop is a symptom of a delay in the DNS reply when Domain Objects are configured in the Security policy.