Operational Defect Database

BugZero found this defect 2056 days ago.

WatchGuard Technologies | kA10H000000g3bPSAQ

Policy by Domain Name configuration does not exclude private IP or Shared Address Space ranges

Last update date:

10/2/2018

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

12.x

12.0.x

12.1.x

12.1

12.1.1

12.1.3

12.10.x

12.2.x

12.3.x

12.4.x

Fixed releases:

All

Description:

Issue

When you configure a policy or other Firebox feature to use a domain name in place of an IP address, the resolved IP addresses may include IP addresses that are within the standard ranges for private IP addresses or Shared Address Space. If this occurs, your policy could cause network problems if the resolved IP addresses overlap with your internal network IP addresses.

RFC reference information:

RFC1918 private IP addresses: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12

RFC6598 Shared Address Space: 100.64.0.0/10

Workaround/Solution

This issue does not occur if you add a custom address to the To field in which you specify the FQDN as destination and Any-External as the interface.
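
To check whether a domain name used in a policy is affected, the following added example (not WatchGuard code) flags resolved addresses that fall in the RFC1918 or RFC6598 ranges listed above, or inside your own internal networks. The function name, the sample addresses and the internal subnets are constructed assumptions; the resolved addresses are passed in rather than looked up, so the check runs offline.

```python
import ipaddress

# Ranges named in the defect description.
RESERVED = {
    "RFC1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "RFC6598": [ipaddress.ip_network("100.64.0.0/10")],
}

def audit_resolved(addresses, internal_networks):
    """Return {address: [reasons]} for resolved addresses that need review."""
    internal = [ipaddress.ip_network(n) for n in internal_networks]
    findings = {}
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            # Keep malformed entries visible instead of silently dropping them.
            findings[raw] = ["unparseable"]
            continue
        if ip.version != 4:
            continue  # the defect description lists IPv4 ranges only
        reasons = [label for label, nets in RESERVED.items()
                   if any(ip in net for net in nets)]
        # An overlap with a local subnet is the case that causes network problems.
        reasons += [f"overlaps internal {net}" for net in internal if ip in net]
        if reasons:
            findings[raw] = reasons
    return findings

# Constructed sample data: addresses a policy's domain name might resolve to,
# and the (hypothetical) internal subnets behind the Firebox.
SAMPLE_RESOLVED = ["203.0.113.10", "10.0.5.20", "100.64.1.1",
                   "192.168.1.50", "172.32.0.1"]
SAMPLE_INTERNAL = ["10.0.5.0/24", "192.168.1.0/24"]

if __name__ == "__main__":
    for addr, reasons in audit_resolved(SAMPLE_RESOLVED, SAMPLE_INTERNAL).items():
        print(addr, "->", ", ".join(reasons))
```

Note that 172.32.0.1 is not flagged: 172.16.0.0/12 ends at 172.31.255.255.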


Status

Open
