Operational Defect Database

BugZero found this defect 649 days ago.

WatchGuard Technologies | kA16S0000007lPjSAI

Reply traffic unexpectedly allowed for BOVPN virtual interface connection with no reverse route for the traffic

Last update date:

8/10/2022

Affected products:

No affected products provided.

Affected releases:

Any/Unknown

Fixed releases:

All

Description:

Issue

For a site-to-site VPN between two Fireboxes that run Fireware v12.8.x, reply traffic is unexpectedly allowed from an internal network behind one Firebox to an internal network behind the other Firebox even though no route is explicitly defined for the reply traffic.

For example, you configure a BOVPN virtual interface connection from a Firebox at Site A to a Firebox at Site B, and a BOVPN virtual interface connection from the Firebox at Site B to the Firebox at Site A. At each site, the Firebox protects two internal networks: a Trusted network and a Guest network. The BOVPN virtual interface configuration at Site A includes a route to the Site B Trusted network, but not to the Guest network. The BOVPN virtual interface configuration at Site B includes a route to the Site A Trusted network, but not to the Guest network.

Traffic initiated on the Site B Guest network and destined for the Site A Trusted network is allowed, which is expected because the BOVPN virtual interface configuration on the Site B Firebox specifies this route. However, reply traffic from the Site A Trusted network to the Site B Guest network is also allowed, which is not expected because the BOVPN virtual interface configuration on the Site A Firebox does not specify that reverse route.
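The scenario above can be checked from the route configuration alone: a flow is exposed to this defect whenever the initiating Firebox routes to the destination network but the replying Firebox has no reverse route to the source network. The following audit script is an added example, not WatchGuard code; the site names, network addresses and route lists are constructed to mirror the Trusted/Guest layout in the description.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample data (assumed addresses, not from the defect record):
# two sites, each with a Trusted and a Guest network, and BOVPN virtual
# interface routes that only cover the peer's Trusted network.
LOCAL_NETWORKS = {
    "site_a": {"trusted": "10.1.0.0/24", "guest": "10.1.50.0/24"},
    "site_b": {"trusted": "10.2.0.0/24", "guest": "10.2.50.0/24"},
}
BOVPN_ROUTES = {
    "site_a": ["10.2.0.0/24"],  # Site A routes only to the Site B Trusted network
    "site_b": ["10.1.0.0/24"],  # Site B routes only to the Site A Trusted network
}


def routes_to(site: str, network: str) -> bool:
    """True if the BOVPN virtual interface at `site` has a route covering `network`."""
    net = ipaddress.ip_network(network)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in BOVPN_ROUTES[site])


def expected_reply_allowed(init_site: str, src_net: str,
                           reply_site: str, dst_net: str) -> bool:
    """Expected behaviour: a reply from dst_net back to src_net should only be
    allowed when the replying Firebox itself routes to src_net over the tunnel."""
    return routes_to(init_site, dst_net) and routes_to(reply_site, src_net)


def find_asymmetric_flows() -> List[Tuple[str, str, str, str]]:
    """List (init_site, src_net, reply_site, dst_net) tuples where the initiator
    has a route to dst_net but the replying site has no reverse route to src_net.
    These are exactly the flows whose replies the affected release lets through."""
    findings = []
    for init_site, reply_site in (("site_a", "site_b"), ("site_b", "site_a")):
        for src_net in LOCAL_NETWORKS[init_site].values():
            for dst_net in LOCAL_NETWORKS[reply_site].values():
                if routes_to(init_site, dst_net) and not routes_to(reply_site, src_net):
                    findings.append((init_site, src_net, reply_site, dst_net))
    return findings


if __name__ == "__main__":
    for init_site, src_net, reply_site, dst_net in find_asymmetric_flows():
        print(f"{init_site} {src_net} -> {reply_site} {dst_net}: "
              f"no reverse route at {reply_site}; reply traffic should be blocked")
```

Running it on the sample data reports the Guest-to-Trusted flow in each direction, which is where a dedicated policy (see the workaround) rather than the BOVPN allow policy should decide what is permitted.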

Workaround/Solution

Locally-managed Fireboxes

Exclude the virtual interface from the BOVPN allow policies and create individual policies.

Cloud-managed Fireboxes

Disable the BOVPN allow system policies and create any policies that you require for your VPN traffic.

Additional Resources / Links


Status

Open
