BugZero found this defect 649 days ago.
8/10/2022
No affected products provided.
Any/Unknown
All
For a site-to-site VPN between two Fireboxes that run Fireware v12.8.x, reply traffic is unexpectedly allowed from an internal network behind one Firebox to an internal network behind the other Firebox even though no route is explicitly defined for the reply traffic.

For example, you configure a BOVPN virtual interface connection from a Firebox at Site A to a Firebox at Site B, and a BOVPN virtual interface connection from the Firebox at Site B to the Firebox at Site A. At each site, the Firebox protects two internal networks: a Trusted network and a Guest network. The BOVPN virtual interface configuration at Site A includes a route to the Site B Trusted network, but not to the Site B Guest network. The BOVPN virtual interface configuration at Site B includes a route to the Site A Trusted network, but not to the Site A Guest network.

Traffic initiated on the Site B Guest network and destined for the Site A Trusted network is allowed, which is expected because the BOVPN virtual interface configuration on the Site B Firebox specifies this route. However, reply traffic from the Site A Trusted network to the Site B Guest network is also allowed, which is not expected because the BOVPN virtual interface configuration on the Site A Firebox does not specify that reverse route.
Locally-managed Fireboxes
Exclude the virtual interface from the BOVPN allow policies and create individual policies.

Cloud-managed Fireboxes
Disable the BOVPN allow system policies and create any policies that you require for your VPN traffic.