Operational Defect Database

BugZero found this defect 488 days ago.

WatchGuard Technologies | kA16S000000Bc94SAC

Firebox drops traffic sourced from a second External interface as a spoofing attack

Last update date:

1/26/2023

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

All

Fireware

12.x

12.9.x

Fixed releases:

v12.9.2

Description:

Issue

In multi-WAN environments, inbound connections from IP addresses in the subnet range of one external interface are dropped as IP spoofing if they are received on any other external interface. The Drop Spoofing Attacks feature cannot distinguish a truly spoofed source address in a packet from packets sent across a network designed with asymmetric routes. In most cases, the Firebox must block asymmetrically routed packets so that it can fully scan connection requests and responses with subscription services and with its stateful inspection policies. When asymmetric routing is detected between two external networks, however, the Firebox is unaffected and can fully process the request and response without issue.

Fireware versions lower than v12.9 allowed this type of asymmetric routing when the Drop Spoofing Attacks feature was enabled. For more information, see About Spoofing Attacks in Fireware Help.

Workaround/Solution

Review the subnet masks assigned to all external interfaces. In some cases, external interfaces are configured with subnet masks that include IP addresses associated with other external networks.

Review the routing tables on external routers. It is possible that an incorrect route on an upstream router causes one network's local connections to arrive on the wrong external interface.

If you need to allow incoming connections from IP addresses in a subnet of a different external network:

In Policy Manager, go to Setup > Default Threat Detection > Default Packet Handling, and clear the Drop Spoofing Attacks check box.

In Fireware Web UI, go to Firewall > Default Packet Handling, and clear the Drop Spoofing Attacks check box.

About Spoofing Check Behavior Changes and BOVPN Virtual Interfaces

Spoofing checks also apply to BOVPN Virtual Interfaces. If you do not have virtual interface IP addresses configured, the traffic appears to come from the public IP of the remote endpoint, and the Firebox might detect it as a spoofing attack. Configure BOVPN virtual interface IP addresses to prevent this issue. For more information, go to Configure BOVPN Virtual Interface IP Addresses.
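The following is an added example, not WatchGuard code: it models the spoofing verdict described in the Issue section (source address belonging to another external interface's subnet) for the affected and unaffected releases, and the subnet-mask review from the workaround. Interface names, addresses and the misconfigured layout are constructed.

```python
# Added example, not WatchGuard code: models the Drop Spoofing Attacks verdict
# described in this record and the subnet-mask review from the workaround.
# Interface names and addresses are constructed (RFC 5737 test ranges).
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed multi-WAN layout: two external interfaces on different ISPs.
EXTERNAL_INTERFACES: Dict[str, IPv4Network] = {
    "eth0": ip_network("203.0.113.0/24"),   # ISP A
    "eth1": ip_network("198.51.100.0/24"),  # ISP B
}

# Constructed misconfiguration: eth0's mask is wide enough to cover ISP B's range.
MISCONFIGURED_INTERFACES: Dict[str, IPv4Network] = {
    "eth0": ip_network("198.51.0.0/16"),
    "eth1": ip_network("198.51.100.0/24"),
}


def subnet_owner(src: str, interfaces: Dict[str, IPv4Network]) -> Optional[str]:
    """Return the external interface whose subnet contains src, if any."""
    addr = ip_address(src)
    for name, net in interfaces.items():
        if addr in net:
            return name
    return None


def spoof_verdict(src: str, ingress: str, interfaces: Dict[str, IPv4Network],
                  *, affected_release: bool, drop_spoofing: bool = True) -> str:
    """'drop' or 'allow' for an inbound packet from src arriving on ingress.

    affected_release=True models Fireware 12.9.0/12.9.1, where a source that
    belongs to another external interface's subnet is dropped as spoofing;
    False models releases below 12.9 and the v12.9.2 fix, which allow it.
    drop_spoofing=False models the workaround of clearing the check box.
    """
    if not drop_spoofing:
        return "allow"
    owner = subnet_owner(src, interfaces)
    if owner is None or owner == ingress:
        return "allow"  # not one of our external subnets, or arrived where expected
    return "drop" if affected_release else "allow"


def overlapping_external_subnets(interfaces: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Pairs of external interfaces whose configured subnets overlap (the first
    misconfiguration the workaround asks you to review)."""
    names = list(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a].overlaps(interfaces[b])]
```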


Status

Resolved
