Operational Defect Database


WatchGuard Technologies | kA16S000000O7BeSAK

SD-WAN handles zero-routed BOVPN traffic incorrectly in Fireware v12.8.x

Last update date:

5/20/2022

Affected products:

Firebox M200

Firebox M300

Firebox M270

Firebox M370

Firebox M470

Firebox M570

Firebox M670

Firebox M290

Firebox M390

Firebox M400

Firebox M500

Firebox M440

Affected releases:

Fireware 12.x (12.8.x)

Fixed releases:

v12.9

Description:

Issue

In Fireware v12.8.x, SD-WAN actions are incorrectly applied to traffic that emerges from a BOVPN tunnel and is destined for an external network. Affected connections fail to establish and you see one or more of these symptoms:

Traffic is always routed out the first external interface, regardless of which interface is defined in the SD-WAN action

Dynamic NAT is not applied to outbound traffic

Incorrect src_nat_ip value in connection log messages

Connections are denied with "tcp syn checking failed"
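The four symptoms above are all visible in the Firebox traffic log, so a quick way to confirm whether a v12.8.x device is hitting this defect is to audit its connection log messages for BOVPN-sourced traffic that egresses on the wrong external interface, carries the wrong (or no) src_nat_ip, or is denied with "tcp syn checking failed". The following script is an added example, not WatchGuard's code or anything from this defect record: the key="value" log layout, the field names (disp, src_intf, dst_intf, policy, msg), the BOVPN network, the policy name and the expected SD-WAN interface are all constructed assumptions for the illustration, and the sample log lines are made up.

```python
import re
from ipaddress import ip_address, ip_network

# key="value" pairs; assumption: the log export is in this shape (not taken from the page).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed: remote networks that are reachable only through a BOVPN tunnel,
# i.e. the source addresses of "traffic that emerges from a BOVPN tunnel".
BOVPN_NETWORKS = [ip_network("10.20.0.0/16")]

# Constructed: for each policy with an SD-WAN action, the external interface the
# action should select and the public address dynamic NAT should stamp on it.
SDWAN_EXPECTED = {
    "Branch-Outbound": ("1-External-2", "198.51.100.10"),
}

# Constructed sample log lines (hypothetical data, not real device output).
SAMPLE_LOGS = [
    # symptom 1 + 3: egress on first external interface, src_nat_ip belongs to it
    'disp="Allow" src_ip="10.20.5.14" src_port="50211" dst_ip="203.0.113.80" dst_port="443" '
    'src_intf="BOVPN-HQ" dst_intf="0-External" policy="Branch-Outbound" src_nat_ip="192.0.2.10"',
    # symptom 2: dynamic NAT not applied (no src_nat_ip at all)
    'disp="Allow" src_ip="10.20.5.15" src_port="50212" dst_ip="203.0.113.80" dst_port="443" '
    'src_intf="BOVPN-HQ" dst_intf="1-External-2" policy="Branch-Outbound"',
    # symptom 4: connection denied by TCP SYN checking
    'disp="Deny" src_ip="10.20.5.16" src_port="50213" dst_ip="203.0.113.80" dst_port="443" '
    'src_intf="BOVPN-HQ" dst_intf="0-External" policy="Branch-Outbound" msg="tcp syn checking failed"',
    # not BOVPN-sourced: out of scope for this defect, must produce no finding
    'disp="Allow" src_ip="10.0.1.7" src_port="50214" dst_ip="203.0.113.80" dst_port="443" '
    'src_intf="1-Trusted" dst_intf="0-External" policy="Trusted-Outbound" src_nat_ip="192.0.2.10"',
    # healthy BOVPN-sourced connection: correct interface and NAT address
    'disp="Allow" src_ip="10.20.5.17" src_port="50215" dst_ip="203.0.113.80" dst_port="443" '
    'src_intf="BOVPN-HQ" dst_intf="1-External-2" policy="Branch-Outbound" src_nat_ip="198.51.100.10"',
]


def parse(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def from_bovpn(src_ip):
    """True when the source address lives in a network learned over a BOVPN tunnel."""
    addr = ip_address(src_ip)
    return any(addr in net for net in BOVPN_NETWORKS)


def check_record(rec):
    """Return a list of symptom tags for one parsed record (empty when it looks healthy)."""
    findings = []
    if "src_ip" not in rec or not from_bovpn(rec["src_ip"]):
        return findings  # only tunnel-sourced traffic is affected
    if rec.get("disp") == "Deny":
        if "tcp syn checking failed" in rec.get("msg", "").lower():
            findings.append("syn-check-deny")
        return findings
    expected = SDWAN_EXPECTED.get(rec.get("policy"))
    if expected is None:
        return findings  # policy has no SD-WAN action; not in scope
    exp_intf, exp_nat = expected
    if rec.get("dst_intf") != exp_intf:
        findings.append(f"wrong-egress:{rec.get('dst_intf')}")
    nat = rec.get("src_nat_ip")
    if nat is None:
        findings.append("no-dnat")
    elif nat != exp_nat:
        findings.append(f"wrong-src-nat:{nat}")
    return findings


def audit(lines):
    """Map 'src:port->dst:port' to its symptom tags for every affected connection."""
    results = {}
    for line in lines:
        rec = parse(line)
        tags = check_record(rec)
        if tags:
            key = (f"{rec['src_ip']}:{rec.get('src_port', '?')}->"
                   f"{rec['dst_ip']}:{rec.get('dst_port', '?')}")
            results[key] = tags
    return results


if __name__ == "__main__":
    for conn, tags in audit(SAMPLE_LOGS).items():
        print(conn, ",".join(tags))
```

Run against the sample data it reports three affected connections and stays silent on the Trusted-sourced and the healthy BOVPN-sourced flows. To use it on a real device, replace BOVPN_NETWORKS and SDWAN_EXPECTED with the tunnel networks and SD-WAN action targets from your own configuration and adjust KV_RE and the field names to the log format your Dimension or syslog export actually produces; a non-empty result on a v12.8.x Firebox is a strong indicator of this defect, and the fix is to upgrade to v12.9 or apply one of the workarounds below.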

Workaround/Solution

There are two workarounds for this issue:

Disable SD-WAN on all policies that handle traffic sourced from BOVPN networks.

Use a VIF-based (BOVPN virtual interface) VPN instead of a BOVPN tunnel.


Status

Resolved
