Since about 4 days I am experiencing a critical problem in relation to policy rules with address objects and suspect an update to address/region objects has caused this mess as I am experiencing this issue with: - manually added address objects - predefined country regions - dynamic address groups (based on tags- even if the address group is empty it is treated by the FW as if every host is in the group, like 0.0.0.0/0) Those rules have been working flawlessly for months. I am running 9.0.3-h3 on this lab device and already have a opened a support case. The following pictures describe the problem best. The only change I have made was creating an address object (yet unused) named 0.0.0.0/0 with the same network range which should not cause the problem at all, except if there is a unknown bug... I already have confirmed via CLI that it is not a problem with the web gui (contents of address objects, region etc.). I also recreated affected rules which does not solve the problem. After those exceptions I have set a catch-all rule for decryption of any other traffic. Problem is, traffic does not make to the catch-all since the rule erroneously catches everything when address objects are assigned.
... View more