Upgrade to UTM 9.601-5 firmware doesn't start FW NAT rules on boot

Hi,

I got information from my UTM that a new firmware 9.601-5 was available. I installed it and after reboot I discovered that all my NAT rules were not activated! I had to go to each one and disable/enable it to get back the working setup :(

I did it with some of them and then rebooted the UTM: again the rules were not applied. Disable/enable them and everything is OK.

For some rules I didn't apply the "automatic firewall rules" in GUI but had created the FW rules myself: those NAT rules were activated. But for NAT rules with forwarding ports to other physical hosts but *not the host himself and the VMs running on it where the UTM lies* doesn't matter which setup (manual or automatically), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

No need to say that prior firmware versions didn't have this problem.

Does anyone face the same problem and confirm?

Daniel

  • Daniel Huhardeaux

    [...] But for NAT rules with forwarding ports to other physical hosts but *not the host himself and the VMs running on it where the UTM lies* doesn't matter which setup (manual or automatically), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

    This point is solved, I made a mistake in my FW rules for those destinations, sorry for the noise.

    Daniel

     

  • In reply to Daniel Huhardeaux:

    Hello Daniel,

    I have the same problem and it's pretty annoying. Did you have any feedback about this?

    Regards,

    DeltaSM

  • In reply to DeltaSM:

    It's rare, but sometimes the Up2Date process "breaks" something in the configuration databases.  I've only experienced this twice in my client base in well over a decade.

    The first thing to try is to restore the backup made prior to the last application of Up2Dates.  That worked immediately in one case.  In the other, two extra reboots solved the problem.  The reboots may have been all that was necessary, but restoring a configuration backup is virtually instantaneous and not disruptive.

    Did that fix your issue?

    Cheers - Bob

  • In reply to DeltaSM:

    A case is open at Sophos France, I have no reply from them.

    Daniel

  • In reply to BAlfson:

    Hi Bob,

    On the UTM where I face this problem (I stopped upgrading the others until the problem is solved) I modified the setup by creating the FW rules myself and disabling the automatic rule creation from the NAT tab.

    Daniel

  • In reply to BAlfson:

    Problem is I can't restart easily as this UTM is in production environment.

    I also sent a support case. I will send you information once I've got news from Sophos.

  • In reply to DeltaSM:

    Hello Daniel,

    Did you have any feedback about this issue?

    I just upgraded to last firmware (9.602-3) and the issue is still present.

    Maybe I can try to load an old config but I would not prefer to do this... Maybe deleting and recreating could fix this issue?

  • In reply to DeltaSM:

    Hello DeltaSM,

    no news from support :( and I confirm that problem is still existing with 9.602-3. Will contact them again.

    Daniel

  • In reply to Daniel Huhardeaux:

    Hello Daniel,

    It seems that we're in the same situation. Can you keep me in touch if you have any news?

    Are you French? We come from Belgium and could give you our email address in private to exchange some information if needed.

    This problem is very annoying, Sophos!

    Regards,

    DeltaSM

  • In reply to DeltaSM:

    Yes, according to the IP addresses from which you're posting, French is the native tongue for both of you.

    Guys, you can make a new backup, try restoring the backup as I suggested above to see if that fixes the issue.  You can then restore the new backup and evaluate how difficult it would be to go to the older backup and redo any changes made since then.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    we could but this problem appears on at least 3 UTMs, including a physical one. On a fourth one I removed the automatic FW rules and created them manually. But hey, if the feature exists, it should work ;)

    Also, my partner who opened the case in France faces the same problem with a few of their UTMs. I don't think it's a rare case ...

    Daniel

  • In reply to Daniel Huhardeaux:

    Yeah, I've seen this too on the two installs I updated to 9.602-3 for testing its stability. It's too wide to be something isolated. I think we hit a bug there.

  • In reply to giomoda:

    Thank you for feedback guys :)

    It seems obvious that there is a problem now.

  • In reply to DeltaSM:

    I see you often answer in all the topics of this forum? Do you work at Sophos? Can you tell us if a case is actually open for this issue?

    Does anyone have any status of this?

    Regards,

    DeltaSM

  • In reply to DeltaSM:

    Daniel said above that his partner opened a case in France.  I'm sure there must be a NUTM for this.

    No, I'm not a Sophos employee, but thanks for asking!  We justify my participation here as marketing.  It's rewarded me with Sophos customers all across North America and additionally with consulting clients on three other continents - including other Sophos resellers.  I worked in IT in Germany in German (1 year) and in France in French (5+ years), so I especially enjoy those interactions.

    Cheers - Bob