Upgrade to UTM 9.601-5 firmware doesn't start FW NAT rules on boot

Hi,

I got information from my UTM that a new firmware 9.601-5 was available. I installed it and after reboot I discovered that all my NAT rules were not activated! I had to go into each one and disable/enable them to get back the working setup :(

I did it with some of them and then rebooted the UTM: again the rules were not applied. Disable/enable them and everything is OK.

For some rules I didn't apply the "automatic firewall rules" in the GUI but had created the FW rules myself: those NAT rules were activated. But for NAT rules forwarding ports to other physical hosts, but *not the host itself and the VMs running on it where the UTM lies*, no matter which setup (manual or automatic), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

No need to say that prior firmware versions didn't have this problem.

Does anyone face the same problem and confirm?

Daniel

  • In reply to BAlfson:

    Hello Bob,


    Wow nice :) I would like to thank you because you often helped me once I opened a case ! Thank you for your contribution !

: any news from Sophos? Is the support case progressing?

    Regards,

    DeltaSM

  • In reply to Daniel Huhardeaux:

Has anyone heard back regarding this issue?  I just rolled out 9.603-1 and pretty much every one of the firewalls I manage came up with NAT rules not working.  I have to manually turn every rule off and back on... Frustrating and time consuming.

  • In reply to J_Money:

    If anyone else has this problem, please try restoring the config backup made before the Up2Date/s was/were applied.  If that doesn't resolve the issue, try a reboot.  Please let us know your results.

    Cheers - Bob

  • In reply to BAlfson:

    Bob, a config restore was one of the first things I tried.  The NAT rules will work until a reboot, at which time I can see the traffic coming in but firewall logs show it blocked by the Default Drop.  When I toggle the rules off and back on they work again.

  • In reply to J_Money:

This may sound totally strange, but if you see the problem after a reboot again, try pinging the IP addresses on which the corresponding NAT rules are bound and if these are not answering (which I am expecting), try disabling and after 2-3 seconds re-enabling the additional IP addresses and check if they are answering. Then, check if the NAT rules are answering (which I expect). Then, reboot again to check if now everything comes up good.

  • In reply to JoergRiether:

    Hi Joerg,

the problem is not -at least on my side- with additional IP addresses. All FW rules like xNAT aren't applied.

    Still have no feedback from opened case in France by my partner, I opened a new one from website, id#8892593.

    Daniel

  • In reply to Daniel Huhardeaux:

    Short question. Do you use /32 on the additional IP? 

  • In reply to LuCar Toni:

I just hung up a call with French Sophos Support. They will investigate and come back to me next week. I sent them the link to this discussion. Does anyone have the problem with a hardware UTM like the SG series?

    Daniel


  • In reply to Daniel Huhardeaux:

    Hello Daniel,

    In our case, we use Sophos SG 210 appliance so we can confirm the issue.

    Regards,

    DeltaSM

  • HI Everyone


So glad to see this issue confirmed here - I am NOT going mad after all.  We've had some really big problems with this; causing us embarrassment and our clients' outages.

I can confirm the same activity on a few dozen of my UTMs - I am not sure what UTM firmware version this started with but I've seen it for a month or two at least. After a UTM reboot I need to DISable / ENable the NAT rules to get inbound NAT traffic started again. Not always ALL NAT rules it seems, can be just one rule out of dozens - I am now so scared to update firmware or reboot it's silly, as I need to try every NAT rule after a reboot and I have so many UTMs to do this on.


    Last post on this thread was Jun 7th - any updates from anyone yet?


    Thanks

    Grant AU

  • In reply to GrantAU:

    Hello,

yes, I got in contact with Sophos support France and sent them -this week- logs and FW rules from before and after a reboot. I'm waiting for their comments.


    Daniel

  • In reply to GrantAU:

    Hi Grant - welcome to the UTM Community!

    You might want to use the trick I outlined in April when this phenomenon first appeared.  If the issue only occurs at reboot, use "@reboot" instead of "0 4 * * *" in the cron jobs.

    Cheers - Bob
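Whatever the cron job itself does, the thread's recurring pain point is finding out *which* forwards came up dead after a reboot. The bash script below is an added example (not Bob's trick and not anything from Sophos): it takes a constructed list of expected DNAT forwards (label, public IP, port; the 203.0.113.x addresses are documentation-range placeholders) and reports which ones no longer accept a TCP connection, so a `@reboot` cron entry can flag broken rules instead of you testing every rule by hand.

```bash
#!/usr/bin/env bash
# Post-boot check for inbound NAT forwards. Added example, not UTM code.
# Run from cron as:  @reboot sleep 120 && /path/to/check_nat.sh >> /var/log/nat-check.log 2>&1
# (the sleep gives the UTM time to finish applying its ruleset before we test).

# Constructed sample list: "<label> <public_ip> <port>", one forward per line.
EXPECTED_FORWARDS="web   203.0.113.10 443
mail  203.0.113.11 25
rdp   203.0.113.12 3389"

# tcp_open HOST PORT -> exit 0 if a TCP connect succeeds within 3 seconds.
# Uses bash's /dev/tcp so it needs no nc/nmap on the box.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_forwards "$LIST" -> prints one OK/FAIL line per forward,
# returns 1 if any forward failed (so cron mail / a monitor can alert).
check_forwards() {
  local list="$1" rc=0 label ip port
  while read -r label ip port; do
    [ -z "$label" ] && continue          # skip blank lines
    if tcp_open "$ip" "$port"; then
      echo "OK   $label $ip:$port"
    else
      echo "FAIL $label $ip:$port (no TCP answer - rule probably not applied)"
      rc=1
    fi
  done <<< "$list"
  return "$rc"
}

# Only run the real check when executed directly, not when sourced for tests.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "NAT forward check at $(date -u +%FT%TZ)"
  check_forwards "$EXPECTED_FORWARDS"
fi
```

A FAIL line tells you which rule to toggle; it does not distinguish "rule not applied" from "backend host down", so check the UTM's firewall log for Default Drop entries (as J_Money did above) before blaming the NAT rule.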

  • In reply to BAlfson:

    Did this happen to get fixed in 9.603-1, or are users still seeing this behavior on that firmware?

  • In reply to JasonG:

    From experience I can say this is still happening.  Firewalls I manage on 9.603-1 are coming up with non-functional NAT FW rules.  This is occurring both during reboots and cold boots across different hardware platforms (SG105, SG135, SG210) as well as my personal home software installation.

  • In reply to JasonG:

    JasonG

    Did this happen to get fixed in 9.603-1, or are users still seeing this behavior on that firmware?


    That's still not fixed with this version.


As I said a few weeks ago, people from Sophos France are studying the case (I gave them access to 2 UTM software installs having the problem) but they still have not found out where the problem lies.


    Daniel