
Firewall Rule Changes disconnect all traffic

Hi,

When I make a change to an (unrelated) firewall rule, particularly a WAF rule, the firewall will disconnect all sessions for all rules/sites for a few seconds. This happens for all of our hosted websites.

For example:

1. Make a change to Website Rule A

2. Users report being disconnected/404 errors on Website B, C or D

Hitting refresh again solves the issue, but this isn't great when I want to test and tinker with some other rules and websites that we use.

Is this by design? We also use Sonicwalls that do not cause this problem when we change rules.

Even if I make a change to Web Protection Policies, it disconnects everybody for a few seconds upon saving the policy/rule.

Really frustrated :(

  • Hi,

    sounds like a load problem with the XG, what are CPU and memory usage showing when this happens?

    Ian

  • This happens with SSL VPN Site-to-Site traffic too. The way you might want to get around it, cumbersome as it is:

    • Create a virtual Sophos SFOS you can use to manipulate and get rules down to exactly how you want them
    • Implement a change management process and perform those rule changes only during maintenance windows, however you've defined them
  • In reply to rfcat_vk:

    Definitely not a load issue. CPU usage didn't go above 14% when making the changes and RAM was at 33%.

  • In reply to Chris Shipley:

    Thanks for the suggestion. It's something I will look into.

    I understand that in most cases, firewall changes would be quite rare and I can do them out-of-hours but I'm having to do loads of Web Protection Policy testing at the moment.

  • We are having this issue on SG650 devices. Very low CPU/Memory usage.


    We have 30-40 WAF rules. If we make a change to any of them, users report being disconnected to sites published in other rules.


    It also takes at least a minute to save a WAF policy, just seems to hang forever. Whereas a network type rule is instant


    Is this expected behaviour or a bug?

  • In reply to David Mace:

    Hi David


    Thanks for reviving this post. It's still an issue now, but I've learned to live with it.

    Apparently this issue occurs because changing WAF rules forces the Apache service to restart.

    Not sure if there will ever be a way around it.

    I'm starting to look at other UTM vendors going forward and I'm not certain I will stick with Sophos when our licensing expires.

  • In reply to IT-Support-247:

    Hi  and  

    Sorry for the inconvenience caused! Could you please let me know, are you using Sophos XG firewall or Sophos IUTM 9 and facing this issue?

    I would request you to contact technical support and open a service request to investigate the issue further, please PM us the service request number.

  • In reply to Keyur:

    Hi, it's an XG 210 in HA.

  • In reply to IT-Support-247:

    Hi  

    Thank you for sharing details, as I suggested in the previous reply, I would request to contact technical support and open a service request to investigate the issue further and please PM us the service request number.

  • In reply to Keyur:

    We did raise a ticket and are awaiting an official response from Sophos. I will DM you our SR number.

  • In reply to David Mace:

    Hi  

    Thank you, please PM us the service request number.

  • In reply to Keyur:

    I'm facing the same issue on a XG330 in HA with v17.5.12

    Any findings that you can share?


    Thank you.

  • In reply to Juan Miguel:

    Turns out this is the way that the WAF works. It has to restart the Apache service to put the changes into effect.

    As far as I'm aware, not much can be done about it :|

  • In reply to IT-Support-247:

    Thank you for the reply.


    Really inconvenient.


    I also publish other services and when I change a rule, the clients get disconnected (with calls to IT support following).
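The thread's key distinction is between a load problem (one site failing under pressure) and the WAF reload behaviour described above, where every published site blinks at the same instant a rule is saved. The following is an added example, not code from the thread or from Sophos: it runs over a constructed availability probe log and a constructed list of rule-save timestamps (both formats are assumptions) and flags failure rounds where all sites dropped together within a few seconds of a saved rule.

```python
"""Classify outage rounds in an availability probe log as a single-site failure
or a simultaneous all-site drop, and tie the latter to a recent rule save.
Constructed sample data; the log and change-event formats are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed probe log, one line per site per round: "<ISO time> <site> <status>"
PROBE_LOG = """\
2020-07-08T10:00:00 siteA 200
2020-07-08T10:00:00 siteB 200
2020-07-08T10:00:00 siteC 200
2020-07-08T10:00:05 siteA ERR
2020-07-08T10:00:05 siteB ERR
2020-07-08T10:00:05 siteC ERR
2020-07-08T10:00:10 siteA 200
2020-07-08T10:00:10 siteB 200
2020-07-08T10:00:10 siteC 200
2020-07-08T10:05:00 siteA 200
2020-07-08T10:05:00 siteB 503
2020-07-08T10:05:00 siteC 200
"""

# Constructed: when an admin saved a WAF rule (e.g. taken from the firewall's audit log).
CHANGE_EVENTS = [datetime(2020, 7, 8, 10, 0, 3)]


def parse_probes(text):
    """Group probe results by round timestamp: {datetime: {site: status}}."""
    by_time = defaultdict(dict)
    for line in text.splitlines():
        ts, site, status = line.split()
        by_time[datetime.fromisoformat(ts)][site] = status
    return by_time


def classify_outages(probes, change_events, window=timedelta(seconds=10)):
    """Return [(timestamp, kind)] for every round with at least one failure.
    kind is 'single:<sites>' when only some sites failed, 'global' when all
    failed, and 'global-after-change' when all failed within `window` of a
    saved rule, which is the reload signature rather than a load problem."""
    findings = []
    for ts in sorted(probes):
        statuses = probes[ts]
        failed = [s for s, st in statuses.items() if st == "ERR" or st.startswith("5")]
        if not failed:
            continue
        if len(failed) == len(statuses):
            near_change = any(abs(ts - c) <= window for c in change_events)
            findings.append((ts, "global-after-change" if near_change else "global"))
        else:
            findings.append((ts, "single:" + ",".join(sorted(failed))))
    return findings
```

Feeding real probe data and the firewall's own audit timestamps into the same logic gives a quick way to show that the disconnects line up with rule saves rather than with CPU or memory pressure.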