Hotspot landing page blocked after upgrade from 17.x to 18.x

Hej Sophos community,

several XG 106 boxes, which were updated from SFOS 17.x to 18.x suddenly block the access of the hotspot landing page.

The Hotspot was just woring fine before the upgrade and clients were redirected to the landing page with the input field of the voucher code.

Now with SFOS 18.0.4 MR-4 the clients timeout because the access is blocked by the firewall:

2021-03-12 08:02:12Firewallmessageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="vxlan3.101" in_display_interface="vxlan3.101" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="" src_country="R1" dst_ip="" dst_country="R1" protocol="TCP" src_port="49192" dst_port="4501" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Could not associate packet to any connection." appresolvedby="Signature" app_is_cloud="0"

So the main question is:

How can I place a rule to allow port 4501 traffic with the XG itself as target? I only know the appliance-access-matrix where WIFI is enabled for every service excluded AD SSO and Dynamic Routing.

Hotspot Service is running.

Any ideas?

Thanks and Regards,


Added TAG
[edited by: emmosophos at 8:09 PM (GMT -7) on 14 Apr 2021]