XG135 - SFOS 19.0GA-317 ignored firewall/NAT rules and policies

After updating from SFOS 18.5.3 MR-3-Build408 to SFOS 19.0.0 GA-Build317, I started getting complaints of services not working; they depend either on outbound firewall rules or inbound DNAT rules.

The first failure to be reported was VoIP. Oddly enough, running a VoIP client from my own machine would work just fine, but a specific VoIP gateway device which had its own rule was not working at all after the upgrade.

Another example is an internal web server that only accepts connections from specific FQDN; it also stopped being reachable from the outside after the upgrade.

I have seen people reporting other types of issues but none similar to this. And yes, regressing to SFOS 18.5.3 MR-3 fixed every issue both times that I tried the upgrade.


A couple of concrete examples below of simple rules that stopped working after the v19.0GA upgrade:

FW rule:

- Source zones: LAN

- Source network and devices: (IP for local VoIP gateway)

- Destination zones: WAN

- Destination networks: Any

- Services: SIP (UDP/1:65535 - UDP/5060)

Another FW rule, created with DNAT wizard:

- Source zones: WAN

- Source network and devices: FQDN (

- Destination zones: LAN

- Destination networks: #Port2 (Public IP)

- Services: HTTPS

Resulting NAT rule from above:

- Original source: FQDN (

- Original destination: #Port2 (Public IP)

- Original services: HTTPS

- SNAT: Original

- DNAT: (IP for LAN web server)

- PAT: Original

- Inbound interface: Port2 (Public IP)

- Outbound interface: Any
