I'm using a Sophos Central-defined SD-WAN Connection Group and a series of rules to allow connections between sites. As best I can tell, all the rules are working for all other workloads. The only place I'm aware that these rules are not working properly is when trying to back up my switches to a TFTP server located in another site. None of my rules are really fine-grained enough to limit access to a service: if a host can reach another host, it should be able to do so for any service. I have no specific rules set up on the Site A location to alternatively route this kind of traffic.
For the case at hand I have Site A (where the TFTP server is) and Site B (where the switch is).
When I attempt to upload the switch's settings to the TFTP server, I can see the connection being made from the switch to the TFTP server, but when the TFTP server attempts to respond, the firewall in Site A is sending the response "out the WAN" interface instead of into the XFRM interface that the connection came in on.
From the TFTP server I can PING and SSH into the switch I'm testing with.
I've opened a support case and so far they've not been able to provide any guidance.
This is reproducible.
Site A is an SFV4C6 (SFOS 19.0.0 GA-Build317)
Site B is an XGS2300 (SFOS 19.0.0 GA-Build317)
This also affects another site running the same firmware, but on an XGS 126.
This sounds like an issue we fixed in v19.0 MR1. Can you try upgrading to it to see whether it resolves the issue for you?
Just confirming that MR1 did resolve the TFTP upload issue we saw.