
Problem with aliases on LAN interface


I have a problem at a customer's site.

The customer switched from Sophos UTM to XG firewall.

In the past the customer ran into the problem that his network got too small. For ease they just added 2 additional addresses on the LAN interface with a /24 netmask.

Now, after the switch to XG firewall, this construction doesn't work really well, because some connections are marked with "Invalid TCP state".

The main address/network is the Sophos has the The other networks/aliases on the interface are and

If, for example, a client from network tries to access a printer in network it doesn't work because of invalid TCP state. Smartphone access to Exchange in the network also doesn't work.

It would be very difficult for the customer to change the whole network to another netmask. So I searched for a solution.

I found this:

set advanced-firewall bypass-stateful-firewall-config add source_network source_netmask dest_network dest_netmask

Does anyone know if this would solve the problem I have?

Thanks everybody for your help



  • Hello,

    The command "advanced-firewall bypass-stateful-firewall-config" will skip stateful inspection for traffic coming from and going to which will solve your problem if there is any asymmetric routing between these 2 subnets.

    What is the gateway for both (or all 3) subnets? Is it the IP address configured on the XG interface (or alias)? If so, then all traffic would get routed through the XG firewall via the LAN - LAN firewall rule. However, if any of the networks has a different gateway apart from the XG interface, then there are chances of asymmetric routing, in which the request and reply packets do not follow the same path.

    For such traffic you would see them being dropped under rule ID 0.

    Hardik R 

  • Hello Hardik R,

    The Sophos has the following addresses on the interface:




    The clients have the corresponding address as gateway; a client from has the as gateway. I have already created a rule with LAN-LAN.

    The message in the log is always invalid TCP state.

  • I have talked to a technician from Sophos, who says that aliases in different networks than the main address are not supported.

  • Hello,

    Thank you for the update. Can you please message me the support ticket through which you discussed this with the Support engineer?

    As per the KBA, the same physical interface does support different subnets.

    Hardik R 

  • Hello,

    Sorry, I just talked on the phone. The ticket was related to another problem and I just asked him on the side about this. I told the customer that the best option is to change the network, but as I said it is a little bit difficult. I will test it with the stateful firewall solution and will report again.

  • Hello again,

    So we could test it at the customer site. The problem has gone with traffic to printers, for example. But now a new problem occurred.

    Before the change a client from 192.168.42.x could access Sophos management services like User Portal, WebAdmin and Captive Portal on Now the clients can only access these services with the corresponding gateway address of their network.

    It's not so great an issue, but the problem is that I can only set one IP/hostname for the Captive Portal.



  • Short update: bypass-stateful-firewall did the trick. But FYI, you can then only access the firewall from the IP of the corresponding network.

  • You should fix this network setup. It looks really bad. 

    You should migrate to VLANs instead. Alias interfaces are not a way to build up different subnet clients and routing.


  • Yes, we know. We already said this to our customer, but for now the customer cannot or doesn't want to change the network configuration.

    The problem is we only manage the Sophos at the customer; everything else is managed by the customer and a third party.

    But thanks for your confirmation, we will talk to the customer again.