Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Adding WAN interface removes active WAN interface from Default SNAT rule, taking network down

Customer is installing a new ISP connection but will have the old one for a while as they have WAF to an internal server, and DNS pointing to current ISP PIP. 

Left Port2 configured as it was. WAN zone, with static IP info.

Configured Port3 to be the new ISP connection.  Then the network went down.  DNS didn't work.  All kinds of strange.  Checked the NAT policy as traffic is not going out the Internet and sure enough, Port2 was removed and Port3 added.

Seems like a bug to me. We've experienced this before but not consistently.  Is this an issue anyone else has faced?

XGS116 on 19.5.3.



This thread was automatically locked due to age.
Parents
  • Default NAT should only include all WAN interfaces. 
    So you are saying, by adding another WAN interface (two) it removed the old Port2 from Default NAT? 
    what about the WAN link manager?

    __________________________________________________________________________________________________________________

Reply
  • Default NAT should only include all WAN interfaces. 
    So you are saying, by adding another WAN interface (two) it removed the old Port2 from Default NAT? 
    what about the WAN link manager?

    __________________________________________________________________________________________________________________

Children
  • Yes, Port2 was automatically removed from the Default SNAT policy.

    Port2 in WAN Link Manager as Failover.  Port3 in WAN Link Manager as primary but was down so should have failed over and set Port2 as primary as it showed green in WAN Link Manager.

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • Like this?

    Because in my example, it is still in there:

    __________________________________________________________________________________________________________________

  • Yes, like that.  Except the new one is red, not green because it's not plugged in yet. Existing connection is then setup as backup and to take the weight of the original when it becomes active.

    I've had reports for other internal staff about this happening and they are manually fixing the Default SNAT policy to fix it.  It's not consistent, but then it's not often that we are adding a second ISP with Sophos firewalls.

    Setup the same in my firewall (XGS126 v20) and it worked just fine.  

    Started here.

    Added 2nd ISP

    Setup Gateways the exact same way as I did on the customer firewall

    And this was as it should be.

    It's an inconsistent issue.  Maybe reproducible if I were on v19.5.3. I don't know.

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner



    Added config steps on my firewall
    [edited by: DavidSain at 9:11 PM (GMT -7) on 9 May 2024]