
Adding WAN interface removes active WAN interface from Default SNAT rule, taking network down

Customer is installing a new ISP connection but will have the old one for a while, as they have WAF to an internal server and DNS pointing to the current ISP PIP.

Left Port2 configured as it was. WAN zone, with static IP info.

Configured Port3 to be the new ISP connection. Then the network went down. DNS didn't work. All kinds of strange. Checked the NAT policy, as traffic was not going out to the Internet, and sure enough, Port2 was removed and Port3 added.

Seems like a bug to me. We've experienced this before but not consistently.  Is this an issue anyone else has faced?

XGS116 on 19.5.3.



Edited TAGs
[edited by: Erick Jan at 12:49 AM (GMT -7) on 10 May 2024]
  • Yes, Port2 was automatically removed from the Default SNAT policy.

    Port2 is in WAN Link Manager as Failover. Port3 is in WAN Link Manager as primary, but it was down, so it should have failed over and set Port2 as primary, as it showed green in WAN Link Manager.

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • Like this?

    Because in my example, it is still in there:


  • Yes, like that. Except the new one is red, not green, because it's not plugged in yet. The existing connection is then set up as backup and to take the weight of the original when it becomes active.

    I've had reports from other internal staff about this happening, and they are manually fixing the Default SNAT policy to fix it. It's not consistent, but then it's not often that we are adding a second ISP with Sophos firewalls.

    Set up the same in my firewall (XGS126 v20) and it worked just fine.

    Started here.

    Added 2nd ISP

    Set up Gateways the exact same way as I did on the customer firewall

    And this was as it should be.

    It's an inconsistent issue.  Maybe reproducible if I were on v19.5.3. I don't know.

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner



    Added config steps on my firewall
    [edited by: DavidSain at 9:11 PM (GMT -7) on 9 May 2024]