Adding WAN interface removes active WAN interface from Default SNAT rule, taking network down

Customer is installing a new ISP connection but will have the old one for a while as they have WAF to an internal server, and DNS pointing to current ISP PIP. 

Left Port2 configured as it was. WAN zone, with static IP info.

Configured Port3 to be the new ISP connection. Then the network went down. DNS didn't work. All kinds of strange. Checked the NAT policy, as traffic was not going out to the Internet, and sure enough, Port2 had been removed and Port3 added.

Seems like a bug to me. We've experienced this before but not consistently.  Is this an issue anyone else has faced?

XGS116 on 19.5.3.
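A practitioner-side check for exactly this failure, added here as an example and not taken from the original post or from Sophos: parse an XML configuration export, compare the outbound-interface list of the "Default SNAT IPv4" rule against the interfaces placed in the WAN zone, and diff the rule before and after an interface change. The element names (Interface/Name/Zone, NATRule/Name/OutboundInterfaces/Interface) are an assumed approximation of the SFOS export format and should be adjusted to match a real export; the sample documents are constructed to reproduce the Port2/Port3 situation described above.

```python
"""Verify that a Sophos Firewall SNAT rule still lists every WAN interface.

Added example, not code from the forum thread or from Sophos. Element and
attribute names are an ASSUMED approximation of an SFOS configuration export;
adapt them to the real export before relying on this.
"""
import xml.etree.ElementTree as ET

# Constructed sample: only Port2 is WAN and the default SNAT rule lists it.
BEFORE_EXPORT = """<Configuration>
  <Interface><Name>Port1</Name><Zone>LAN</Zone></Interface>
  <Interface><Name>Port2</Name><Zone>WAN</Zone></Interface>
  <NATRule>
    <Name>Default SNAT IPv4</Name>
    <OutboundInterfaces><Interface>Port2</Interface></OutboundInterfaces>
  </NATRule>
</Configuration>"""

# Constructed sample after adding Port3 as a second WAN interface: Port2 has
# silently dropped out of the default rule, which is the failure in the post.
# A manually created catch-all rule with "Any" is included for comparison.
AFTER_EXPORT = """<Configuration>
  <Interface><Name>Port1</Name><Zone>LAN</Zone></Interface>
  <Interface><Name>Port2</Name><Zone>WAN</Zone></Interface>
  <Interface><Name>Port3</Name><Zone>WAN</Zone></Interface>
  <NATRule>
    <Name>Default SNAT IPv4</Name>
    <OutboundInterfaces><Interface>Port3</Interface></OutboundInterfaces>
  </NATRule>
  <NATRule>
    <Name>SNAT IPv4 manual</Name>
    <OutboundInterfaces><Interface>Any</Interface></OutboundInterfaces>
  </NATRule>
</Configuration>"""


def wan_interfaces(root):
    """Names of interfaces whose Zone is WAN (top-level Interface elements only)."""
    return {
        iface.findtext("Name").strip()
        for iface in root.findall("Interface")
        if iface.findtext("Zone") == "WAN"
    }


def outbound_interfaces(root, rule_name):
    """Outbound interface names listed on the NAT rule called rule_name."""
    for rule in root.findall("NATRule"):
        if rule.findtext("Name") == rule_name:
            return {
                iface.text.strip()
                for iface in rule.findall("OutboundInterfaces/Interface")
            }
    raise KeyError(f"NAT rule {rule_name!r} not found in export")


def missing_wan_interfaces(xml_text, rule_name="Default SNAT IPv4"):
    """WAN interfaces the rule no longer covers. Empty set means the rule is complete.

    A rule whose outbound list is "Any" covers every interface by definition.
    """
    root = ET.fromstring(xml_text)
    outbound = outbound_interfaces(root, rule_name)
    if "Any" in outbound:
        return set()
    return wan_interfaces(root) - outbound


def diff_rule(before_xml, after_xml, rule_name="Default SNAT IPv4"):
    """Which outbound interfaces were removed from / added to the rule by a change."""
    before = outbound_interfaces(ET.fromstring(before_xml), rule_name)
    after = outbound_interfaces(ET.fromstring(after_xml), rule_name)
    return {"removed": sorted(before - after), "added": sorted(after - before)}


if __name__ == "__main__":
    print("Default rule before change, missing WAN:", missing_wan_interfaces(BEFORE_EXPORT))
    print("Default rule after change, missing WAN: ", missing_wan_interfaces(AFTER_EXPORT))
    print("Manual 'Any' rule, missing WAN:         ",
          missing_wan_interfaces(AFTER_EXPORT, "SNAT IPv4 manual"))
    print("Change to default rule:", diff_rule(BEFORE_EXPORT, AFTER_EXPORT))
```

Run it against an export taken immediately before and after each interface edit; a non-empty `missing_wan_interfaces` result, or any entry under `removed` in the diff, is the moment to re-add the interface (and to grab the logs a support case will ask for) rather than waiting for DNS to fail.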



  • I saw this same issue too, but in my case, the simple act of clicking the update interface button would remove all other WAN interfaces and leave only the updated one in the default SNAT rule. And I have to manually readd them.

  • We have experienced this issue as well.  But it's not a reproducible issue so we just work past it. You never know which firewall it will happen with so how do you ever engage support? The basic support folks will just add the interface back to the NAT policy and say it's fixed without ever digging down to the root cause.

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • If this happens, could we collect the logs of the firewall? Get applog.log and csc.log and tell us the time you changed it.

  • The final fix for me was to disable/remove the "Default SNAT IPv4" rule, which has the description "Updated automatically with WAN interface changes." (which sounds like a promise to break things and ruin your day), and create an identical NAT rule (I have it at the bottom of my NAT rules list) with the Outbound interface set to "Any". This time, updating interfaces won't change the Outbound interface in the manually created rule.

  • Setting Outbound interfaces to Any will cause problems for VPN traffic in my experience. Unless you set up a NAT rule above the final SNAT policy for that VPN traffic.

  • Funny thing is, it's the opposite in my environment because setting the interfaces to only the WAN interfaces by hand would cause VPN issues as it won't translate requests for the hidden tun0 interface and only setting it to Any would make VPN usable.

  • Out of curiosity, what would the NAT rule you suggest for VPN traffic include in its settings?

  • Simply create a linked NAT policy from the applicable firewall rule.