Wildcard FQDN Stopped Working After Upgrade

Question

Hello, 
 Over the holiday weekend we upgraded our XG330's from 19.5.4 to 20.0.2 MR-2-Build378. After the upgrade none of our wildcard FQDN rules are resolving/working. They worked perfectly fine prior. This is causing quite a bit of issues for user authentication as several services utilize Azure IDP and they are no longer syncing. I cannot create individual FQDN items for every hostname as they appear to be dynamically created (literally have thousands of different ones in the logs for the provisioning attempts). The firewall DNS is our internal DCs (required or other aspects of the firewall fail/break going between zones). What is the best way to troubleshoot this? The lack of FQDN wildcards has become quite annoying in this day/age. 
 
 Thank you, 
 James

CV_Sophos · Accepted Answer

I believe I have found the issue. Under previous support recommendations I was advised that each rule should have its own dedicated/linked NAT configured. So, a large portion of our "dedicated" rules have a linked NAT configured. This appears to be working fine until there are two rules that apply to a wildcard FQDN as the destination that also contains the same host in both sources. For instance, in this case our ADSync server was a source for two rules (one for actual AD Sync - let's call it rule #1 - and another for Entra App Sync - let's call it rule #2) and both rules required a wildcard destination of *.msappproxy.net. After heavily monitoring the log files I was able to see that a request would be sent with rule #1, received, and then responded/translated to using rule #2 and vice versa. This was ultimately leading to the packets being dropped because they were not associated with a request/connection. Once I disabled rule #2 and gave the firewall 24 hours to, hopefully, clear all active sessions, the rules are working as they did with the prior firmware (19.5.4). Other similar situations have happened before when working with rules that have a linked NAT rule. To clarify, these are all LAN to WAN firewall rules. No other zone to zone type has a linked NAT. I'm not really sure why the prior firmware was behaving differently. Maybe it was more associated with the appliance restart that reset all the connections. Regardless, the issue is now resolved (ticket closed) and I will be cleaning up firewall rules and the linked NAT configurations. 
 
 Thank you, 
 James

Wildcard FQDN Stopped Working After Upgrade

Top Replies