
Upgrade to UTM 9.601-5 firmware doesn't start FW NAT rules on boot

Hi,

I got information from my UTM that a new firmware 9.601-5 was available. I installed it and after reboot I discovered that all my NAT rules were not activated! I had to go on each one and disable/enable them to get back the working setup :(

I did it with some of them and then rebooted the UTM: again the rules were not applied. Disable/enable them and everything is OK.

For some rules I didn't apply the "automatic firewall rules" in the GUI but had created the FW rules myself: those NAT rules were activated. But for NAT rules forwarding ports to other physical hosts, but *not the host itself and the VMs running on it where the UTM lies*, no matter which setup (manual or automatic), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

No need to say that prior firmware versions didn't have this problem.

Does anyone face the same problem and confirm?

Daniel



  • Daniel Huhardeaux said:

    [...] But for NAT rules forwarding ports to other physical hosts, but *not the host itself and the VMs running on it where the UTM lies*, no matter which setup (manual or automatic), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

    This point is solved, I made a mistake in my FW rules for those destinations, sorry for the noise.

    Daniel

     

    • Hello Daniel,

      I have the same problem and it's pretty annoying. Did you have any feedback about this?

      Regards,

      DeltaSM

      • It's rare, but sometimes the Up2Date process "breaks" something in the configuration databases.  I've only experienced this twice in my client base in well over a decade.

        The first thing to try is to restore the backup made prior to the last application of Up2Dates.  That worked immediately in one case.  In the other, two extra reboots solved the problem.  The reboots may have been all that was necessary, but restoring a configuration backup is virtually instantaneous and not disruptive.

        Did that fix your issue?

        Cheers - Bob

         
        Sophos UTM Community Moderator
        Sophos Certified Architect - UTM
        Sophos Certified Engineer - XG
        Gold Solution Partner since 2005
        MediaSoft, Inc. USA
        • A case is open at Sophos France, I have no reply from them.

          Daniel

          • Hi Bob,

            On the UTM where I face this problem (I stopped upgrading the others until the problem is solved) I modified the setup by creating the FW rules myself and disabling the automatic rule creation from the NAT tab.

            Daniel

            • Problem is I can't restart easily as this UTM is in production environment.

              I also sent a support case. I will send you information once I've got news from Sophos.

              • Hello Daniel,

                Did you have any feedback about this issue?

                I just upgraded to the latest firmware (9.602-3) and the issue is still present.

                Maybe I can try to load an old config but I would prefer not to do this... Maybe deleting and recreating could fix this issue?

                • Hello DeltaSM,

                  No news from support :( and I confirm that the problem still exists with 9.602-3. Will contact them again.

                  Daniel

                  • Hello Daniel,

                    It seems that we're in the same situation. Can you keep me in touch if you have any news?

                    Are you French? We come from Belgium and could give you our email address in private to exchange some information if needed.

                    This problem is very annoying, Sophos!

                    Regards,

                    DeltaSM

                    • Yes, according to the IP addresses from which you're posting, French is the native tongue for both of you.

                      Guys, you can make a new backup, then try restoring the backup as I suggested above to see if that fixes the issue.  You can then restore the new backup and evaluate how difficult it would be to go to the older backup and redo any changes made since then.

                      Cheers - Bob

                       
                      Sophos UTM Community Moderator
                      Sophos Certified Architect - UTM
                      Sophos Certified Engineer - XG
                      Gold Solution Partner since 2005
                      MediaSoft, Inc. USA
                      • Hi Bob,

                        We could, but this problem appears on at least 3 UTMs including a physical one. On a fourth one I removed the automatic FW rules and created them manually. But hey, if the feature exists, it should work ;)

                        Also, my partner who opened the case in France faces the same problem with a few of their UTMs. I don't think it's a rare case ...

                        Daniel

                        • Yeah, I've seen this too on the two installs I updated to 9.602-3 for testing its stability. It's too widespread to be something isolated. I think we hit a bug there.

                      • Hi Everyone

                         

                        So glad to see this issue confirmed here - I am NOT going mad after all.  We've had some really big problems with this; causing us embarrassment and our clients' outages.

                        I can confirm the same activity on a few dozen of my UTMs - I am not sure what UTM firmware version this started with but I've seen it for a month or two at least. After a UTM reboot I need to DISable / ENable the NAT rules to get inbound NAT traffic started again. Not always ALL NAT rules it seems, can be just one rule out of dozens - I am now so scared to update firmware or reboot it's silly, as I need to try every NAT rule after a reboot and I have so many UTMs to do this on.

                         

                        Last post on this thread was Jun 7th - any updates from anyone yet?

                         

                        Thanks

                        Grant AU

                        • Hello,

                          Yes, I got in contact with Sophos support France and sent them -this week- logs and FW rules before and after a reboot. I'm waiting for their comments.

                           

                          Daniel

                          • Hi Grant - welcome to the UTM Community!

                            You might want to use the trick I outlined in April when this phenomenon first appeared.  If the issue only occurs at reboot, use "@reboot" instead of "0 4 * * *" in the cron jobs.

                            Cheers - Bob

                             
                            Sophos UTM Community Moderator
                            Sophos Certified Architect - UTM
                            Sophos Certified Engineer - XG
                            Gold Solution Partner since 2005
                            MediaSoft, Inc. USA
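Grant's point above, that after a reboot he has to try every NAT rule by hand, and Bob's suggestion of an `@reboot` cron job, both come down to the same need: an automated post-boot check that the DNAT rules the configuration says should exist really are loaded in the kernel. The script below is an added example, not Sophos code and not the cron job Bob describes (the page does not show how his job toggles a rule, so no toggle is reproduced here). It assumes the live rule set is read with `iptables -t nat -S` (standard iptables-save style lines) and that the expected rules are listed as `proto:dport:destination` triples; the sample rule dump and expected list are constructed, with one rule deliberately missing.

```shell
#!/bin/sh
# Post-reboot check: are the expected DNAT rules actually present in the
# kernel NAT table? Added example, not part of Sophos UTM.
#
# Expected DNAT rules (constructed), one per line: proto:dport:to-destination
EXPECTED_DNAT="tcp:443:10.0.0.10:443
tcp:25:10.0.0.20:25
udp:1194:10.0.0.30:1194"

# Constructed sample of `iptables -t nat -S` output. The tcp/25 rule is
# missing, mimicking the "one rule out of dozens" case from the thread.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.10:443
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 10.0.0.30:1194
-A POSTROUTING -o eth1 -j MASQUERADE'

# missing_dnat RULES EXPECTED
#   Prints every expected entry for which no matching DNAT rule exists in
#   RULES, one per line. Returns 1 if anything is missing, 0 otherwise.
missing_dnat() {
    rules="$1"
    expected="$2"
    rc=0
    for e in $expected; do                # entries contain no spaces, so word splitting is safe
        proto=${e%%:*}
        rest=${e#*:}
        dport=${rest%%:*}
        dest=${rest#*:}
        # Match "-p <proto> ... --dport <port> -j DNAT --to-destination <dest>"
        if ! printf '%s\n' "$rules" | \
             grep -q -- "-p $proto .*--dport $dport -j DNAT --to-destination $dest"; then
            printf '%s\n' "$e"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample.
# On a live box you would pass "$(iptables -t nat -S)" as the first argument
# and run this from cron, e.g. (constructed line):
#   @reboot /usr/local/bin/check-dnat.sh | logger -t dnatcheck
if missing_dnat "$SAMPLE_RULES" "$EXPECTED_DNAT"; then
    echo "all expected DNAT rules present"
else
    echo "DNAT rules listed above are missing; re-apply NAT rules before trusting this box"
fi
```

The check is read-only: it tells you which rules did not survive the reboot so you can re-enable them (by whatever means you already use) instead of testing each port by hand. Keeping the expected list in the script means a rule silently dropped by a future update shows up as a named entry rather than as a client outage.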
                            • Did this happen to get fixed in 9.603-1, or are users still seeing this behavior on that firmware?

                              • From experience I can say this is still happening.  Firewalls I manage on 9.603-1 are coming up with non-functional NAT FW rules.  This is occurring both during reboots and cold boots across different hardware platforms (SG105, SG135, SG210) as well as my personal home software installation.

                                • JasonG said:

                                  Did this happen to get fixed in 9.603-1, or are users still seeing this behavior on that firmware?

                                   

                                   

                                  That's still not fixed with this version.

                                   

                                  As told a few weeks ago, people from Sophos France are studying the case (I gave them access to 2 UTM software installs having the problem) but they still haven't found out where the problem lies.

                                   

                                  Daniel

                                  • Daniel Huhardeaux said:
                                     

                                    That's still not fixed with this version.

                                    As told a few weeks ago, people from Sophos France are studying the case (I gave them access to 2 UTM software installs having the problem) but they still haven't found out where the problem lies.

                                    Daniel

                                    Bummer, thanks for the confirmation Daniel and J_Money.

                                    • Still no update for this issue?

                                      I'm still on firmware 9.602-3 and will update my appliance soon to 9.604-2 but I doubt that it resolves the problem as far as I read.

                                      When will it be fixed?

                                      This is a really annoying bug...

                                      • Firmware version: 9.604-2

                                        Same issue affecting me, is there any update on this? Please let me know.

                                        Thank you

                                        • Hi,

                                          Just installed 9.605-1 and the problem disappears.

                                          Daniel

                                          • I've also been having this issue for a while (I think it started with 9.601, might be earlier, but I'm not sure), assuming it would be fixed in a subsequent update.

                                            We're now several updates further, and so far 9.605-1 did *not* fix it for me either.

                                            It's starting to seem kind of silly that after every reboot I have to disable and enable one of my DNAT rules before they all start working...

                                            • Hoi M1tch and welcome to the UTM Community!

                                              Have you tried the trick I suggested earlier in this thread to add a cron job @reboot that disables/enables a DNAT rule?

                                              Cheers - Bob

                                               
                                              Sophos UTM Community Moderator
                                              Sophos Certified Architect - UTM
                                              Sophos Certified Engineer - XG
                                              Gold Solution Partner since 2005
                                              MediaSoft, Inc. USA
                                              • I have now, it does seem to work!

                                                This bug might confuse a lot of people, and actually break things meanwhile. It seems silly something like this can drag on for a couple of updates...

                                            • Issue still present in release of 9.7

                                              As a reseller/partner I lodged a support request with Sophos AU that "This was supposed to be fixed in 9.7 - I have just updated some client devices to 9.700-5 and this issue is still present in these devices" -

                                               

                                              I heard back 6 days later :

                                               "Appreciate your patience we checked as mentioned in the KB the issue will be resolved in the UTM firmware version 9.7  which is already released. Would request you to please update the firmware version to 9.7 to resolve the issue"

                                               

                                              So, nothing done yet - and I am not sure why they think it's fixed,  when it clearly isn't.   

                                              Grant

                                              • Just an update :

                                                After being told by Sophos Support AU on 7-Nov that this was resolved in 9.700-5 and then confirming with them it wasn't actually fixed, I heard back from Support a few more weeks later on 5-Dec:

                                                 

                                                "

                                                I did some more research on this case and found it to be published already in the known issues list for the UTM with ID : NUTM-11201

                                                This issue should be fixed in the 9.701 MR1 which most probably gonna release in this month though no any exact date provided.

                                                Please refer below known issue list details 

                                                "

                                                So it seems 9.701 MR1 will contain the "real" fix

                                                 

                                                Is there any publicly accessible FTP site that has earliest access to UTM updates?   Can resellers join a beta program to access such?

                                                 

                                                GrantAU

                                              • This does appear to have been fixed in rev 9.701-6 rel 23-Jan-2020  (I believe this is the official issue number : NUTM-10963)

                                                I have not been offered this via Up2Date on my personal UTM as of this writing;   however I noticed a client's UTM received it today and their NAT came back after applying and rebooting. So I immediately downloaded it from the Sophos FTP and manually applied it - after the reboot all my NAT rules were working!!  No need to STOP/START one NAT rule to get them all working again - hoorah!  

                                                Now just waiting for all my other clients to be offered this via Up2Date so I can install it globally.

                                                 

                                                Only 9 or 10 months for Sophos fix - there must only be a few dozen folks using Sophos UTM with NAT using Auto Firewall Rules, and I was unlucky enough to be one of them :-0

                                                 

                                                Cheers all,

                                                GrantAU
