
Upgrade to UTM 9.601-5 firmware doesn't start FW NAT rules on boot

Hi,

I got information from my UTM that a new firmware 9.601-5 was available. I installed it and after the reboot I discovered that all my NAT rules were not activated! I had to go to each one and disable/enable it to get back the working setup :(

I did it with some of them and then rebooted the UTM: again the rules were not applied. Disable/enable them and everything is OK.

For some rules I didn't apply the "automatic firewall rules" in the GUI but had created the FW rules myself: those NAT rules were activated. But for NAT rules forwarding ports to other physical hosts, but *not the host itself and the VMs running on it where the UTM lies*, it doesn't matter which setup (manual or automatic), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

No need to say that prior firmware versions didn't have this problem.

Does anyone face the same problem and can confirm?

Daniel



This thread was automatically locked due to age.
  • Daniel Huhardeaux said:

    [...] But for NAT rules forwarding ports to other physical hosts, but *not the host itself and the VMs running on it where the UTM lies*, it doesn't matter which setup (manual or automatic), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

    This point is solved, I made a mistake in my FW rules for those destinations, sorry for the noise.

    Daniel

     

  • Hello Daniel,

    I have the same problem and it's pretty annoying. Did you have any feedback about this?

    Regards,

    DeltaSM

  • Yeah, I've seen this too on the two installs I updated to 9.602-3 for testing its stability. It's too wide to be something isolated. I think we hit a bug there.

  • Thank you for the feedback, guys :)

    It seems obvious that there is a problem now.

  • : I see you often answer in all the topics of this forum? Do you work at Sophos? Can you tell us if a case is actually open for this issue?

    Does anyone have any status of this?

    Regards,

    DeltaSM

  • Daniel said above that his partner opened a case in France.  I'm sure there must be a NUTM for this.

    No, I'm not a Sophos employee, but thanks for asking!  We justify my participation here as marketing.  It's rewarded me with Sophos customers all across North America and additionally with consulting clients on three other continents - including other Sophos resellers.  I worked in IT in Germany in German (1 year) and in France in French (5+ years), so I especially enjoy those interactions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,


    Wow, nice :) I would like to thank you because you often helped me once I opened a case! Thank you for your contribution!

    : any news from Sophos? Is the support case making progress?

    Regards,

    DeltaSM

  • Has anyone heard back regarding this issue?  I just rolled out 9.603-1 and pretty much every one of the firewalls I managed came up with NAT rules not working.  I have to manually turn every rule off and back on... Frustrating and time consuming.

  • If anyone else has this problem, please try restoring the config backup made before the Up2Date/s was/were applied.  If that doesn't resolve the issue, try a reboot.  Please let us know your results.

    Cheers - Bob

  • Bob, a config restore was one of the first things I tried.  The NAT rules will work until a reboot, at which time I can see the traffic coming in but firewall logs show it blocked by the Default Drop.  When I toggle the rules off and back on they work again.

  • This may sound totally strange, but if you see the problem after a reboot again, try pinging the IP addresses to which the corresponding NAT rules are bound, and if these are not answering (which I am expecting), try disabling and after 2-3 seconds re-enabling the additional IP addresses and check if they are answering. Then, check if the NAT rules are answering (which I expect). Then, reboot again to check if everything now comes up good.

  • Hi Joerg,

    The problem is not, at least on my side, with additional IP addresses. All FW rules like xNAT aren't applied.

    I still have no feedback from the case opened in France by my partner; I opened a new one from the website, id#8892593.

    Daniel
