
Upgrade to UTM 9.601-5 firmware doesn't start FW NAT rules on boot

Hi,

I got a notification from my UTM that a new firmware, 9.601-5, was available. I installed it and after the reboot I discovered that none of my NAT rules were activated! I had to go to each one and disable/enable it to get back to the working setup :(

I did it with some of them and then rebooted the UTM: again the rules were not applied. Disable/enable them and everything is OK.

For some rules I didn't apply the "automatic firewall rules" in the GUI but had created the FW rules myself: those NAT rules were activated. But for NAT rules forwarding ports to other physical hosts (but *not the host itself and the VMs running on it, where the UTM lies*), no matter which setup (manual or automatic), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

No need to say that prior firmware versions didn't have this problem.

Does anyone face the same problem and confirm?

Daniel



  • HI Everyone

    So glad to see this issue confirmed here - I am NOT going mad after all. We've had some really big problems with this; causing us embarrassment and our clients' outages.

    I can confirm the same activity on a few dozen of my UTMs - I am not sure which UTM firmware version this started with but I've seen it for a month or two at least. After a UTM reboot I need to DISable / ENable the NAT rules to get inbound NAT traffic started again. Not always ALL NAT rules it seems, it can be just one rule out of dozens - I am now so scared to update firmware or reboot that it's silly, as I need to try every NAT rule after a reboot and I have so many UTMs to do this on.

    Last post on this thread was Jun 7th - any updates from anyone yet?

    Thanks

    Grant AU

  • Hi Grant - welcome to the UTM Community!

    You might want to use the trick I outlined in April when this phenomenon first appeared.  If the issue only occurs at reboot, use "@reboot" instead of "0 4 * * *" in the cron jobs.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I've also been having this issue for a while (I think it started with 9.601, might be earlier, but I'm not sure), assuming it would be fixed in a subsequent update.

    We're now several updates further, and so far 9.605-1 did *not* fix it for me either.

    It's starting to seem kind of silly that after every reboot I have to disable and enable one of my DNAT rules before they all start working...

  • Hoi M1tch and welcome to the UTM Community!

    Have you tried the trick I suggested earlier in this thread to add a cron job @reboot that disables/enables a DNAT rule?

    Cheers - Bob

  • I have now, it does seem to work!

    This bug might confuse a lot of people, and actually break things meanwhile. It seems silly something like this can drag on for a couple of updates...

  • Checking in to confirm that the problem still exists for me as well in 9.605-1

  • I guess the cron job is just a workaround for now? I mean, this is not an official solution? I would like to avoid doing such things on my appliance.

    Did you apply BAlfson's solution before updating to the last firmware? Or was the problem solved by just updating the firmware?

    I will try the new firmware in 10 days and will give you my feedback once it's done.

  • DeltaSM said:


    Did you apply BAlfson's solution before updating to the last firmware? Or was the problem solved by just updating the firmware?

    I didn't apply BAlfson's solution, I just upgraded and it's gone. I will upgrade another UTM this weekend and see if the problem disappears there too.

    Daniel

  • I don't know if this is in any Sophos KB article or post by a Sophos employee.  I came up with this workaround on my own.

    I note that this issue isn't listed under Bugfixes in the information about 9.605.

    Cheers - Bob

  • Daniel Huhardeaux said:

    I didn't apply BAlfson's solution, I just upgraded and it's gone. I will upgrade another UTM this weekend and see if the problem disappears there too.

    On another system the problem still exists.

  • Daniel Huhardeaux said:

    Just installed 9.605-1 and the problem disappears.

    I restarted the UTM to check if the problem is effectively gone: it is not :( I again had to deactivate/activate each rule ...

  • Same here, the issue still persists after the latest update. Does Sophos even care about fixing this crap issue?

  • Hi all,

    This morning I got an answer from Sophos France support: working on our logs they found the problem, which should be resolved with version 9.7, expected sometime in October. (!)

    Daniel

  • Daniel Huhardeaux said:
    This morning I got an answer from Sophos France support: working on our logs they found the problem, which should be resolved with version 9.7, expected sometime in October.

    9.7 seems to be pre-release; I can't find an English readme or bugfix list.

    Has anyone with access to 9.7 got confirmation on whether this is fixed yet? I have dozens of UTMs ready for updates but I am unwilling to update them if I then need to log in to each one manually and STOP/START NAT rules!

  • Thanks for the feedback.

    I guess I will have to do it manually for a while again...

    Regards,

    DeltaSM

  • If you don't want to wait until a solution is published, you can create the FW rules yourself and disable the "automatic create fw rules" switch.

    Daniel

  • Daniel - thanks for that info - I wasn't aware you could do that - I may need to do that for some of the clients who seem to need to reboot their UTM often (usually to get 4G USB dongles to "reconnect") - but doing this on all my client devices will take hours and is just not possible. Sophos should fix this.

    Grant

  • Salut Daniel,

    Are you saying that the issue is the automatic firewall rule?  Do you see a default drop in the Firewall log (the KB article is misleading for the reasons I mention in the ?  If you look at the automatic rule on the 'Firewall' 'Rules' tab, does everything seem to be correct?  At the command line, is the 'status' of the rule 1?

    Cheers - Bob

  • Hello Bob,

    Yes, on automatic FW rules, and yes, everything is OK in the 'Rules' tab (remember, it was working before I opened this thread in connection with the 9.601-5 upgrade).

    This weekend I upgraded a software UTM to 9.7-5 and the problem disappears. The only thing is that after startup it takes a few minutes before the rules are applied. I will check on the others I have not yet upgraded to confirm this.

    Daniel

  • Daniel Huhardeaux said:
    This weekend I upgraded a software UTM to 9.7-5 and the problem disappears. The only thing is that after startup it takes a few minutes before the rules are applied. I will check on the others I have not yet upgraded to confirm this.

    I understand what happens: the problem is NOT solved and there is no delay. To get it to work you only need to disable/re-enable one rule and automagically all the others are applied! It doesn't matter which one you treat.

    Daniel

  • Hello Daniel,

    I've just updated my Sophos routers with firmware 9.700-5 and the problem is not solved.

    My worry is about NAT and FW rules that do not impact users' behaviour directly, where users usually come to me to point out a malfunction. I mean ports like Pyzor, Razor, Spamassassin, ... that may be inactive and do not block the use of services but, in this example, leave my mail server out of date.

    I have so many rules and routers that I would have to disable/enable each of them to be sure none remain enabled but inactive.

    Saïd
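
An added example, not code from this thread, from Bob, or from Sophos, that turns two points raised above into one boot-time script: Bob's "@reboot" cron trick of disabling/re-enabling a NAT rule, and Saïd's worry about rules that remain enabled in WebAdmin but never reach the kernel. Instead of toggling blindly, the script reads the nat table with `iptables -t nat -S`, checks that every expected DNAT target is present, and only if one is missing disables and re-enables a single NAT rule (Daniel observed that toggling any one rule re-applies all of them), then re-checks. Assumptions: `cc change_object <REF> status 0|1` is accepted by the confd `cc` client on the UTM shell (syntax assumed, not confirmed by the thread); `REF_PacNatExample`, the `10.0.0.x` targets and the `/root/reapply-dnat.sh` path are placeholders you replace with your own.

```shell
#!/bin/sh
# reapply-dnat.sh - added example, not part of the thread or of Sophos UTM.
# Re-applies the NAT rule set at boot only when the kernel is missing a
# DNAT rule that WebAdmin shows as enabled.  Suggested crontab line:
#
#   @reboot  /root/reapply-dnat.sh REF_PacNatExample 10.0.0.5:443 10.0.0.6:25
#
# REF_PacNatExample and the targets are placeholders (assumption).

# dnat_applied TARGET -> returns 0 if a DNAT rule to TARGET is in the nat table
dnat_applied() {
    # '--' stops grep from treating the pattern itself as an option.
    iptables -t nat -S 2>/dev/null | grep -q -- "--to-destination $1\$"
}

# missing_targets TARGET... -> prints each target that has no DNAT rule
missing_targets() {
    for t in "$@"; do
        dnat_applied "$t" || echo "$t"
    done
}

# toggle_nat_rule REF -> disable, wait, re-enable one NAT rule through confd.
# 'cc change_object REF status 0/1' is assumed confd-client syntax.
toggle_nat_rule() {
    delay="${NAT_TOGGLE_DELAY:-5}"        # seconds for confd to commit
    cc change_object "$1" status 0 || return 1
    sleep "$delay"
    cc change_object "$1" status 1 || return 1
}

# reapply_if_missing REF TARGET... -> 0 if every target is (or becomes)
# present in the nat table, 1 if the toggle did not fix it.
reapply_if_missing() {
    ref="$1"; shift
    missing=$(missing_targets "$@")
    if [ -z "$missing" ]; then
        logger -t reapply-dnat "all DNAT rules present, nothing to do"
        return 0
    fi
    logger -t reapply-dnat "missing DNAT targets: $(echo "$missing" | tr '\n' ' ')"
    toggle_nat_rule "$ref" || return 1
    sleep "${NAT_TOGGLE_DELAY:-5}"
    missing=$(missing_targets "$@")
    [ -z "$missing" ]
}

# Run only when invoked with a rule REF and at least one target.
if [ $# -ge 2 ]; then
    reapply_if_missing "$@"
fi
```

Run it once by hand on the console with the same arguments before trusting it to cron, and compare its `logger` lines in the system log with the WebAdmin NAT tab. It checks only that the DNAT entries exist in the kernel, so it cannot tell you whether the matching firewall rule (automatic or manual) also lets the traffic through; a default drop in the Firewall log still has to be checked separately.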