The issue is possibly observed when there are multiple uplink interfaces which belong to the group "Uplink Primary Addresses" and this group is used as the original destination in a NAT rule. Once UTM has been rebooted/upgraded, the affected NAT rules might stop working.
For more information, please refer to the below article:
I'm glad to see that explicitly acknowledged by Sophos - thanks!
Please have the author of that KB article edit it to make the firewall log line more meaningful. The srcip and dstip should be obfuscated like 85.x.y.21, 192.168.x.41, 172.2x.y.11 and 10.x.y.31. I would expect this to be a default drop out of the INPUT chain, so we should see fwrule="60001" instead of "123" which indicates a manually-created firewall rule.
Also, the article says that this information also appears related to XG - I doubt that.
Cheers - Bob