Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 26 subscribers
  • Views 3619 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

17.1.1 MR-1 Broke all of my inbound rules

Dave Wisel

Upgraded from 17.0.8 MR-8 to 17.1.1 MR-1 this morning and ALL of my inbound Business Application Rules stopped working. Opened a ticket and after some troubleshooting found that all traffic was being denied by the implicit deny rule as if all of the other rules didn't exist. Editing each of the rules and re-saving them resolved the issue for now.

The support engineer explained that I had all of my DNAT rules setup incorrectly. Instead of creating an object for the Public IP and using that as the destination object for the DNAT rule, he stated that I should have created an alias on my WAN interface for each IP that I am NATing and use the alias object as the destination in the DNAT rule.

Could this possibly be correct? My thought was if Sophos wanted it setup that way then a) it would be documented somewhere and b) they shouldn't allow you to create an IP object and use it as a destination for a DNAT rule.

What are others opinion/experience on this?

 

Thanks!



This thread was automatically locked due to age.
Parents
  • 0

    I have faced the same issue while upgrading from 16.5 mr8 to 17.0 GA version.I had to save the each wan to lan policy once again.I didn't escalate this to support since it was quite weird lol.

    We don't use alias ip for destination address in Dnat. It should work with public ip. We use alias ip only for outbound address. Support engineer is wrong.

  • 0 in reply to Support Chn

    I didn't think his explanation held water. It does concern me, though, that this upgrade caused me so many issues. Just be warned if you do this upgrade, make sure you schedule an outage.

Reply Children
No Data