
masquerading rules only working after reboot

Hello,

 

I have a problem with firewall rules that have masquerading configured. It's not working until I reboot the device. If I then disable masquerading, it keeps working until I reboot the device again, and so on. That applies even to the WAN masquerading. I've tested this with two devices, an XG106 (SFOS 17.5.5 MR-5) and an XG125 (SFOS 17.5.4 MR-4-1).

 

I verified this with wireshark too.



  • Are those appliances managed by a Sophos Firewall manager?

    Or did you import those Firewall Rules via API? 

  • No, they are managed standalone. I've created the rules just with the web interface, no import.

  • Can you show us the Firewall Rule? 

    But I've never heard of such an issue in a standalone setup.

    You can reproduce this with another appliance? 

  • I have never tested this out a bunch, but I know when I was first setting up an XG firewall I made some business application rules for DNAT to allow specific IPs through on SFTP and an open rule to allow anyone in to FTP. Once the rules were done I began testing and it was weird: I could connect, but it would take more than a minute to go through, and other times it would not connect. After about an hour of troubleshooting I just thought, restart. I do not know what did it, but suddenly everything worked like a charm. Did multiple restarts after that, tried turning the rules off and on, but never saw the same results.

  • I've tested this a bit further with the XG125 and the masquerading for our WAN:

    1. Opened cmd with ping 8.8.8.8 -t on Server A -> works -> OK
    2. Disabled masquerading on WAN rule, while ping on Server A is still running
    3. Ping from Server A to 8.8.8.8 still works -> NOT OK
    4. Opened 2nd cmd with ping 8.8.4.4 -t on Server A -> doesn't work -> OK

    At this point I have two cmds with running pings on Server A. The one that was started before I disabled masquerading still works (8.8.8.8), while the one that I started after I disabled masquerading doesn't work (8.8.4.4).

    5. Opened cmd with ping 8.8.8.8 -t on Server B -> doesn't work -> OK

    At this point Server A is still getting answers from 8.8.8.8, while server B is not!

    6. Enabled masquerading on WAN rule
    7. Server A still pinging 8.8.8.8 -> still works -> OK again i guess
    8. Server A still pinging 8.8.4.4 -> doesn't work -> NOT OK
    9. Server B still pinging 8.8.8.8 -> doesn't work -> NOT OK

    The firewall somehow remembers what specific traffic had masquerading applied and just keeps going, no matter what I configure.

  • I would say Point 3 is OK.

    The reason is, XG uses conntrack to keep connection tracking.

    If you have an open stream (say an ICMP stream from A to B), XG writes a conntrack entry for this connection.

    If you reload / change a specific rule, XG will not kill all connections; instead it will prevent all new connections.

    Actually, this is "normal". You would be able to kill all those connections if you want to, but most likely these connections will end after a couple of seconds / minutes and cannot be reopened.

    So basically, depending on the post above, the other points 7/8/9 are also affected by this.
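    A small Python model (added here; not Sophos code and not from this thread) that replays steps 1-9 of the post above under the conntrack behaviour described: the NAT decision is taken on a flow's first packet and stored in its conntrack entry, so later packets are decided by the entry, not by the current rule. The host names and the WAN address are constructed.

```python
# Added illustration: a minimal model of how a stateful firewall decides NAT once
# per flow and then reuses that decision from its conntrack entry. Not Sophos code.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, str]  # (protocol, source host, destination host)


@dataclass
class StatefulFirewall:
    masquerade: bool = True                      # the WAN rule's masquerading toggle
    wan_ip: str = "203.0.113.1"                  # constructed public address
    conntrack: Dict[Flow, Optional[str]] = field(default_factory=dict)

    def packet(self, proto: str, src: str, dst: str) -> bool:
        """Forward one packet of a flow; return True if a reply can come back.

        The NAT binding is chosen only when the flow is NEW (first packet) and is
        then stored in the conntrack entry; later packets never re-read the rule.
        """
        key = (proto, src, dst)
        if key not in self.conntrack:
            self.conntrack[key] = self.wan_ip if self.masquerade else None
        # Without a source-NAT binding the private source is unroutable on the WAN.
        return self.conntrack[key] is not None

    def flush_conntrack(self) -> None:
        """What a reboot (or an explicit conntrack flush) does: forget all flows."""
        self.conntrack.clear()


def reproduce_thread_steps() -> Dict[int, bool]:
    """Replay steps 1-9 from the post above; True means the ping gets answers."""
    fw = StatefulFirewall()
    r: Dict[int, bool] = {}
    r[1] = fw.packet("icmp", "ServerA", "8.8.8.8")   # masquerading on
    fw.masquerade = False                             # step 2
    r[3] = fw.packet("icmp", "ServerA", "8.8.8.8")   # existing flow keeps its NAT
    r[4] = fw.packet("icmp", "ServerA", "8.8.4.4")   # new flow, no NAT
    r[5] = fw.packet("icmp", "ServerB", "8.8.8.8")   # new flow, no NAT
    fw.masquerade = True                              # step 6
    r[7] = fw.packet("icmp", "ServerA", "8.8.8.8")
    r[8] = fw.packet("icmp", "ServerA", "8.8.4.4")   # entry created without NAT persists
    r[9] = fw.packet("icmp", "ServerB", "8.8.8.8")
    fw.flush_conntrack()                              # reboot: entries gone
    r[10] = fw.packet("icmp", "ServerA", "8.8.4.4")  # re-evaluated, NAT applied again
    return r
```

    The entries for the flows started while masquerading was off (8.8.4.4 from A, 8.8.8.8 from B) are the ones that keep failing after step 6, which matches points 8 and 9; they only recover once they expire or the conntrack table is cleared.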
