This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG Failsafe after flash with 18.0.5 MR-5-Build586 and implement an Sophos XG Config from an Sophos SG appliance

Hello,

Since we wanted to completely redo a firewall, we installed the XG OS on a Sophos SG 125 Rev. 1 and created the configuration there. When we were done, we flashed our Sophos XG 125 Rev. 3 with the latest firmware 18.0.5 MR-5-Build586 and applied the configuration there.

The default SNAT rule didn't work, so we created a new one with exactly the same settings and also a S2S VPN to Azure could be connected, but only after hours of traffic.

The firewall itself starts in failsafe mode with the reason "unable to apply nat rules".

Can the problem come from the different name of the interfaces ? At SG they are internally called ETH0 etc. and at XG Port1 etc.

This thread was automatically locked due to age.

0 LuCar Toni over 4 years ago

Actually this case should be covered by backup/restore. Maybe there is something odd in your backup, but i cannot recall any open issue. You should get a support case and provide the affected backup file to investigate this further.
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Randolf over 4 years ago in reply to LuCar Toni

I think its a bug by migrate from an SG with XG OS to an XG with XG OS
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to Randy Randolf

This is a usual use case and is done plenty of times per day. So there is no known issue in the current version. (Customers basically moving from SG hardware base to XGS or XG).

And this is tested and works fine. There seems to be something broken within your config.
Cancel
Vote Up 0 Vote Down

Cancel
0 kerobra over 4 years ago in reply to LuCar Toni

But a "converted" SG will name the ports "PortE0", "PortE1", ... where an original XG names it "Port1", "Port2"...
That did never made any sense to me since the underlying hardware was at least at some time the same.
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Randolf over 4 years ago in reply to kerobra

Yes, and if necessary I see the problems here that there is a transfer of a configuration from a SG as XG to a "real" XG.

It was also strange that the default SNAT rule did not work, which is also based on interfaces and another SNAT rule with exactly the same settings but worked.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to Randy Randolf

Just to be sure: You have a base license in place on the new appliance?
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Randolf over 4 years ago in reply to LuCar Toni

We got a Full Guard License on the XG.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 4 years ago in reply to Randy Randolf

Is it actually there? Can you check?
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Randolf over 4 years ago in reply to LuCar Toni

The license sync is functional and active.
Cancel
Vote Up 0 Vote Down

Cancel
0 Randy Randolf over 4 years ago in reply to LuCar Toni

Any idea ?
Cancel
Vote Up 0 Vote Down

Cancel