Traffic getting Source Natted for directly connected interfaces

As you do not see matched rules, it looks like your License is not valid. Check the License under Administration. This behavior is explained here: community.sophos.com/.../sophos-firewall-v18-impact-of-expired-license

thanks, this one has active Base/Network/Web  license valid till 2024 

Is this generated Traffic by the appliance? 

There is a console switch to NAT: support.sophos.com/.../KB-000035607

yes traffic generated by appliance,

thanks for the link and ran command, unfortunately behaviour remains the same 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
10:37:58.554522 PortB2, OUT: IP 220.***.99.120 > 10.238.238.2: ICMP echo request, id 52593, seq 0, length 64

NAT policy for system originated traffic
---------------------
Destination Network Destination Netmask Interface SNAT IP

10.238.238.2 255.255.255.255 10.238.238.1

Could you give us the ifconfig output of Port2? 

PortB2 Link encap:Ethernet HWaddr 00:1A:8C:6B:21:39
inet addr:10.238.238.1 Bcast:10.238.238.3 Mask:255.255.255.252
inet6 addr: fe80::21a:8cff:fe6b:2139/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:2985 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:480 (480.0 B) TX bytes:292430 (285.5 KiB)

Did you use the normal Ping command on CLI or Ping via Webadmin? Because this behavior is odd to me. Are both (Webadmin and ping on CLI) behave the same? 

Yes both(Webadmin and ping on CLI) behave the same.

Noticed that customer had to replace the firewall last month and we are noticing this behaviour post RMA. 

Device they had earlier with same config didnt have this issue.

Just to be sure. Those pings are generated on the Primary or the Aux Appliance? 

Does both appliance behave the same? 

And the HA is currently not setup, correct? 

Issue is with pings generated on Primary 

pings generated from Aux to primary works fine. and I guess HA cannot be established due to this issue 

Hi Manu_Mathew  : Can you please confirm the status on primary for the SD-WAN policy route for system-generated traffic?

console> show routing sd-wan-policy-route system-generate-traffic

Also, what is the current route precedence that has been set on XG?

console> sy route_precedence show
Routing Precedence:
1. Static routes
2. VPN routes
3. SD-WAN policy routes
console>

If SD-WAN has been set first then can you try by changing it to static VPN SD-WAN and confirm the status.

console> sy route_precedence set static vpn sdwan_policyroute

Note: Your issue is on the NAT side but just wanted to see if anything on SD-WAN side not creating any such problem. As from conntrack not found any indication on the same.

Hi Manu_Mathew  : Can you please confirm the status on primary for the SD-WAN policy route for system-generated traffic?

console> show routing sd-wan-policy-route system-generate-traffic

Also, what is the current route precedence that has been set on XG?

console> sy route_precedence show
Routing Precedence:
1. Static routes
2. VPN routes
3. SD-WAN policy routes
console>

If SD-WAN has been set first then can you try by changing it to static VPN SD-WAN and confirm the status.

console> sy route_precedence set static vpn sdwan_policyroute

Note: Your issue is on the NAT side but just wanted to see if anything on SD-WAN side not creating any such problem. As from conntrack not found any indication on the same.

thanks. 

console> show routing sd-wan-policy-route system-generate-traffic

SD-WAN policy route is turned off for system-generated traffic.

I will try changing the route precedence. 

changed route precedence as below, however issue remains same. 

console> sy route_precedence show

Routing Precedence:
1. Static routes
2. VPN routes
3. SD-WAN policy routes