
XG v19 WAN Link Manager: Error when updating Failover Rules

I often receive the following error when trying to update a failover rule for one of my gateways:

"Gateway failover rule could not be updated"

I can't find any consistency in how to re-create this. I'm not sure if the problem also existed in v18.x, but it does in v19.0.x. If it happens on a specific interface's gateway, it will always happen on that gateway unless I completely remove it and re-create it. (Done by assigning the Network Zone as "none" in the interface, saving, and then moving it back and adding back in the IP information and gateway name.) I haven't yet found another workaround.

We've seen this behavior in both v19.0.0 and v19.0.1, but I haven't looked at older versions. I've tried using both Chrome and Firefox. This issue will happen on a random WAN interface, with no consistency. We can have a single WAN, two WAN interfaces, or three WAN interfaces, and zero, one, two, or all three will exhibit the behavior. Firewall reboots do not help. This occurs if I try to edit an existing rule, and/or if I try to add a new rule. I can edit and save the "Gateway Detail" section just fine, but no changes save to the "Failover Rules" section due to the error. No related error messages are listed in the Admin, System, or SD-WAN sections of the Log Viewer in the web GUI.

Here's a screenshot of the issue. Note that it doesn't matter what I change the target IP address to, or if I use TCP + Port instead. The IP address was pre-filled to 128.0.0.1 in this instance, but sometimes it is instead pre-filled with another, despite my "template" (at the end of this post) trying to pre-fill it with 8.8.8.8 and 1.1.1.1.

We import a "template" into our firewalls when they are first programmed, in the System > Backup & Firmware > Import Export section. If this is somehow related, here's the relevant interface settings we import.

<Interface transactionid="">
  <IPv4Configuration>Enable</IPv4Configuration>
  <IPv6Configuration>Disable</IPv6Configuration>
  <Hardware>Port2</Hardware>
  <Name>Interface 2 Primary WAN</Name>
  <NetworkZone>WAN</NetworkZone>
  <IPv4Assignment>DHCP</IPv4Assignment>
  <IPv6Assignment/>
  <DHCPRapidCommit>Disable</DHCPRapidCommit>
  <InterfaceSpeed>Auto Negotiate</InterfaceSpeed>
  <MTU>1500</MTU>
  <MSS>
    <OverrideMSS>Disable</OverrideMSS>
    <MSSValue>1460</MSSValue>
  </MSS>
  <Status>Unplugged</Status>
  <MACAddress>Default</MACAddress>
  <GatewayName>Primary WAN Gateway</GatewayName>
  <GatewayIP/>
</Interface>
<GatewayConfiguration transactionid="">
  <GatewayFailoverTimeout>10</GatewayFailoverTimeout>
  <Gateway>
    <Name>Primary WAN Gateway</Name>
    <IPFamily>IPv4</IPFamily>
    <IPAddress/>
    <Type>Active</Type>
    <Weight>100</Weight>
    <FailOverRules>
      <Rule>
        <Protocol>PING</Protocol>
        <IPAddress>8.8.8.8</IPAddress>
        <Port>*</Port>
        <Condition>AND</Condition>
      </Rule>
      <Rule>
        <Protocol>PING</Protocol>
        <IPAddress>1.1.1.1</IPAddress>
        <Port>*</Port>
        <Condition>AND</Condition>
      </Rule>
    </FailOverRules>
  </Gateway>
</GatewayConfiguration>



  • Hi @Joshua Drost: Thank you for reaching out to the Sophos community team. As per information provided from your end - "We import a "template" into our firewalls when they are first programmed".

    Please help us with the below information:

    Exporting of this configuration was done from which firmware and from which firewall device model?

    If it was from XG to XG, was this "Export selective configuration" done by selecting "Include dependent entity" or without selecting "Include dependent entity"?

    Reference snapshot:


    I suspect the import action may not have covered the dependent entity OR was not performed properly, and due to that it has created a "database inconsistency" which is giving you such errors while saving or updating the database for the Gateway. If you have a backup of the previous firewall then ideally you should go with backup restore (as per the matrix) in place of export-import to avoid such issues or errors.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • To create the original template, we took a full export and manually edited the Entities.xml file inside the .tar. This is so that our template was more granular, instead of just replacing everything in the firewall, as would happen with a full backup restore.

    I believe I got to the root of the problem, though I don't know which setting specifically I had to add/modify, or which combination of settings:

    1. Originally, I was not passing any IPAddress value to my WAN interface as it was DHCP, but an export from a known-working firewall showed a blank value instead. ("<IPAddress/>")
    2. I was passing a blank GatewayIP value to my WAN interface, but a known-working export showed it added in an IP address of 128.0.0.1. I believe this is supposed to be 127.0.0.1 instead (localhost), as 128.0.0.1 is an internet-routable address located in the Netherlands. I don't know if DHCP-configured WAN interfaces require this value to be 128.0.0.1, or if they just require a non-null value, but I went ahead and used 128.0.0.1 anyways. The firewall updates the gateway IP on connection with DHCP anyways, but me passing a blank value may have somehow corrupted that somewhere.
    3. I removed my Status value (originally set to "Unplugged") from my WAN interface configuration. I assume this doesn't matter either way as it should update itself based on current connection state, but I can't confirm.
    4. I was passing a blank IPAddress value to my Gateway configuration, but a known-working export also showed this as 128.0.0.1, much like #2. I used the 128.0.0.1 value on my new export.

    Here's the relevant sections of our new template, for anyone who needs it. I have confirmed that after using my new template, I can edit WAN failover rules without error.

    <Interface transactionid="">
      <IPv4Configuration>Enable</IPv4Configuration>
      <IPv6Configuration>Disable</IPv6Configuration>
      <Hardware>Port2</Hardware>
      <Name>Interface 2 Primary WAN</Name>
      <NetworkZone>WAN</NetworkZone>
      <IPv4Assignment>DHCP</IPv4Assignment>
      <IPv6Assignment/>
      <DHCPRapidCommit>Disable</DHCPRapidCommit>
      <InterfaceSpeed>Auto Negotiate</InterfaceSpeed>
      <MTU>1500</MTU>
      <MSS>
        <OverrideMSS>Disable</OverrideMSS>
        <MSSValue>1460</MSSValue>
      </MSS>
      <IPAddress/>
      <MACAddress>Default</MACAddress>
      <GatewayName>Primary WAN Gateway</GatewayName>
      <GatewayIP>128.0.0.1</GatewayIP>
    </Interface>
    <GatewayConfiguration transactionid="">
      <GatewayFailoverTimeout>10</GatewayFailoverTimeout>
      <Gateway>
        <Name>Primary WAN Gateway</Name>
        <IPFamily>IPv4</IPFamily>
        <IPAddress>128.0.0.1</IPAddress>
        <Type>Active</Type>
        <Weight>100</Weight>
        <FailOverRules>
          <Rule>
            <Protocol>PING</Protocol>
            <IPAddress>8.8.8.8</IPAddress>
            <Port>*</Port>
            <Condition>AND</Condition>
          </Rule>
          <Rule>
            <Protocol>PING</Protocol>
            <IPAddress>1.1.1.1</IPAddress>
            <Port>*</Port>
            <Condition>AND</Condition>
          </Rule>
        </FailOverRules>
      </Gateway>
    </GatewayConfiguration>
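
A pre-import check for the four template edits listed in steps 1-4 above, as an added example that is not part of the original post or of any Sophos tooling. It assumes the fragments live under a `<Configuration>` root element in Entities.xml, and the function name `lint_template` and the sample template are constructed for illustration; it flags a DHCP WAN interface with no `<IPAddress/>` element, a blank `GatewayIP`, a hard-coded `Status`, and a referenced Gateway whose `IPAddress` is blank, so a template can be linted before it is imported rather than debugged through the GUI error afterwards.

```python
"""Lint an Entities.xml-style Sophos Firewall template for the WAN gateway
fields discussed in this thread, before importing it.

Added example, not from the original post or from Sophos. The <Configuration>
root element is an assumption; the checks mirror steps 1-4 of the thread."""
import xml.etree.ElementTree as ET

# Constructed sample: the poster's original (problematic) template, trimmed
# to the fields the checks look at and wrapped in the assumed root.
ORIGINAL_TEMPLATE = """<Configuration>
<Interface transactionid="">
  <Hardware>Port2</Hardware>
  <Name>Interface 2 Primary WAN</Name>
  <NetworkZone>WAN</NetworkZone>
  <IPv4Assignment>DHCP</IPv4Assignment>
  <Status>Unplugged</Status>
  <GatewayName>Primary WAN Gateway</GatewayName>
  <GatewayIP/>
</Interface>
<GatewayConfiguration transactionid="">
  <Gateway>
    <Name>Primary WAN Gateway</Name>
    <IPAddress/>
  </Gateway>
</GatewayConfiguration>
</Configuration>"""


def _text(el, tag):
    """Text of child <tag>: '' if present but empty, None if absent."""
    child = el.find(tag)
    if child is None:
        return None
    return (child.text or "").strip()


def lint_template(xml_text):
    """Return (interface name, problem) pairs for every DHCP WAN interface."""
    root = ET.fromstring(xml_text)
    findings = []
    # Map each Gateway name to its IPAddress text so interfaces can be cross-checked.
    gateway_ips = {_text(g, "Name"): _text(g, "IPAddress") for g in root.iter("Gateway")}
    for iface in root.iter("Interface"):
        name = _text(iface, "Name") or "<unnamed>"
        if _text(iface, "NetworkZone") != "WAN" or _text(iface, "IPv4Assignment") != "DHCP":
            continue
        if _text(iface, "IPAddress") is None:                      # step 1
            findings.append((name, "missing <IPAddress/> on DHCP WAN interface"))
        if not _text(iface, "GatewayIP"):                           # step 2
            findings.append((name, "blank GatewayIP"))
        if _text(iface, "Status") is not None:                      # step 3
            findings.append((name, "Status element present; let the firewall set it"))
        gw = _text(iface, "GatewayName")
        if gw not in gateway_ips:
            findings.append((name, f"GatewayName '{gw}' has no Gateway entry"))
        elif not gateway_ips[gw]:                                   # step 4
            findings.append((name, f"Gateway '{gw}' has blank IPAddress"))
    return findings
```

Run it over the real Entities.xml extracted from the export .tar; an empty result means none of the four conditions from the thread are present.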

  • Can you please let me know what should be edited in this config file? And how should it be imported again?

  • It's not a config file that just anyone can use. We created our own template by setting up a firewall, then doing an export (NOT a backup). Then we unzipped the .tar file, pruned the Entities.xml file inside it to include only what we need, re-zipped it into a .tar file, and imported that (NOT restored) into new firewalls.

    I had to change our values in the Entities.xml file, as described in steps 1-4.

    If you're not sure what to change, then you're probably best off not using a template for those sections. If you already used a template and you're having this issue, you're best off just deleting the interfaces entirely in the GUI and re-creating them.

  • Hello Joshua, Advait,

    I believe you might be facing an already reported issue (NC-100250), which is fixed in 19.5-GA, which is already released (and in 19.0-MR2, which is yet to be released).

    Would you please upgrade to 19.5-GA and share your feedback?

    Regards,

    Sanket Shah


    Senior Development Manager, Sophos Firewall

  • Hello Sanket,

    I'm already on SFOS 19.5.0 GA-Build197.
