Upgrade to UTM 9.601-5 firmware doesn't start FW NAT rules on boot

Hi,

I got information from my UTM that a new firmware, 9.601-5, was available. I installed it and after the reboot I discovered that all my NAT rules were not activated! I had to go to each one and disable/enable them to get back the working setup :(

I did it with some of them and then rebooted the UTM: again the rules were not applied. Disable/enable them and everything is OK.

For some rules I didn't apply the "automatic firewall rules" in the GUI but had created the FW rules myself: those NAT rules were activated. But for NAT rules forwarding ports to other physical hosts (*not the host itself and the VMs running on it where the UTM lies*), no matter which setup (manual or automatic), I have to activate "automatic FW rules" and disable/enable the rules to get them working.

No need to say that prior firmware versions didn't have this problem.

Does anyone face the same problem and confirm?

Daniel



  • Issue still present in release of 9.7

    As a reseller/partner I lodged a support request with Sophos AU that "This was supposed to be fixed in 9.7 - I have just updated some client devices to 9.700-5 and this issue is still present in these devices" -

     

    I heard back 6 days later :

     "Appreciate your patience we checked as mentioned in the KB the issue will be resolved in the UTM firmware version 9.7  which is already released. Would request you to please update the firmware version to 9.7 to resolve the issue"

     

    So, nothing done yet - and I am not sure why they think it's fixed, when it clearly isn't.

    Grant

  • Salut Daniel,

    Are you saying that the issue is the automatic firewall rule?  Do you see a default drop in the Firewall log (the KB article is misleading for the reasons I mention in the ?  If you look at the automatic rule on the 'Firewall' 'Rules' tab, does everything seem to be correct?  At the command line, is the 'status' of the rule 1?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    yes, on automatic FW rules, and yes, everything is OK in the 'Rules' tab (remember, it was working before I opened this thread, connected to the 9.601-5 upgrade).

    This weekend I upgraded a software UTM to 9.7-5 and the problem disappears. The only thing is that after startup it takes a few minutes before the rules are applied. I will check on the others I have not yet upgraded to confirm this.

    Daniel

  • Just an update :

    After being told by Sophos Support AU on 7-Nov that this was resolved in 9.700-5, and then confirming with them that it wasn't actually fixed, I heard back from Support a few more weeks later, on 5-Dec:

     

    "

    I did some more research on this case and found it to be published already in the known issues list for the UTM with ID : NUTM-11201

    This issue should be fixed in the 9.701 MR1 which most probably gonna release in this month though no any exact date provided.

    Please refer below known issue list details 

    "

    So it seems 9.701 MR1 will contain the "real" fix

     

    Is there any publicly accessible FTP site that has earliest access to UTM updates? Can resellers join a beta program to access such?

     

    GrantAU

  • Nothing special for us, Grant.  The availability for download prior to release will be announced here and in 'RELEASE NOTES & NEWS' at the top.  Tips & Tricks - How to Participate Efficiently Here might interest you.

    Cheers - Bob

     
  • Daniel Huhardeaux said:
    This WE I upgraded an software UTM to 9.7-5 and problem disappears. Only thing is that after startup, it takes few minutes before rules are applied. I will check on the others I have not yet upgraded to confirm this.

    I understand what happens: the problem is NOT solved and there is no delay. To get it to work you only need to disable/re-enable one rule and all the others are applied automagically! It doesn't matter which one you treat.

    Daniel

  • Hello Daniel,

     

    I've just updated my Sophos routers with firmware 9.700-5 and the problem is not solved.

    My worry is about NAT and FW rules that do not directly impact the behaviour of users, who usually come to me to point out a malfunction. I mean ports like Pyzor, Razor, Spamassassin, ... that may be inactive and do not block the use of services but, in this example, leave my mail server out of date.

    I have so many rules and routers that I should disable/enable each of them to be sure none remain enabled but inactive.

    Saïd

  • SAID NIAZI said:

    I have so many rules and routers that I should disable/enable each of them to be sure none remain enabled but inactive.

     

    As I pointed out in my previous message, there is no need to go over each rule: disabling/enabling just one of them and all is good.

     

    Daniel
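
The worry raised above, rules that the GUI shows as enabled but that are not actually loaded, can be checked directly against the kernel rather than by toggling rules by hand. The script below is an added example, not from the thread and not Sophos code: it assumes the firewall is Linux/iptables-based and that each expected port forward appears as a DNAT rule in the nat table. The rule list, the addresses and the dump it compares against are constructed sample data (the dump deliberately lacks the 443 forward); on a real box the dump comes from `iptables -t nat -S PREROUTING`.

```shell
#!/bin/sh
# Added example, not from the thread and not Sophos code. Assumes the firewall
# is Linux/iptables-based and that every port forward you expect appears as a
# DNAT rule in the nat table. Run it after a reboot to catch rules the GUI
# shows as enabled but that never reached the kernel. IPs and ports below are
# constructed sample values.

# Expected forwards, one per line: "proto dport target" (constructed list).
expected_dnat_rules() {
cat <<'EOF'
tcp 25 192.0.2.10:25
tcp 443 192.0.2.20:443
udp 24441 192.0.2.30:24441
EOF
}

# Live rule dump. In production replace the heredoc with:
#   iptables -t nat -S PREROUTING
# This constructed dump is missing the 443 forward on purpose.
live_nat_rules() {
cat <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.0.2.10:25
-A PREROUTING -p udp -m udp --dport 24441 -j DNAT --to-destination 192.0.2.30:24441
EOF
}

# missing_forwards DUMP: print each expected forward that has no matching
# DNAT line in DUMP (iptables -S format), one per line.
missing_forwards() {
  dump=$1
  expected_dnat_rules | while read -r proto dport target; do
    # Dots in the target act as regex wildcards; fine for a sanity check.
    pattern="-p $proto .*--dport $dport -j DNAT --to-destination $target\$"
    printf '%s\n' "$dump" | grep -q -e "$pattern" \
      || printf '%s %s %s\n' "$proto" "$dport" "$target"
  done
}

# check_forwards: return 0 when every expected forward is loaded, 1 otherwise,
# listing the missing ones on stderr so it can run from cron or a boot hook.
check_forwards() {
  missing=$(missing_forwards "$(live_nat_rules)")
  if [ -n "$missing" ]; then
    printf 'NAT forwards enabled in the GUI but not loaded in the kernel:\n%s\n' \
      "$missing" >&2
    return 1
  fi
  return 0
}

# Usage: . ./check_nat.sh && check_forwards   (exit 1 = at least one missing)
```

Run it a few minutes after boot (the thread reports the rules may take a while to appear) and alert on a non-zero exit; the same check, with the expected list generated from your configuration, tells you whether a toggle is needed without touching every rule.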

  • This does appear to have been fixed in rev 9.701-6 rel 23-Jan-2020  (I believe this is the official issue number : NUTM-10963)

    I have not been offered this via Up2Date on my personal UTM as of this writing;   however I noticed a client's UTM received it today and their NAT came back after applying and rebooting. So I immediately downloaded it from the Sophos FTP and manually applied it - after the reboot all my NAT rules were working!!  No need to STOP/START one NAT rule to get them all working again - hoorah!  

    Now just waiting for all my other clients to be offered this via Up2Date so I can install it globally.

     

    Only 9 or 10 months for Sophos fix - there must only be a few dozen folks using Sophos UTM with NAT using Auto Firewall Rules, and I was unlucky enough to be one of them :-0

     

    Cheers all,

    GrantAU

    Good news! I will check this later on my side because we can't install it for now. I will keep you posted.

    Regards,

    DeltaSM