Some NAT rules using the service definition Any no longer work as of 7.300
The firewall has DNAT/SNAT rules that specify the "Any" service definition in the Traffic Service field and also specify something in the Destination Service field. Prior to 7.300 these rules worked, but after upgrading to 7.300 the rule is disabled. Re-enabling it fails, and the Traffic Service field is highlighted.
Applies to the following Sophos Product and version
Sophos UTM Software Appliance
The Any service definition represents any packet, regardless of protocol. Specifying a concrete destination service while the original (Traffic) service is Any may ask the device to translate packets from one protocol to another, which is impossible. For instance, with the example rule below:
Traffic Source: Any
Traffic Service: --> Any <--
Traffic Destination: External (Address)
NAT Mode: DNAT
Destination: Internal_Server
Destination Service: --> HTTP <--
The above example is only meaningful for TCP traffic, since the destination service HTTP is TCP port 80.
However, a Traffic Service of Any also matches ICMP ping packets, and the rule is asking that they be translated to TCP port 80 packets, which is impossible.
What to do
If you are specifying "Any" as the destination service, click the orange recycle box icon to clear that field and save. The rule can now be enabled and will work as before.
If you are specifying a destination port, you must create a new service definition to replace the use of Any in the Traffic Service field:
Service Type: TCP/UDP (can also be just TCP or UDP if that is all that is needed)
Destination Port: --> 1:65535 <--
Source Port: 1:65535
Use this service in place of Any in the Traffic Service field, save, and enable the rule. The rule then only matches TCP/UDP packets, which can be translated to the destination port.