OK, I have found the issue in our configuration. Two new known network zones have been added, Privat eand Public. Private is marked as public. You have to go back through the Network profiles and include the se zones in any allow or block rules as required. Otherwise you end up with the scenario we had. We had a profile which blocked all traffic apart from vpn access on non trusted networks (we had added a set of trusted networks). The new firewall zones allowed all traffic to pass apart from our vpn, so basically reversed the protection we had configured. I think that any change to the firewall like this should come with a detailed warning that it will break your configuration.