https://live.paloaltonetworks.com/t5/general-topics/schedule-security-rules/m-p/509509#M106067 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/171718">@TerryZhou</a>&nbsp;</P> <P>Unfortunately that is correct - if sessions are established during the business hours, they will continue to run even after the schedule expire and will not use the second rule with schedule active for out of business hours.</P> <P>&nbsp;</P> <P>However you can force policy lookup and those existing sessions to match the "out of business hours" rule.</P> <P>In order to do that you need to force a commit with "Rematch Session" setting enabled under Device -&gt; Setup -&gt; Session</P> <P>A commit with "rematch session" will force new policy lookup for currently active sessions. And since the "business hours" rule has expired traffic will match the "out of business hours" rule.</P> <P>&nbsp;</P> <P>Few ways to trigger commit:</P> <P>- Manually you can use "commit force" - since no change between running and candidate config, you need to use force</P> <P>- If you running Panorama 10.1 and above you can schedule push from Panorama -&gt; Schedule Config Push</P> <P>- Using scripting magic and API to automate commit force at specific time</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 21 Jul 2022 16:28:42 GMT aleksandar.astardzhiev 2022-07-21T16:28:42Z https://live.paloaltonetworks.com/t5/general-topics/schedule-security-rules/m-p/509453#M106058 <P>I have 2 security rules, one needs to run office hours and one needs to run non-office hours. If the tcp session remains (not closed) can the same traffic use different security rules based on time ? or because the tcp session remains and it will stick with the current rule and never use the other security rule even the time changes?</P> Thu, 21 Jul 2022 05:17:32 GMT https://live.paloaltonetworks.com/t5/general-topics/schedule-security-rules/m-p/509453#M106058 TerryZhou 2022-07-21T05:17:32Z https://live.paloaltonetworks.com/t5/general-topics/schedule-security-rules/m-p/509509#M106067 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/171718">@TerryZhou</a>&nbsp;</P> <P>Unfortunately that is correct - if sessions are established during the business hours, they will continue to run even after the schedule expire and will not use the second rule with schedule active for out of business hours.</P> <P>&nbsp;</P> <P>However you can force policy lookup and those existing sessions to match the "out of business hours" rule.</P> <P>In order to do that you need to force a commit with "Rematch Session" setting enabled under Device -&gt; Setup -&gt; Session</P> <P>A commit with "rematch session" will force new policy lookup for currently active sessions. And since the "business hours" rule has expired traffic will match the "out of business hours" rule.</P> <P>&nbsp;</P> <P>Few ways to trigger commit:</P> <P>- Manually you can use "commit force" - since no change between running and candidate config, you need to use force</P> <P>- If you running Panorama 10.1 and above you can schedule push from Panorama -&gt; Schedule Config Push</P> <P>- Using scripting magic and API to automate commit force at specific time</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 21 Jul 2022 16:28:42 GMT https://live.paloaltonetworks.com/t5/general-topics/schedule-security-rules/m-p/509509#M106067 aleksandar.astardzhiev 2022-07-21T16:28:42Z https://live.paloaltonetworks.com/t5/general-topics/schedule-security-rules/m-p/509547#M106074 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/171718">@TerryZhou</a>,</P> <P>Rather than forcing a commit as&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>&nbsp;suggested (this 100% works), I personally recommend scripting a session drop for anything matching the scheduled entry instead. This has an added benefit of not triggering a commit on a schedule in the event someone hasn't completely finished a change on the firewall, along with not failing if someone holds a lock or the config is invalid when the auto commit attempts to run.&nbsp;</P> <LI-CODE lang="markup">/api/?type=op&amp;cmd=&lt;clear&gt;&lt;session&gt;&lt;all&gt;&lt;filter&gt;&lt;rule&gt;[MyRule]&lt;/rule&gt;&lt;/filter&gt;&lt;/all&gt;&lt;/session&gt;&lt;/clear&gt;&amp;key=[key] # Replace [key] with API Key # Replace [MyRule] with name of scheduled entry</LI-CODE> Thu, 21 Jul 2022 22:16:50 GMT https://live.paloaltonetworks.com/t5/general-topics/schedule-security-rules/m-p/509547#M106074 BPry 2022-07-21T22:16:50Z