https://live.paloaltonetworks.com/t5/general-topics/opened-session-remains-after-threat-triggered-block-ip-wtf/m-p/142109#M48490 <P>Hi, I've been testing the block-ip action in spyware DNS signatures. I was an RDP session before the threat triggered the block-ip action. Then, no more connections are allowed (what is OK), but the RDP session remains open.</P><P>&nbsp;</P><P>Is this a normal behaviour? I think the FW should reset all the sessions previosly established for the blocked IP, shouldn't it?</P><P>&nbsp;</P><P>Thanks!</P> Thu, 09 Feb 2017 13:07:31 GMT ACortes 2017-02-09T13:07:31Z https://live.paloaltonetworks.com/t5/general-topics/opened-session-remains-after-threat-triggered-block-ip-wtf/m-p/142109#M48490 <P>Hi, I've been testing the block-ip action in spyware DNS signatures. I was an RDP session before the threat triggered the block-ip action. Then, no more connections are allowed (what is OK), but the RDP session remains open.</P><P>&nbsp;</P><P>Is this a normal behaviour? I think the FW should reset all the sessions previosly established for the blocked IP, shouldn't it?</P><P>&nbsp;</P><P>Thanks!</P> Thu, 09 Feb 2017 13:07:31 GMT https://live.paloaltonetworks.com/t5/general-topics/opened-session-remains-after-threat-triggered-block-ip-wtf/m-p/142109#M48490 ACortes 2017-02-09T13:07:31Z https://live.paloaltonetworks.com/t5/general-topics/opened-session-remains-after-threat-triggered-block-ip-wtf/m-p/142135#M48495 <P>Hi</P> <P>&nbsp;</P> <P>with the block-ip action set, the malicious session will be terminated and any new sessions will be blocked before they are created, but existing sessions could remain open as they were established before the malicious event.</P> <P>scanning on this active session will continue and if any malicious packets are identified in that session, it will also be terminated</P> Thu, 09 Feb 2017 14:38:21 GMT https://live.paloaltonetworks.com/t5/general-topics/opened-session-remains-after-threat-triggered-block-ip-wtf/m-p/142135#M48495 reaper 2017-02-09T14:38:21Z