topic Re: Scheduler should cut off sessions immediately in General Topics

Scheduler should cut off sessions immediately

LCMember4427 — Wed, 15 Jan 2014 13:41:38 GMT

Hi,

We have set a schedule on some security policies, but at the moment the schedule should switch off the traffic it seems that live sessions are not immediately denied, The scheduler only prohibits the creation of new sessions. Is this true?

We are on 5.0.4 witgh our PA500 box and I wonder if I can configure the scheduler to immediately cut off ALL the policy's traffic at the schedule's switch off moment.

Thanks for comments and advice on this

regards Tor

Re: Scheduler should cut off sessions immediately

HULK — Wed, 15 Jan 2014 14:54:40 GMT

Hello Sir,

As per my understanding, a continuous session, that was previously initiated during the permit time should not block when the allowed schedule runs out. Until and unless, if you enable "rematch sessions" and then commit the configuration, then only existing sessions would be rematched to policy (and blocked in this case if the schedule dictates that action).

If "rematch session" is enabled in your firewall, then you can remove for the time being and test the result.

I hope this helps.

Thanks

Re: Scheduler should cut off sessions immediately

LCMember4427 — Thu, 16 Jan 2014 08:04:15 GMT

Thanks for your response. The Rematch Sessions was actually checked in my case, but despite that a lot of traffic is going on through the rule which is actually scheduled to switch off hours before. However all these log entries are of 'Type' 'end'. Does this mean that a user can continue using his Facebook session for hours after the policy allowing it is actually switched off by a schedule?

Would the same 'negligence' of ongoing sessions apply if I create a deny rule scheduled the opposite way? (I.e. that it starts to deny at the moment the daytime allow rule is switched off by a schedule).

If my PA box is not capable of enforcing schedules in an effective way I simply have to set a scheduled power switch on the distribution switches from the two firewall interfaces in question. I never thought I would have to do that having a such expensive box and licenses as my PA equipment.....

regards Tor

Re: Scheduler should cut off sessions immediately

HULK — Thu, 16 Jan 2014 08:41:38 GMT

Hello Sir,

In the case of Deny rules, the traffic is denied immediately when it matches the criterion defined in the security policy so the start and end of the session should be the same. As such you'd be fine, just logging at the start of a Deny policy. You'd not have to wait for the FIN/ FIN ACK to determine the end of the session. So, for a deny rule (I.e. that it starts to deny at the moment the daytime allow rule is switched off by a schedule) will not be able to close/deny for an ongoing session, untill and unless you are applying a "commit force" command or enforcing "session rematch".

So, as per my understanding the scheduler policy will be applied to a newly created session, nor for a running session through the PAN firewall. As per my understanding, most of the leading vendor firewall is working like this. ( Example- PAN, Juniper SRX).

If you have any further questions or inquiries, please open a case with PAN support, we will help you to fulfill your requirements.

Thanks

Please mark as correct answer or helpful if appropriate.