Discard Session Rematch
35649
Created On 09/26/18 13:49 PM - Last Modified 02/08/21 22:02 PM
Symptom
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- Rematch Sessions.
Cause
An existing session stays in the DISCARD state because the current rematch logic only re-evaluates ALLOW sessions; PAN-OS does not reprocess an existing DISCARD session or change its state. Any new session, however, is allowed and is not discarded.
Resolution
If packets are still hitting the existing DISCARD session, clear that session so that a new one can be created, using the following command:
> clear session <session id>
Note: The session ID is obtained from the output of "show session all" by matching the source and destination addresses, port numbers, and protocol. Verify the match with "show session id <id #>" before clearing.
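The following is an added example, not part of the original KB article and not Palo Alto Networks code. It shows the matching step described above done mechanically: parse a saved "show session all" dump, keep only sessions in the DISCARD state whose source, destination, destination port and protocol match the flow that is still being dropped, and print the "show session id" and "clear session" commands for each. The session table embedded in the script is constructed sample text that approximates the two-line-per-session layout of "show session all"; the column layout and the regular expressions are assumptions, so check them against your own firewall's output before relying on the script.

```python
"""Locate PAN-OS DISCARD sessions for a flow and emit the commands to verify and clear them.

Added example for the KB article above; not PAN-OS code. SAMPLE_SHOW_SESSION_ALL is
constructed text approximating "show session all" output (two lines per session).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: one ACTIVE session and two DISCARD sessions (not real firewall output).
SAMPLE_SHOW_SESSION_ALL = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
10234        ssl            ACTIVE  FLOW       10.1.1.20[51234]/trust/6  (10.1.1.20[51234])
vsys1                                          203.0.113.10[443]/untrust  (203.0.113.10[443])
10235        undecided      DISCARD FLOW       10.1.1.20[51240]/trust/6  (10.1.1.20[51240])
vsys1                                          203.0.113.10[443]/untrust  (203.0.113.10[443])
10236        dns            DISCARD FLOW       10.1.1.30[53001]/trust/17  (10.1.1.30[53001])
vsys1                                          198.51.100.53[53]/untrust  (198.51.100.53[53])
"""


@dataclass(frozen=True)
class Session:
    sid: int
    app: str
    state: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


# First line of a session entry: ID, application, state, type, optional flag, then
# "src[sport]/zone/proto". The layout is assumed from the constructed sample above.
FIRST_LINE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+\S+\s+"
    r"(?:\S+\s+)?"  # Flag column may be empty
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\[(?P<sport>\d+)\]/\S+/(?P<proto>\d+)"
)
# Second line: vsys name, then "dst[dport]/zone".
SECOND_LINE = re.compile(r"^\S+\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\[(?P<dport>\d+)\]/")


def parse_session_table(text: str) -> list[Session]:
    """Parse a "show session all" dump into Session records; header lines are skipped."""
    sessions: list[Session] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        first = FIRST_LINE.match(lines[i])
        second = SECOND_LINE.match(lines[i + 1]) if first and i + 1 < len(lines) else None
        if first and second:
            sessions.append(
                Session(
                    sid=int(first["id"]),
                    app=first["app"],
                    state=first["state"],
                    src=first["src"],
                    sport=int(first["sport"]),
                    dst=second["dst"],
                    dport=int(second["dport"]),
                    proto=int(first["proto"]),
                )
            )
            i += 2
        else:
            i += 1
    return sessions


def find_discard_sessions(
    sessions: list[Session], src: str, dst: str, dport: int, proto: int, sport: int | None = None
) -> list[Session]:
    """Return only DISCARD sessions for the given flow.

    The source port is optional because a retrying client usually picks a fresh
    ephemeral port; ACTIVE sessions are never returned, so they cannot be cleared by mistake.
    """
    return [
        s
        for s in sessions
        if s.state == "DISCARD"
        and s.src == src
        and s.dst == dst
        and s.dport == dport
        and s.proto == proto
        and (sport is None or s.sport == sport)
    ]


def clear_commands(sessions: list[Session]) -> list[str]:
    """Build the CLI commands from the article: verify each session, then clear it."""
    cmds: list[str] = []
    for s in sessions:
        cmds.append(f"show session id {s.sid}")
        cmds.append(f"clear session {s.sid}")
    return cmds


if __name__ == "__main__":
    table = parse_session_table(SAMPLE_SHOW_SESSION_ALL)
    stuck = find_discard_sessions(table, "10.1.1.20", "203.0.113.10", 443, 6)
    for cmd in clear_commands(stuck):
        print(cmd)
```

Run the script against a dump saved from the CLI (replace SAMPLE_SHOW_SESSION_ALL with the file contents) and paste the printed commands into the CLI one at a time; the "show session id" line before each "clear session" lets you confirm the tuple and state before anything is cleared.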
Additional Information
How Session Rematch Works