09-26-2014 02:07 AM
Hi,
We are running a PA500 box with software at ver 6.0.4 at a boarding school.
At a certain time during the night we need to switch off internet access completely (so the students get some sleep before the next day). When we do this using schedules in security policies I understand it only denies the creation of new sessions. Ongoing sessions will continue to flow until they are closed by the client. Am I correct?
As you might understand I'm looking for a way to simply 'cut off' everything at a scheduled time. If PA interfaces could be disabled / enabled using a schedule that would be nice, but they can't. I see the point that users can lock themselves out...
But how can I achieve what I need? Can I issue an external CLI command to disable an interface and enable it shortly after (I assume that ongoing sessions will time out rather soon if the interface is switched off for 15 minutes or so)...?
Thanks a lot for comments and suggestions to remedy this situation.
best regards
Tor
09-26-2014 02:32 AM
Hi Tor
you could run an API that clears all the open sessions at the cutoff time:
https://x.x.x.x/api/?REST_API_TOKEN=<token>&type=op&cmd=<clear><session><all></all></session></clear>
you can also add a filter for the rule so you only clear that traffic:
<clear><session><all><filter><rule>internet_for_students</rule></filter></all></session></clear>
09-26-2014 03:09 AM
Hi, and thanks a lot for this tip.
Can I enter a command like this as some 'scheduled task' in the PA500 box so it runs by itself every night?
09-26-2014 03:12 AM
Hi Tor
You'd need to run this off of an external device as you can't enter scheduled tasks on the firewall
09-26-2014 07:33 AM
Hi IKT,
There is no way to enable or disable interfaces on a schedule via a configurable option.
However, you can pass this information via script or XML API. Which means you run a cron job on a Linux server to run those scripts, which can enable or disable interfaces.
Regards,
Hardik Shah
09-26-2014 08:20 AM
When we do this using schedules in security policies I understand it only denies the creation of new sessions. Ongoing sessions will continue to flow until they are closed by the client. Am I correct ?
I am not sure about that. Rematch sessions should solve that for most.
Here is the explanation from help:
"For example, assume that Telnet was previously allowed and then changed to Deny in the last commit. The default behavior is for any Telnet sessions that were started before the commit to be rematched and blocked."
09-26-2014 08:23 AM
How to Schedule Policy Actions
from that document
Note: Sessions begun prior to the scheduled start time will not be affected by the policy if session rematch is not enabled (Device > Setup > Session)
09-26-2014 11:50 AM
Panos: The Rematch Session property only works when policy changes are committed, not at schedule transitions. This is specifically stated in 6.0.4. Unfortunately 😐
09-26-2014 11:52 AM
Quote hshah: "However, you can pass this information via script or XML API. Which means run a CRON on linux server to run those scripts which can enable or disable interfaces."
That would be nice. What would that Linux script look like in detail? I would like to try that, but I have never used PAN-OS API scripts...
regards Tor
09-26-2014 12:26 PM
Then you can commit force at that time.
09-26-2014 12:54 PM
I tested this; it did not work either.
09-26-2014 01:15 PM
Hi IKT,
I am not a script guy, but if anyone knows scripting it can be written in 30 minutes or so.
Regards,
Hardik Shah
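As an added example for Tor's question about what such a Linux script would look like (and for the "run it from cron" suggestion above), here is a script that sends the clear-session operational command from the thread through the PAN-OS XML API. It is not code from the thread or from Palo Alto Networks. The firewall address, the API key and the cron time are placeholders; the rule name internet_for_students is the one used earlier in the thread; the script assumes the XML API accepts the key in a parameter named key (the URL posted above spells that parameter differently, so use whatever your version accepts) and that the management interface certificate is trusted by the Linux host.

```shell
#!/bin/sh
# Added example (not from the thread): clear the sessions of one security rule
# through the PAN-OS XML API, meant to be run from cron on a Linux host.
# Assumed values: PAN_HOST, PAN_KEY and the cron time are placeholders; the
# "key" parameter name is an assumption about the XML API (the thread's URL
# spells it differently).

PAN_HOST="${PAN_HOST:-192.0.2.1}"               # firewall management address (placeholder)
PAN_KEY="${PAN_KEY:-REPLACE_WITH_API_KEY}"      # API key (placeholder)
RULE_NAME="${RULE_NAME:-internet_for_students}" # rule whose sessions are cleared (from the thread)

# Build the operational command XML from the thread; only the rule name varies.
build_clear_cmd() {
    printf '<clear><session><all><filter><rule>%s</rule></filter></all></session></clear>' "$1"
}

# Return 0 if an XML API response reports success, 1 otherwise.
response_ok() {
    case "$1" in
        *'<response status="success"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Send the command. curl -G with --data-urlencode percent-encodes the XML so
# the <, > and / characters survive in the query string.
clear_rule_sessions() {
    resp=$(curl -sS -G "https://$PAN_HOST/api/" \
        --data-urlencode "key=$PAN_KEY" \
        --data "type=op" \
        --data-urlencode "cmd=$(build_clear_cmd "$RULE_NAME")")
    if response_ok "$resp"; then
        logger -t pan-cutoff "cleared sessions for rule $RULE_NAME"
    else
        logger -t pan-cutoff "clear failed: $resp"
        return 1
    fi
}

# Cron line for the Linux host (constructed placeholder time, 23:00 nightly):
# 0 23 * * * /usr/local/bin/pan-cutoff.sh run
if [ "${1:-}" = "run" ]; then
    clear_rule_sessions
fi
```

Run it one minute after the security-policy schedule flips to deny: the schedule stops new sessions and the API call drops the ones that were already open, which is the gap Tor described. The result is written to syslog so a failed night (bad key, unreachable management interface) shows up in the normal log review rather than silently leaving sessions alive.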
09-27-2014 05:16 AM
Does anyone know if a feature request is in to have the sessions rematched when a schedule is applied?
09-28-2014 11:50 PM
No, I don't think so.
How do I check and / or whom do I convince to append it to the list 🙂
Tor