This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

schedule security rules

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

schedule security rules

TerryZhou
L0 Member

‎07-20-2022 10:17 PM

I have 2 security rules, one needs to run office hours and one needs to run non-office hours. If the tcp session remains (not closed) can the same traffic use different security rules based on time ? or because the tcp session remains and it will stick with the current rule and never use the other security rule even the time changes?

0 Likes Likes
2 REPLIES 2

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎07-21-2022 09:28 AM

Hi @TerryZhou 

Unfortunately that is correct - if sessions are established during the business hours, they will continue to run even after the schedule expire and will not use the second rule with schedule active for out of business hours.

 

However you can force policy lookup and those existing sessions to match the "out of business hours" rule.

In order to do that you need to force a commit with "Rematch Session" setting enabled under Device -> Setup -> Session

A commit with "rematch session" will force new policy lookup for currently active sessions. And since the "business hours" rule has expired traffic will match the "out of business hours" rule.

 

Few ways to trigger commit:

- Manually you can use "commit force" - since no change between running and candidate config, you need to use force

- If you running Panorama 10.1 and above you can schedule push from Panorama -> Schedule Config Push

- Using scripting magic and API to automate commit force at specific time

 

 

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎07-21-2022 03:16 PM

@TerryZhou,

Rather than forcing a commit as @aleksandar.astardzhiev suggested (this 100% works), I personally recommend scripting a session drop for anything matching the scheduled entry instead. This has an added benefit of not triggering a commit on a schedule in the event someone hasn't completely finished a change on the firewall, along with not failing if someone holds a lock or the config is invalid when the auto commit attempts to run. 

/api/?type=op&cmd=<clear><session><all><filter><rule>[MyRule]</rule></filter></all></session></clear>&key=[key]

# Replace [key] with API Key

# Replace [MyRule] with name of scheduled entry
(1)
  • 1490 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks