schedule security rules


L0 Member

I have 2 security rules, one needs to run office hours and one needs to run non-office hours. If the tcp session remains (not closed) can the same traffic use different security rules based on time ? or because the tcp session remains and it will stick with the current rule and never use the other security rule even the time changes?


Cyber Elite

Hi @TerryZhou 

Unfortunately that is correct - if sessions are established during the business hours, they will continue to run even after the schedule expires and will not use the second rule with the schedule active for out of business hours.

However you can force policy lookup and those existing sessions to match the "out of business hours" rule.

In order to do that you need to force a commit with "Rematch Session" setting enabled under Device -> Setup -> Session

A commit with "rematch session" will force a new policy lookup for currently active sessions. And since the "business hours" rule has expired, traffic will match the "out of business hours" rule.

A few ways to trigger the commit:

- Manually you can use "commit force" - since there is no change between the running and candidate config, you need to use force

- If you are running Panorama 10.1 and above you can schedule a push from Panorama -> Schedule Config Push

- Using scripting magic and the API to automate commit force at a specific time

Cyber Elite

@TerryZhou,

Rather than forcing a commit as @Astardzhiev suggested (this 100% works), I personally recommend scripting a session drop for anything matching the scheduled entry instead. This has the added benefit of not triggering a commit on a schedule in the event someone hasn't completely finished a change on the firewall, along with not failing if someone holds a lock or the config is invalid when the auto commit attempts to run.

/api/?type=op&cmd=<clear><session><all><filter><rule>[MyRule]</rule></filter></all></session></clear>&key=[key]

# Replace [key] with API Key

# Replace [MyRule] with name of scheduled entry
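The following is an added example of how the session-drop approach from the reply above can be scripted; it is not code from either reply or from Palo Alto Networks. It wraps the op command shown in the thread (`<clear><session><all><filter><rule>...</rule></filter></all></session></clear>`) in a small script meant to be run by cron or another scheduler at the minute the "office hours" schedule expires. The environment variable names `PANOS_HOST` and `PANOS_API_KEY`, the function names, and the shape of the reply it parses (a `<response status="...">` envelope with an optional `<msg>` or `<result>` element) are assumptions; the rule name and API key are not hard-coded, and the rule name is XML-escaped and URL-encoded so a name containing spaces or `&` cannot break the command.

```python
"""Drop firewall sessions that match a scheduled security rule (PAN-OS XML API).

Added example for this thread, not code from either reply. Assumptions:
  - PANOS_HOST and PANOS_API_KEY environment variables (placeholder names)
  - the op command format quoted in the reply above
  - the generic <response status="..."> reply envelope
"""
import os
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Op command from the reply above; {rule} is filled with the escaped rule name.
CLEAR_CMD = "<clear><session><all><filter><rule>{rule}</rule></filter></all></session></clear>"


def build_clear_query(rule_name: str, api_key: str) -> str:
    """Return the URL query string (type, cmd, key) for clearing sessions of rule_name."""
    if not rule_name.strip():
        raise ValueError("rule name must not be empty")
    # escape() turns &, < and > into entities so the name stays inside <rule>.
    cmd = CLEAR_CMD.format(rule=escape(rule_name))
    # urlencode percent-encodes the XML so it travels as a single query parameter.
    return urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})


def parse_response(xml_text: str) -> tuple:
    """Parse an XML API reply into (status, message).

    Assumed envelope: <response status="success|error"> with the human-readable
    text under <msg> (errors) or <result> (success); exact wording varies by command.
    """
    root = ET.fromstring(xml_text)
    status = root.get("status", "unknown")
    node = root.find(".//msg")
    if node is None:
        node = root.find(".//result")
    text = "".join(node.itertext()).strip() if node is not None else ""
    return status, text


def clear_rule_sessions(host: str, rule_name: str, api_key: str, timeout: float = 15.0) -> tuple:
    """Send the op command to the firewall management address and return (status, message)."""
    url = "https://%s/api/?%s" % (host, build_clear_query(rule_name, api_key))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_response(resp.read().decode("utf-8"))


def main(argv):
    """CLI entry point: clear_rule_sessions.py <rule-name>; exit 0 only on success."""
    if len(argv) != 2:
        print("usage: clear_rule_sessions.py <rule-name>", file=sys.stderr)
        return 2
    host = os.environ.get("PANOS_HOST")
    key = os.environ.get("PANOS_API_KEY")
    if not host or not key:
        print("set PANOS_HOST and PANOS_API_KEY in the environment", file=sys.stderr)
        return 2
    status, text = clear_rule_sessions(host, argv[1], key)
    print(status, text)
    return 0 if status == "success" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because the script only issues a session clear and never commits, it is safe to run on a schedule even while someone holds a config lock or has an uncommitted candidate config, which is the point made in the reply above. The API key should belong to an admin role that is limited to the operational commands this script needs.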