Scheduler should cut off sessions immediately

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Scheduler should cut off sessions immediately

L3 Networker

Hi,

We have set a schedule on some security policies, but at the moment the schedule should switch off the traffic it seems that live sessions are not immediately denied,  The scheduler only prohibits the creation of new sessions.  Is this true? 

We are on 5.0.4 witgh our PA500 box and I wonder if I can configure the scheduler to immediately cut off ALL the policy's traffic at the schedule's switch off moment.

Thanks for comments and advice on this

regards Tor

1 accepted solution

Accepted Solutions

L7 Applicator

Hello Sir,

As per my understanding, a continuous session, that was previously initiated during the permit time should not block when the allowed schedule runs out. Until and unless, if you enable "rematch sessions" and then commit the configuration, then only existing sessions would be rematched to policy (and blocked in this case if the schedule dictates that action).


Policy-rematch.JPG.jpg


If "rematch session" is enabled in your firewall, then you can remove for the time being and test the result.

I hope this helps.


Thanks

View solution in original post

3 REPLIES 3

L7 Applicator

Hello Sir,

As per my understanding, a continuous session, that was previously initiated during the permit time should not block when the allowed schedule runs out. Until and unless, if you enable "rematch sessions" and then commit the configuration, then only existing sessions would be rematched to policy (and blocked in this case if the schedule dictates that action).


Policy-rematch.JPG.jpg


If "rematch session" is enabled in your firewall, then you can remove for the time being and test the result.

I hope this helps.


Thanks

Thanks for your response.  The Rematch Sessions was actually checked in my case, but despite that a lot of traffic is going on through the rule which is actually scheduled to switch off hours before.  However all these log entries are of 'Type' 'end'.  Does this mean that a user can continue using his Facebook session for hours after the policy allowing it is actually switched off by a schedule?

Would the same 'negligence' of ongoing sessions apply if I create a deny rule scheduled the opposite way?  (I.e. that it starts to deny at the moment the daytime allow rule is switched off by a schedule).

If my PA box is not capable of enforcing schedules in an effective way I simply have to set a scheduled power switch on the distribution switches from the two firewall interfaces in question.  I never thought I would have to do that having a such expensive box and licenses as my PA equipment.....

regards Tor

Hello Sir,

In the case of Deny rules, the traffic is denied immediately when it matches the criterion defined in the security policy so the start and end of the session should be the same. As such you'd be fine, just logging at the start of a Deny policy. You'd not have to wait for the FIN/ FIN ACK to determine the end of the session. So, for a deny rule (I.e. that it starts to deny at the moment the daytime allow rule is switched off by a schedule) will not be able to close/deny for an ongoing session, untill and unless you are applying a "commit force" command or enforcing "session rematch".


So, as per my understanding the scheduler policy will be applied to a newly created session, nor for a running session through the PAN firewall. As per my understanding, most of the leading vendor firewall is working like this. ( Example- PAN, Juniper SRX).


If you have any further questions or inquiries, please open a case with PAN support, we will help you to fulfill your requirements.


Thanks


Please mark as correct answer or helpful if appropriate.

  • 1 accepted solution
  • 2817 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!