This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Scheduler should cut off sessions immediately

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Scheduler should cut off sessions immediately

Go to solution
LCMember4427
L3 Networker

‎01-15-2014 05:41 AM

Hi,

We have set a schedule on some security policies, but at the moment the schedule should switch off the traffic it seems that live sessions are not immediately denied,  The scheduler only prohibits the creation of new sessions.  Is this true? 

We are on 5.0.4 witgh our PA500 box and I wonder if I can configure the scheduler to immediately cut off ALL the policy's traffic at the schedule's switch off moment.

Thanks for comments and advice on this

regards Tor

Labels:
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
HULK
L7 Applicator

‎01-15-2014 06:54 AM

Hello Sir,

As per my understanding, a continuous session, that was previously initiated during the permit time should not block when the allowed schedule runs out. Until and unless, if you enable "rematch sessions" and then commit the configuration, then only existing sessions would be rematched to policy (and blocked in this case if the schedule dictates that action).


Policy-rematch.JPG.jpg


If "rematch session" is enabled in your firewall, then you can remove for the time being and test the result.

I hope this helps.


Thanks

View solution in original post

0 Likes Likes
3 REPLIES 3

Go to solution
HULK
L7 Applicator

‎01-15-2014 06:54 AM

Hello Sir,

As per my understanding, a continuous session, that was previously initiated during the permit time should not block when the allowed schedule runs out. Until and unless, if you enable "rematch sessions" and then commit the configuration, then only existing sessions would be rematched to policy (and blocked in this case if the schedule dictates that action).


Policy-rematch.JPG.jpg


If "rematch session" is enabled in your firewall, then you can remove for the time being and test the result.

I hope this helps.


Thanks

0 Likes Likes

Go to solution
LCMember4427
L3 Networker
In response to HULK

‎01-16-2014 12:04 AM

Thanks for your response.  The Rematch Sessions was actually checked in my case, but despite that a lot of traffic is going on through the rule which is actually scheduled to switch off hours before.  However all these log entries are of 'Type' 'end'.  Does this mean that a user can continue using his Facebook session for hours after the policy allowing it is actually switched off by a schedule?

Would the same 'negligence' of ongoing sessions apply if I create a deny rule scheduled the opposite way?  (I.e. that it starts to deny at the moment the daytime allow rule is switched off by a schedule).

If my PA box is not capable of enforcing schedules in an effective way I simply have to set a scheduled power switch on the distribution switches from the two firewall interfaces in question.  I never thought I would have to do that having a such expensive box and licenses as my PA equipment.....

regards Tor

0 Likes Likes

Go to solution
HULK
L7 Applicator
In response to LCMember4427

‎01-16-2014 12:41 AM

Hello Sir,

In the case of Deny rules, the traffic is denied immediately when it matches the criterion defined in the security policy so the start and end of the session should be the same. As such you'd be fine, just logging at the start of a Deny policy. You'd not have to wait for the FIN/ FIN ACK to determine the end of the session. So, for a deny rule (I.e. that it starts to deny at the moment the daytime allow rule is switched off by a schedule) will not be able to close/deny for an ongoing session, untill and unless you are applying a "commit force" command or enforcing "session rematch".


So, as per my understanding the scheduler policy will be applied to a newly created session, nor for a running session through the PAN firewall. As per my understanding, most of the leading vendor firewall is working like this. ( Example- PAN, Juniper SRX).


If you have any further questions or inquiries, please open a case with PAN support, we will help you to fulfill your requirements.


Thanks


Please mark as correct answer or helpful if appropriate.

  • 1 accepted solution
  • 2470 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks