SRX

Expand all | Collapse all

Does existing sessions timeout if the policy for the same is deleted

  • 1.  Does existing sessions timeout if the policy for the same is deleted

    Posted 29 days ago

    I have an application which continues to send traffic between the source and destination as long as the current session is not interrupted. This application was running using an any any rule between 2 zones. Due to some security concerns the rule was deleted 6 months back. All of a sudden one day service owner is coming and telling us that the application is not working. On checking we found that the policy is not there in place. We installed a new policy and issue got fixed. Even the application logs are telling that the communication stopped only recently ie. after 6 months.

     

    Question// If we remove a policy for which an existing session with continuous traffic is there, existing session will be removed or not?. If not removed do we need to manually clear the existing sessions?



  • 2.  Re: Does existing sessions timeout if the policy for the same is deleted

    Posted 29 days ago

    To solve this you have to enable "policy-rematch" under security policies... otherwise existing sessions are kept open until they time out. Enabling policy-rematch existing sessions will be reevaluated with the newly updated ruleset.

     

    Ref. https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-policy-rematch.html



  • 3.  Re: Does existing sessions timeout if the policy for the same is deleted

    Posted 27 days ago

    @jonashauge Its seems delete policy operation will make sure that existing sessions are re-checked under all scenarios whereas policy re-match will be beneficial for session rechecking when any modification of the policy(deletion, renaming ,adding new configs inside existing policy) will happen.  Considering this there is no possible way in which an existing session can survive policy deletion. This will tear any existing session that matches the policy instantaneously(Since there are no other policies to permit that specific traffic).