SRX policy-rematch

Today I played with policies in SRX and made a policy change which is supposed to block SSH traffic from internal clients to outside networks. I made the change and committed the configuration, but I saw that my SSH connection was still alive and the connection wasn't dropped. However, when I disconnected and tried to reconnect, I noticed that new connections weren't allowed. This led me to think that any change made is valid only for new sessions, not current ones.

Then I checked the packet flow diagram of SRX devices and immediately recalled that already established sessions take the fast path, in which no policy check is mentioned.

If you want to change this behaviour anyway, there is a handy option named policy-rematch, e.g.

Once this option is enabled, any change made will also affect the current sessions in place, in addition to the new ones.
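As an added example (not part of the original post), the scenario described above in Junos configuration-mode syntax: a deny policy for SSH from the internal zone to the outside, the policy-rematch knob, and the operational commands to confirm whether the existing session survived the commit. The zone names `trust`/`untrust` and the policy names `deny-ssh` and `allow-all` are assumptions; only `policy-rematch` itself is taken from the post.

```junos
## Assumed topology: internal clients in zone "trust", Internet in zone "untrust".
## Assumed existing policy "allow-all" permits everything from trust to untrust.

## 1. Deny SSH (the predefined junos-ssh application, TCP/22) from trust to untrust.
set security policies from-zone trust to-zone untrust policy deny-ssh match source-address any
set security policies from-zone trust to-zone untrust policy deny-ssh match destination-address any
set security policies from-zone trust to-zone untrust policy deny-ssh match application junos-ssh
set security policies from-zone trust to-zone untrust policy deny-ssh then deny
set security policies from-zone trust to-zone untrust policy deny-ssh then log session-init

## 2. Policies are evaluated top-down and the first match wins, so the new deny
##    policy must sit above the broad permit; otherwise it never matches.
insert security policies from-zone trust to-zone untrust policy deny-ssh before policy allow-all

## 3. Without the next line, the commit only affects new sessions: an SSH session
##    that is already in the session table keeps using the fast path.
set security policies policy-rematch

commit

## 4. Verification from operational mode.
## Before the commit: list established sessions towards TCP/22.
run show security flow session destination-port 22
## After the commit with policy-rematch enabled the session should be gone;
## without it, the same session is still listed and the client stays connected.
run show security flow session destination-port 22
## Confirm the policy order and that the deny policy counts hits.
run show security policies from-zone trust to-zone untrust
run show security policies policy-name deny-ssh detail
```

With policy-rematch enabled, a commit that removes or changes a policy causes the sessions it matched to be re-evaluated against the new ruleset, so the existing SSH session is torn down instead of lingering until the client disconnects.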
