SRX policy-rematch

Today I played with policies in SRX and made a policy change which is supposed to block SSH traffic from internal clients to outside networks. I made the change and committed the configuration but I saw that my SSH connection was still alive and connection wasn’t dropped. However when I disconnect and try to reconnect, I notice that new connections aren’t allowed. This led me to think that any change made is valid only for new sessions not current ones.

Then I checked packet flow diagram of SRX devices and immediately recalled that already established sessions are taking the Fast Path in which there isn’t policy check mentioned.

If you want to change this behaviour anyway, there is a handy option named policy-rematch e.g

[edit security policies]
user@host# set policy-rematch
user@host#commit

once this option is enabled, any change made will also affect the current sessions in place in addition to the new ones.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


One thought on “SRX policy-rematch”

You have a feedback?

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading