SRX policy-rematch

Today I played with policies in SRX and made a policy change which is supposed to block SSH traffic from internal clients to outside networks. I made the change and committed the configuration, but I saw that my SSH connection was still alive and the connection wasn't dropped. However, when I disconnected and tried to reconnect, I noticed that new connections weren't allowed. This led me to think that any change made is valid only for new sessions, not current ones.

Then I checked the packet flow diagram of SRX devices and immediately recalled that already established sessions take the Fast Path, in which no policy check is mentioned.

If you want to change this behaviour, there is a handy option named policy-rematch, e.g.

[edit security policies]
user@host# set policy-rematch
user@host# commit

Once this option is enabled, any policy change is also applied to the sessions already in place, not only to new ones: an existing session that no longer matches a permit policy is torn down at commit time.
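The scenario from the post as a complete configuration, added here as an example and not taken from the original post: a deny policy for SSH from the internal zone, policy-rematch enabled so the commit also removes the established session, and the show commands a practitioner would use to verify. The zone names (trust, untrust), the policy names (deny-ssh, permit-all) and the existence of a permit-all policy to insert before are assumptions; lines starting with # are annotations, not CLI input.

```junos
# Added example; zone, policy and address names are assumptions.
# 1. Deny SSH from the internal zone, placed ahead of the existing permit policy.
[edit security policies from-zone trust to-zone untrust]
user@host# set policy deny-ssh match source-address any
user@host# set policy deny-ssh match destination-address any
user@host# set policy deny-ssh match application junos-ssh
user@host# set policy deny-ssh then deny
user@host# set policy deny-ssh then log session-init
user@host# insert policy deny-ssh before policy permit-all

# 2. Without this knob, sessions already in the fast path keep running after the commit.
[edit security policies]
user@host# set policy-rematch
user@host# commit

# 3. Verify the policy order, then confirm no SSH session survived the commit.
user@host> show security policies from-zone trust to-zone untrust
user@host> show security flow session destination-port 22
```

If policy-rematch is not enabled (or was enabled after the change was committed), the established sessions can be removed by hand with `clear security flow session destination-port 22`, which forces the next SSH packet back onto the first path where the new deny policy is evaluated. The `log session-init` action is what makes the denied attempts visible in the security log, so the block can be confirmed from the logs rather than only by retrying the connection.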

About: rtoodtoo

Genco has worked for more than 10 years as a Network/Support Engineer. He is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer at Tesla Inc. // JNCIE-SEC #223 / RHCE / PCNSE
