
[SRX] Renaming a policy closes sessions associated with the policy

[KB28413]


Summary:

This article explains why an active session associated with a renamed policy is closed and removed from the session table when the change is committed.

Symptoms:

When a policy is renamed, all sessions associated with that policy are closed and removed from the active session table.

Cause:

The device treats a policy rename as the deletion of the old policy and the addition of a new one, so all sessions associated with the old policy name are torn down.

Solution:

The following example shows a policy permitting SSH being renamed while an SSH session is active.

Before the policy lan-internet is renamed, a session is in progress:

[edit]
root@SRX> show security flow session
Session ID: 100419, Policy name: lan-internet/7, Timeout: 1796, Valid
  In: 2.2.2.1/64245 --> 1.1.1.1/22;tcp, If: ge-0/0/8.0, Pkts: 66, Bytes: 5617
  Out: 1.1.1.1/22 --> 2.2.2.1/64245;tcp, If: ge-0/0/9.0, Pkts: 113, Bytes: 12453
Total sessions: 1

The policy is then renamed from lan-internet to from-lan. The candidate configuration shows the rename as a deletion plus an addition:

root@SRX# show | compare
[edit security policies from-zone lan to-zone internet]
+    policy from-lan {
+        match {
+            source-address any;
+            destination-address any;
+            application any;
+        }
+        then {
+            permit;
+        }
+    }
-    policy lan-internet {
-        match {
-            source-address any;
-            destination-address any;
-            application any;
-        }
-        then {
-            permit;
-        }
-    }

[edit]
root@SRX# commit and-quit
commit complete
Exiting configuration mode

Checking the session table after the commit shows that the session is no longer active:

[edit]
root@SRX> show security flow session
Total sessions: 0

Note: Configuring policy-rematch, or leaving it unconfigured, has no effect on this behavior.
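As an added example (not part of this KB article), the following pre-commit check reads the candidate "show | compare" output and the current "show security flow session" output and reports which active sessions the commit will tear down because their policy is deleted or renamed. Both sample outputs are constructed here from the article's scenario, condensed, with a second in-place policy edit added to show that it is not flagged.

```python
import re

# Constructed, condensed sample of "show | compare" output. Junos renders the
# rename from the article as a delete of lan-internet plus an add of from-lan;
# the second hunk edits a policy in place and deletes no policy object.
COMPARE_OUTPUT = """\
[edit security policies from-zone lan to-zone internet]
+    policy from-lan {
+        match { source-address any; destination-address any; application any; }
+        then { permit; }
+    }
-    policy lan-internet {
-        match { source-address any; destination-address any; application any; }
-        then { permit; }
-    }
[edit security policies from-zone lan to-zone dmz policy lan-dmz match]
-    application junos-ssh;
+    application any;
"""

# Constructed sample of "show security flow session" (In/Out lines omitted).
SESSION_OUTPUT = """\
Session ID: 100419, Policy name: lan-internet/7, Timeout: 1796, Valid
Session ID: 100420, Policy name: lan-dmz/9, Timeout: 1800, Valid
Session ID: 100421, Policy name: lan-internet/7, Timeout: 1750, Valid
Total sessions: 3
"""

POLICY_REMOVED = re.compile(r"^-\s*policy\s+(\S+)\s*\{", re.M)
SESSION_LINE = re.compile(r"^Session ID: (\d+), Policy name: ([^/,]+)/\d+", re.M)

def removed_policies(compare_text):
    # A rename is a delete plus an add, so its '- policy old {' line is caught;
    # an edit inside an existing policy produces no such line.
    return set(POLICY_REMOVED.findall(compare_text))

def sessions_by_policy(session_text):
    # Map policy name -> list of session IDs from the flow session table.
    by_policy = {}
    for sid, policy in SESSION_LINE.findall(session_text):
        by_policy.setdefault(policy, []).append(int(sid))
    return by_policy

def sessions_at_risk(compare_text, session_text):
    # Sessions the commit will tear down, keyed by the policy being removed.
    # Policy names are unique only per zone pair, so check the [edit ...]
    # context line before acting on a name that is reused across zone pairs.
    live = sessions_by_policy(session_text)
    return {p: live[p] for p in removed_policies(compare_text) if p in live}
```

Running sessions_at_risk on the two samples reports session IDs 100419 and 100421 under lan-internet and nothing for lan-dmz, so the check can be run before "commit" to schedule the rename in a maintenance window.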