[SRX] Renaming a policy closes sessions associated with the policy

Article ID: KB28413 KB Last Updated: 24 Dec 2013 Version: 1.0
Summary:

This article explains how active sessions associated with a renamed policy are closed and removed when the change is committed.

Symptoms:

When a policy is renamed, all the associated sessions are closed and removed from the active session table.

Cause:

The device treats a policy rename as the deletion of the old policy and the addition of a new one, so all sessions associated with the old policy name are torn down.

Solution:

Here is an example where a policy permitting SSH is renamed during an active SSH session.

Before the policy lan-internet is renamed, we see a session in progress:


[edit]
root@SRX> show security flow session
Session ID: 100419, Policy name: lan-internet/7, Timeout: 1796, Valid
In: 2.2.2.1/64245 --> 1.1.1.1/22;tcp, If: ge-0/0/8.0, Pkts: 66, Bytes: 5617
Out: 1.1.1.1/22 --> 2.2.2.1/64245;tcp, If: ge-0/0/9.0, Pkts: 113, Bytes: 12453
Total sessions: 1

The policy is then renamed from lan-internet to from-lan:

root@SRX# show | compare
[edit security policies from-zone lan to-zone internet]
+ policy from-lan {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
- policy lan-internet {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }

[edit]
root@SRX# commit and-quit
commit complete
Exiting configuration mode

Reviewing the session table after the commit shows that the session is no longer active and is no longer in the table.

[edit]
root@SRX> show security flow session
Total sessions: 0


Note: Whether or not policy-rematch is used has no impact on this behavior.
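
A pre-commit check for the behavior described above, as an added example (not Juniper's code): it reads saved "show | compare" and "show security flow session" output, finds policies the commit removes, marks one as a rename when an added policy has the same body, and lists the session IDs that will be closed. The function names are hypothetical, the sample input is rebuilt from the outputs in this article, and the parser assumes all changes sit under one from-zone/to-zone context.

```python
import re

POLICY = re.compile(r"^([+-])\s*policy (\S+) \{$")
SESSION = re.compile(r"^Session ID: (\d+), Policy name: ([^/,\s]+)")

def policy_changes(compare_text):
    """Collect whole policies added (+) or removed (-) in `show | compare` output."""
    changes, current, depth = {"+": {}, "-": {}}, None, 0
    for line in compare_text.splitlines():
        line = line.strip()
        m = POLICY.match(line)
        if m and current is None:
            current, depth = m.groups(), 1
            changes[current[0]][current[1]] = []
        elif current and line.startswith(current[0]):
            stmt = line[1:].strip()
            depth += stmt.count("{") - stmt.count("}")
            if depth == 0:
                current = None          # closing brace of the policy itself
            else:
                changes[current[0]][current[1]].append(stmt)
    return changes

def sessions_at_risk(compare_text, session_text):
    """Map each removed policy to (new name if renamed, session IDs it holds now)."""
    changes = policy_changes(compare_text)
    held = {}
    for line in session_text.splitlines():
        m = SESSION.match(line.strip())
        if m:
            held.setdefault(m.group(2), []).append(int(m.group(1)))
    report = {}
    for old, body in changes["-"].items():
        # Same body under a different name means the commit is a rename.
        new = next((n for n, b in changes["+"].items() if b == body), None)
        report[old] = (new, held.get(old, []))
    return report

# Sample input rebuilt from the outputs shown in the article.
BODY = ["match {", "source-address any;", "destination-address any;",
        "application any;", "}", "then {", "permit;", "}", "}"]
def _block(sign, name):
    return [f"{sign} {s}" for s in [f"policy {name} {{"] + BODY]
COMPARE = "\n".join(["[edit security policies from-zone lan to-zone internet]"]
                    + _block("+", "from-lan") + _block("-", "lan-internet"))
SESSIONS = ("Session ID: 100419, Policy name: lan-internet/7, Timeout: 1796, Valid\n"
            "Total sessions: 1")
if __name__ == "__main__":
    print(sessions_at_risk(COMPARE, SESSIONS))
```

Any session ID listed for a removed policy will be torn down by the commit, so the rename is best scheduled when those sessions can be interrupted.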