How Session Rematch Works
This document describes how session rematch works on a Palo Alto Networks firewall.
When a change to a security policy is committed and Rematch Sessions is enabled, the firewall re-evaluates every existing session against the new rulebase, not just sessions created after the commit. A session whose traffic now matches a deny rule is moved from the active state to the discard state. If Rematch Sessions is disabled, sessions already in progress keep flowing under the rule they matched when they were set up, and only new sessions are evaluated against the changed policy.
In the WebGUI, the setting is under Device > Setup > Session, in the Session Settings section, as Rematch Sessions. From the CLI, show session info reports the current value on the line "Session rematch: True" (or False).
Note: Rematch Sessions is enabled by default for PAN-OS 5.0 and above.
The following example illustrates the behavior when Rematch Sessions is enabled.
The original Security Policy, with a rule that allows the traffic (screenshot):
The original session, matched to that rule and in the active state (screenshot):
The modified Security Policy, with the rule changed to deny (screenshot):
The same session after the policy change and commit (screenshot):
Notice that as soon as the commit took place, the session was rematched against the new policy and moved from the active state to the discard state, even though the session was already established before the change.
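The behaviour described above can be modelled in a few lines. The following is an added example written for this page, not PAN-OS code: a toy top-down, first-match rulebase, a session table, and a commit() that either re-evaluates existing active sessions (rematch on) or leaves them alone (rematch off). The rule name "allow-web", the "interzone-default" name for the implicit deny, and the sample addresses are constructed for the illustration.

```python
"""Toy model of security-policy session rematch (added example; not PAN-OS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    source: str       # CIDR
    destination: str  # CIDR
    application: str  # "any" or an App-ID name
    action: str       # "allow" or "deny"

    def matches(self, session: "Session") -> bool:
        return (ip_address(session.src) in ip_network(self.source)
                and ip_address(session.dst) in ip_network(self.destination)
                and self.application in ("any", session.app))


@dataclass
class Session:
    sid: int
    src: str
    dst: str
    app: str
    rule: str = ""
    state: str = "INIT"  # INIT -> ACTIVE or DISCARD


def evaluate(rules, session):
    """Top-down first match, like a security rulebase; no match means the implicit deny."""
    for rule in rules:
        if rule.matches(session):
            session.rule = rule.name
            session.state = "ACTIVE" if rule.action == "allow" else "DISCARD"
            return session
    session.rule = "interzone-default"  # hypothetical name for the implicit deny
    session.state = "DISCARD"
    return session


def commit(rules, sessions, rematch):
    """Install a new rulebase.

    With rematch enabled, every existing ACTIVE session is re-evaluated against
    the new rules and flips to DISCARD if it now hits a deny.  With rematch
    disabled, existing sessions keep the rule they matched at setup; only new
    sessions would see the changed policy.
    """
    if rematch:
        for s in sessions:
            if s.state == "ACTIVE":
                evaluate(rules, s)
    return sessions


def run_demo(rematch):
    # Constructed sample data: one allow rule and one session that matched it.
    original = [Rule("allow-web", "10.1.1.0/24", "0.0.0.0/0", "web-browsing", "allow")]
    session = evaluate(original, Session(1, "10.1.1.25", "203.0.113.10", "web-browsing"))
    assert session.state == "ACTIVE"
    # The administrator changes the rule's action to deny and commits.
    modified = [Rule("allow-web", "10.1.1.0/24", "0.0.0.0/0", "web-browsing", "deny")]
    return commit(modified, [session], rematch)


if __name__ == "__main__":
    for flag in (True, False):
        s = run_demo(flag)[0]
        print(f"rematch={flag}: session {s.sid} rule={s.rule} state={s.state}")
```

Running it shows the same outcome as the screenshots: with rematch enabled the established session ends up in the discard state on the modified rule, while with rematch disabled it stays active until it ages out or is closed.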