How Session Rematch Works
50044
Created On 09/25/18 19:21 PM - Last Modified 05/24/23 19:02 PM
Symptom
Details
- A change is made to a security policy and a commit is performed.
- If session rematch is enabled, the firewall re-evaluates every existing session against the new security policy and applies the new rule (and its action) to any session whose traffic matches.
Environment
NGFW
Resolution
From the WebGUI, go to Device > Setup > Session; the Rematch Sessions setting is found on this page.
Note: Rematch Sessions is enabled by default for PAN-OS 5.0 and above.
Example
The following example illustrates the behavior when Rematch Sessions is enabled.
Shown below is the original Security Policy:
The original session is shown below:
Shown below is the Security Policy:
The session after a policy change and commit:
Notice that as soon as the commit took place, the session was rematched to the new policy and changed from the active state to the discard state.
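The behaviour described above, as an added example that is not part of the original article or of PAN-OS: a constructed, simplified model of a first-match security policy and a session table, where a commit with Rematch Sessions on re-evaluates every active session and moves any session that now hits a deny (or no rule) to discard, while with it off existing sessions keep their original match. Rule names, addresses and applications are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, simplified model of a security policy and session table (not PAN-OS code).


@dataclass
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    app: str      # application name or "any"
    action: str   # "allow" or "deny"

    def matches(self, session) -> bool:
        return (ip_address(session.src) in ip_network(self.src)
                and ip_address(session.dst) in ip_network(self.dst)
                and self.app in ("any", session.app))


@dataclass
class Session:
    src: str
    dst: str
    app: str
    rule: str = ""         # rule the session was matched to at setup
    state: str = "active"  # "active" or "discard"


def lookup(policy, session):
    """First-match, top-to-bottom evaluation; no match means implicit deny."""
    for rule in policy:
        if rule.matches(session):
            return rule
    return None


def commit(policy, sessions, rematch=True):
    """Install a new policy. With Rematch Sessions on, every active session is
    re-evaluated and one that now hits a deny (or no rule) goes to discard;
    with it off, existing sessions keep running under their original match."""
    if rematch:
        for s in sessions:
            if s.state != "active":
                continue
            hit = lookup(policy, s)
            s.rule = hit.name if hit else "implicit-deny"
            if hit is None or hit.action == "deny":
                s.state = "discard"
    return sessions
```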