Discard Session Rematch

35362
Created On 09/26/18 13:49 PM - Last Modified 02/08/21 22:02 PM


Symptom


  • A session is in the DISCARD state.
  • A new policy is then added to allow that particular traffic.
  • Even with "Rematch Sessions" enabled, that session does not change state from DISCARD to ACTIVE.

GUI: Device > Setup > Session:

[Screenshot: Session Settings]


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • Rematch Sessions.


Cause


The session stays in the DISCARD state because the current rematch logic only re-evaluates ALLOW sessions; PAN-OS does not process an existing DISCARD session and change its state. Only future sessions for that traffic are matched against the new policy and allowed.



Resolution


If packets are still hitting the existing DISCARD session, clear that session so the next packet creates a new session that matches the new policy:

> clear session id <session id>

Note: Obtain the session ID from the output of "show session all" by matching the source and destination addresses, port numbers and protocol of the affected flow. Verify the session's details and state with "show session id <id #>" before clearing it.

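As an added example (not from this article or from Palo Alto Networks), the following Python script automates the note above: it parses a constructed sample of "show session all" output, finds DISCARD sessions whose source address, destination address, destination port and protocol match the flow the new policy was written to allow, and returns the "clear session id" commands to review before running. The column layout of the sample and the regexes are assumptions about the output format; check them against your own PAN-OS version.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the two-line-per-session layout of
# "show session all"; column positions are an assumption, check them
# against your own PAN-OS output before relying on the regexes below.
SAMPLE_OUTPUT = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
1201         undecided      DISCARD FLOW       10.1.1.5[51234]/trust/6  (10.1.1.5[51234])
vsys1                                          203.0.113.10[443]/untrust  (203.0.113.10[443])
1202         ssl            ACTIVE  FLOW       10.1.1.5[51300]/trust/6  (10.1.1.5[51300])
vsys1                                          203.0.113.10[443]/untrust  (203.0.113.10[443])
1203         undecided      DISCARD FLOW       10.1.1.7[53001]/trust/17  (10.1.1.7[53001])
vsys1                                          203.0.113.53[53]/untrust  (203.0.113.53[53])
"""

Session = namedtuple("Session", "sid state src sport dst dport proto")
# First line of a record: ID, application, state, ..., src[sport]/zone/proto
FIRST = re.compile(r"^(\d+)\s+\S+\s+(\S+)\s+.*?(\d+(?:\.\d+){3})\[(\d+)\]/[^/\s]+/(\d+)")
# Second line of a record: vsys, dst[dport]/zone
SECOND = re.compile(r"^\S+\s+(\d+(?:\.\d+){3})\[(\d+)\]/")

def parse_sessions(text):
    """Yield one Session per two-line record; headers and separators are skipped."""
    lines = text.splitlines()
    i = 0
    while i < len(lines) - 1:
        m1 = FIRST.match(lines[i])
        m2 = SECOND.match(lines[i + 1]) if m1 else None
        if m1 and m2:
            yield Session(int(m1[1]), m1[2], m1[3], int(m1[4]), m2[1], int(m2[2]), int(m1[5]))
            i += 2
        else:
            i += 1

def stale_discard_ids(text, src, dst, dport, proto, sport=None):
    """IDs of DISCARD sessions for the flow the new rule was written to allow.
    sport=None matches any source port, since a retrying client picks a new one."""
    return [s.sid for s in parse_sessions(text)
            if s.state == "DISCARD"
            and (s.src, s.dst, s.dport, s.proto) == (src, dst, dport, proto)
            and (sport is None or s.sport == sport)]

def clear_commands(ids):
    """CLI commands to run so the next packet builds a fresh session."""
    return [f"clear session id {sid}" for sid in ids]
```

Run "show session id <id #>" on each returned ID first; an ACTIVE session for the same tuple (1202 above) is deliberately left alone.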

Additional Information


How Session Rematch Works
