https://community.checkpoint.com/t5/Firewall-and-Security-Management/Session-will-not-go-away/m-p/136937#M20719 <P>A "session" exists only as a logging construct.&nbsp; Individual connections (when bundled together by the gateway) comprise a session.&nbsp; The techniques you mentioned are to kill a connection (or connections) and do work.&nbsp; However when a new connection starts back up after the kill that is substantially similar to the previous ones being tracked by a current session, that connection is added back in to the existing session for logging purposes and that is what you are seeing.</P> <P>If you'd rather not see these session logs, just uncheck "per Session" in the properties of the Track column for the matched rule, and make sure "per Connection" is checked there instead which will give you the more traditional per connection logs which will show that your connection-killing efforts are working as expected.</P> <P>All I can say for the moment is that some clarity on this somewhat confusing issue is hopefully on the way, and may be delivered in a very public forum in the near future by someone well known here at CheckMates.</P> Wed, 22 Dec 2021 03:38:34 GMT Timothy_Hall 2021-12-22T03:38:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Session-will-not-go-away/m-p/136934#M20718 <P>Hi Mates,</P><P>hope someone knows how to get rid of this:</P><P>we have some load balancers in the DMZ pointing to an internal web server.</P><P>Now we want to implement SSL inbound inspection into this connection (log4j <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P><P>Rules for this are set -&gt; ok but the connection will not get inspected because the session will not stop. We tried everything we know: Stop/reboot of the load balancers, stop/reboot of the web server. kicked connection via this skript <A href="https://community.checkpoint.com/t5/Security-Gateways/How-to-delete-an-specific-entry-from-the-Connections-Table-with/m-p/99220/highlight/true" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/How-to-delete-an-specific-entry-from-the-Connections-Table-with/m-p/99220/highlight/true</A> also created a rule to drop the connection then removed the rule. But still it uses some "old" session as you can see the screen shot.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-12-21_21-35.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/14660iBCD565FD304F674E/image-size/medium?v=v2&amp;px=400" role="button" title="2021-12-21_21-35.png" alt="2021-12-21_21-35.png" /></span></P><P>&nbsp;</P><P>plz hlp!</P><P>Cheers,<BR />David</P> Tue, 21 Dec 2021 20:39:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Session-will-not-go-away/m-p/136934#M20718 D_W 2021-12-21T20:39:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Session-will-not-go-away/m-p/136937#M20719 <P>A "session" exists only as a logging construct.&nbsp; Individual connections (when bundled together by the gateway) comprise a session.&nbsp; The techniques you mentioned are to kill a connection (or connections) and do work.&nbsp; However when a new connection starts back up after the kill that is substantially similar to the previous ones being tracked by a current session, that connection is added back in to the existing session for logging purposes and that is what you are seeing.</P> <P>If you'd rather not see these session logs, just uncheck "per Session" in the properties of the Track column for the matched rule, and make sure "per Connection" is checked there instead which will give you the more traditional per connection logs which will show that your connection-killing efforts are working as expected.</P> <P>All I can say for the moment is that some clarity on this somewhat confusing issue is hopefully on the way, and may be delivered in a very public forum in the near future by someone well known here at CheckMates.</P> Wed, 22 Dec 2021 03:38:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Session-will-not-go-away/m-p/136937#M20719 Timothy_Hall 2021-12-22T03:38:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Session-will-not-go-away/m-p/136939#M20720 <P>Very good to know thank you!!</P><P>Now I need to find out why the https inspection rule is not matching <span class="lia-unicode-emoji" title=":grinning_face_with_sweat:">😅</span> but this will not be handled in this forum thread.</P><P>Cheers,<BR />David</P> Tue, 21 Dec 2021 21:53:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Session-will-not-go-away/m-p/136939#M20720 D_W 2021-12-21T21:53:56Z