Connection Persistence
Getting here - Gateway Properties > Other > Connection persistence
What can I do here?
In this window you can determine how the Check Point Security Gateway treats existing connections when a security policy is installed.
What background information do I need to know?
Check Point Security Gateway provides the best combination of security and connectivity, maintaining maximum connectivity without compromising security.
In Check Point Security Gateway Stateful Inspection, a packet is matched against the security policy Rule Base only when a new connection is established.
If the Action for a matched connection is Accept, then an entry is created in the connections table so all future packets that belong to this connection are accepted without referring to the policy.
When a new policy is installed, existing connections are marked as "old". When a new packet that belongs to an "old" connection is encountered, it is matched against the policy. If the policy match result is Accept, the entry reverts to a normal state and the connection continues uninterrupted. If the result is Drop or Reject, the packet is dropped and the connection entry is deleted from the table.
Tell me about the fields...
- Keep all connections keeps all control and data connections open until the connections have ended. The newly installed policy will be enforced only for new connections.
- Keep Data Connections keeps all data connections open until the connections have ended. Control connections that are not allowed under the new policy will be terminated.
- Rematch Connections means that all connections not allowed under the new policy will be terminated, unless Keep connections open after policy has been installed is enabled for the service in the Service Properties window.
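
The following is an added example, not Check Point code: a simplified Python model of the connections table that shows which established connections survive a policy install under each of the three settings. The connection names, the services, and the new policy (accept only ssh) are constructed for illustration, and the per-service exemption is modeled only for Rematch Connections, as the text above describes it.

```python
from dataclasses import dataclass

KEEP_ALL, KEEP_DATA, REMATCH = "keep_all", "keep_data", "rematch"

@dataclass
class Conn:
    name: str
    service: str
    kind: str            # "control" or "data"
    old: bool = False    # set when a new policy is installed

def install_policy(table):
    """Policy install: every existing entry is marked "old"."""
    for conn in table:
        conn.old = True

def handle_packet(conn, table, policy, mode, keep_open=frozenset()):
    """Process one packet of an existing connection; True means accepted."""
    if not conn.old:
        return True                       # normal entry: no Rule Base lookup
    if mode == KEEP_ALL:
        return True                       # kept until the connection ends
    if mode == KEEP_DATA and conn.kind == "data":
        return True                       # data connections are kept
    if mode == REMATCH and conn.service in keep_open:
        return True                       # per-service "keep open" exemption
    if policy(conn) == "accept":          # rematch against the new policy
        conn.old = False                  # entry reverts to a normal state
        return True
    table.remove(conn)                    # Drop/Reject: entry is deleted
    return False

def survivors(mode, keep_open=frozenset()):
    """Constructed scenario: the newly installed policy accepts only ssh."""
    table = [
        Conn("ssh-admin", "ssh", "control"),
        Conn("ftp-ctrl", "ftp", "control"),
        Conn("ftp-data", "ftp", "data"),
        Conn("telnet-legacy", "telnet", "control"),
    ]
    new_policy = lambda c: "accept" if c.service == "ssh" else "drop"
    install_policy(table)
    for conn in list(table):              # one packet per existing connection
        handle_packet(conn, table, new_policy, mode, keep_open)
    return [c.name for c in table]

if __name__ == "__main__":
    for mode in (KEEP_ALL, KEEP_DATA, REMATCH):
        print(mode, survivors(mode, keep_open={"telnet"}))
```

In this model, a rule change that removes access takes effect on established sessions only under Rematch Connections, and a service with the keep-open option enabled still survives it, which is worth checking when a policy install is meant to cut off existing sessions.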