This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CP-NDA
Collaborator
‎2018-06-20 02:49 AM

Time based rule - rematch connection

Dear,

We would like to implement a Time Based restricted rule

The time limitation is correclty applied for all new connections but for existing traffic there is no rematch of the active connections once rule expires

Is there a way to force this?

We would like to apply Bandwidth limitation starting at a defined day and hour and release this limitation after a certain time...

For now if the connection start before the time restriction the limitation is not applied

Thank you

Nicolas

6 Replies
Huseyin_Rencber
Collaborator
‎2018-06-20 03:37 AM

Hi Nicolas,

Could you check that "Rematch connections" is chosen under SmartDashboard -> gateway object -> Other -> Connection Persistence ? sxl may help without rematch conn config;  for the configuration to apply for connections from existing templates, you should run "fwaccel off; fwaccel on".

CP-NDA
Collaborator
‎2018-06-20 03:54 AM
In response to Huseyin_Rencber

Hi,

Thank you for this update we are in Keep Connection to avoid drops when pushing policies in VPN

Is this settings responsible for the non-rematch of the rules?

When you ask to set fwaccl off then on do we need to run this manually once the rule has expired?

Thank you

Best regards

Nicolas

0 Kudos
Huseyin_Rencber
Collaborator
‎2018-06-20 04:25 AM
In response to CP-NDA

You setting (keep connection) will keep connections open until the connections ended. The newly installed policy will be enforced only for the new connection. The second option sxl may help. not sure about that, you can try it

0 Kudos
CP-NDA
Collaborator
‎2018-06-20 04:28 AM
In response to Huseyin_Rencber

Hi,

Thank you for your reply

However I'm not trying to have policy applied after a Policy Installation but after a Rule with a Time ressource defined on it. When this rule expire I would like to rematch the existing connection (no policy installation)

Regards

Nicolas

0 Kudos
Danny
MVP Platinum
MVP Platinum
‎2018-06-20 04:31 AM

As Check Point's rulebase is matched only against new connections the only way I see to force this via a simple Bash script that is resetting the existing connection at your specific times.

CP-NDA
Collaborator
‎2018-06-20 04:36 AM
In response to Danny

Hi

Thank you

I though there would be a native and better way to handle this

As per my debug the way of limiting the bandwidth is quite strange (dropping packets)...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events