Time based rule - rematch connection
Dear,
We would like to implement a time-based restricted rule.
The time limitation is correctly applied for all new connections, but for existing traffic there is no rematch of the active connections once the rule expires.
Is there a way to force this?
We would like to apply a bandwidth limitation starting at a defined day and hour and release this limitation after a certain time...
For now, if the connection starts before the time restriction, the limitation is not applied.
Thank you
Nicolas
Hi Nicolas,
Could you check that "Rematch connections" is chosen under SmartDashboard -> gateway object -> Other -> Connection Persistence? sxl may help without rematch conn config; for the configuration to apply for connections from existing templates, you should run "fwaccel off; fwaccel on".
Hi,
Thank you for this update. We are in Keep Connection to avoid drops when pushing policies in VPN.
Is this setting responsible for the non-rematch of the rules?
When you ask to set fwaccel off then on, do we need to run this manually once the rule has expired?
Thank you
Best regards
Nicolas
Your setting (keep connection) will keep connections open until the connections end. The newly installed policy will be enforced only for new connections. The second option, sxl, may help. Not sure about that, you can try it.
Hi,
Thank you for your reply.
However, I'm not trying to have the policy applied after a Policy Installation but after a rule with a Time resource defined on it. When this rule expires I would like to rematch the existing connections (no policy installation).
Regards
Nicolas
As Check Point's rulebase is matched only against new connections, the only way I see to force this is via a simple Bash script that resets the existing connections at your specific times.
Hi
Thank you
I thought there would be a native and better way to handle this.
As per my debug the way of limiting the bandwidth is quite strange (dropping packets)...
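
The scheduled-reset idea suggested earlier in the thread, sketched as an added example that is not part of any post above and is not Check Point's own code: a cron-driven script that detects when the rule's time window opens or closes and runs a reset command once per transition. The window values, the state file path and `RESET_CMD` are assumptions; the thread does not name the reset command, so it is left as a placeholder.

```bash
#!/bin/bash
# Added example, not from the thread. Intended to run from cron every minute.
# Window of the time-restricted rule (constructed sample values). Days are
# ISO numbers as printed by `date +%u`: 1 = Monday ... 7 = Sunday.
START_DAY=1; START_HHMM=0800
END_DAY=5;   END_HHMM=1800
STATE_FILE="${STATE_FILE:-/var/tmp/time_rule.state}"    # hypothetical path
# Hypothetical placeholder: the thread names no reset command. Substitute the
# one you have validated for your gateway version.
RESET_CMD="${RESET_CMD:-echo would-reset-connections}"

# minute_of_week DAY HHMM -> minutes since Monday 00:00
minute_of_week() {
    mow_hh=${2%??}; mow_mm=${2#??}
    # Strip one leading zero so "08" is not rejected as invalid octal
    echo $(( ($1 - 1) * 1440 + ${mow_hh#0} * 60 + ${mow_mm#0} ))
}

# window_state DAY HHMM -> "in" or "out"; start is inclusive, end exclusive.
# Also handles a window that wraps past Sunday midnight (start > end).
window_state() {
    ws_now=$(minute_of_week "$1" "$2")
    ws_start=$(minute_of_week "$START_DAY" "$START_HHMM")
    ws_end=$(minute_of_week "$END_DAY" "$END_HHMM")
    if [ "$ws_start" -le "$ws_end" ]; then
        if [ "$ws_now" -ge "$ws_start" ] && [ "$ws_now" -lt "$ws_end" ]; then echo in; else echo out; fi
    else
        if [ "$ws_now" -ge "$ws_start" ] || [ "$ws_now" -lt "$ws_end" ]; then echo in; else echo out; fi
    fi
}

# check_boundary DAY HHMM -> prints first-run, no-change or reset.
# Runs RESET_CMD exactly once per transition into or out of the window.
check_boundary() {
    cb_cur=$(window_state "$1" "$2")
    cb_prev=$(cat "$STATE_FILE" 2>/dev/null || echo unknown)
    if [ "$cb_prev" = "$cb_cur" ]; then echo no-change; return 0; fi
    if [ "$cb_prev" = unknown ]; then
        echo "$cb_cur" > "$STATE_FILE"; echo first-run; return 0
    fi
    # State flipped: record it only if the reset succeeded, so a failed
    # reset is retried on the next run.
    $RESET_CMD >/dev/null || return 1
    echo "$cb_cur" > "$STATE_FILE"; echo reset
}

if [ "${1:-}" = "--run" ]; then check_boundary "$(date +%u)" "$(date +%H%M)"; fi
```

Invoked with `--run` from cron, the script acts only on the minute the window state changes; with the Keep Connection setting discussed above, a reset interrupts the affected sessions, so scope `RESET_CMD` as narrowly as your environment allows.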