
Time based rule - rematch connection

Dear,

We would like to implement a Time Based restricted rule

The time limitation is correctly applied for all new connections, but for existing traffic there is no rematch of the active connections once the rule expires.

Is there a way to force this?

We would like to apply Bandwidth limitation starting at a defined day and hour and release this limitation after a certain time...

For now, if the connection starts before the time restriction, the limitation is not applied.

Thank you

Nicolas

6 Replies

Re: Time based rule - rematch connection

Hi Nicolas,

Could you check that "Rematch connections" is chosen under SmartDashboard -> gateway object -> Other -> Connection Persistence? sxl may help without rematch conn config; for the configuration to apply for connections from existing templates, you should run "fwaccel off; fwaccel on".

Re: Time based rule - rematch connection

Hi,

Thank you for this update. We are in Keep Connection to avoid drops when pushing policies in VPN.

Is this setting responsible for the non-rematch of the rules?

When you ask to set fwaccel off then on, do we need to run this manually once the rule has expired?

Thank you

Best regards

Nicolas


Re: Time based rule - rematch connection

Your setting (keep connection) will keep connections open until the connections have ended. The newly installed policy will be enforced only for new connections. The second option, sxl, may help. Not sure about that, you can try it.


Re: Time based rule - rematch connection

Hi,

Thank you for your reply

However, I'm not trying to have the policy applied after a Policy Installation but after a Rule with a Time resource defined on it. When this rule expires I would like to rematch the existing connections (no policy installation).

Regards

Nicolas

Danny

Re: Time based rule - rematch connection

As Check Point's rulebase is matched only against new connections, the only way I see to force this is via a simple Bash script that resets the existing connections at your specific times.
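A cron-driven sketch of the script Danny describes, added here as an example and not taken from the thread or from Check Point. It assumes the rule's time window is given as two HH:MM values on the same day, that the script runs from cron once a minute, and that `fw tab -t connections -x` (flush the gateway's connections table) is acceptable at the boundary, since it drops the active sessions the Keep Connection setting was protecting; DRY_RUN=1 is the default so it only prints the commands.

```shell
#!/bin/sh
# Added example: re-match existing connections at the start and end of a
# time-based rule by flushing them at the window boundaries (run via cron).
# Assumed/constructed values: WINDOW_START, WINDOW_END (HH:MM), DRY_RUN.
WINDOW_START="${WINDOW_START:-08:00}"
WINDOW_END="${WINDOW_END:-18:00}"
DRY_RUN="${DRY_RUN:-1}"

# hhmm_to_min 09:30 -> 570 (minutes since midnight); leading zeros are
# stripped so dash does not treat "08" as an invalid octal number.
hhmm_to_min() {
  h="${1%%:*}"; m="${1##*:}"
  h="${h#0}"; m="${m#0}"
  echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# at_boundary NOW START END -> start | end | none
# Cron granularity is one minute, so an exact match is enough.
at_boundary() {
  now=$(hhmm_to_min "$1"); start=$(hhmm_to_min "$2"); end=$(hhmm_to_min "$3")
  if [ "$now" -eq "$start" ]; then echo start
  elif [ "$now" -eq "$end" ]; then echo end
  else echo none; fi
}

# rematch_connections: disable SecureXL, flush the connections table so every
# flow is seen as a new connection and matched against the now-active rule,
# then re-enable SecureXL. This deliberately drops established sessions.
rematch_connections() {
  cmds="fwaccel off; fw tab -t connections -x; fwaccel on"
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY RUN: $cmds"
  else
    fwaccel off && fw tab -t connections -x && fwaccel on
  fi
}

# main: crontab entry "* * * * * /path/to/rematch.sh run" calls this every
# minute; it only acts when the current minute is a window boundary.
main() {
  case "$(at_boundary "$(date +%H:%M)" "$WINDOW_START" "$WINDOW_END")" in
    start|end) rematch_connections ;;
    none) ;;
  esac
}
if [ "${1:-}" = "run" ]; then main; fi
```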

Re: Time based rule - rematch connection

Hi

Thank you

I thought there would be a native and better way to handle this.

As per my debug the way of limiting the bandwidth is quite strange (dropping packets)...