Time based rules and resetting connections that ar...

Andrew_Tindall · ‎2021-03-18

We have a requirement to allow outbound SSH access, but only at certain times of the day as part of a new solution to be implemented.

From my understanding we can create a time based rule to allow this, and during this time frame new SSH connections would be allowed as per the rule.And not outside of the allowed timeframe.

However the connection would not torn down that had already been established that matched this rule during the time it was active once the rule was past it's time to allow the traffic?

Is there a simple way to achive this?

Thanks,

Andy.

PhoneBoy · ‎2021-03-18

We only check the time component when the connection is established.
Its not something we check on an ongoing basis.

An “easy” way to do this would be an RFE.
That said, with a little scripting, you could probably achieve what you’re after.
Ultimately, you can kill in-progress connections with fw sam, sam erdos, or similar using a cron job.
I believe you can just kill all ssh connections to the Internet with a single command, the exact nature of which depends on where the gateway sits in the network (it has to be done by IP).

Timothy_Hall · ‎2021-03-18

Assuming you have Connection Persistence set to "Rematch all connections", I suppose you could execute a fw fetchlocal on the gateway via cron right at the start of the timeframe where SSH is no longer allowed. This will invoke a rematch operation, which I believe will close the expired SSH connections. There does not seem to be a way to kick off only a rematch operation without doing a full policy reinstall that I can find. For more info about the rematch operation see Scenario 1 here: sk103598: Connectivity Issues after Policy Install

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Are you a member of CheckMates?

Time based rules and resetting connections that are active once the time based rule ends