D_W
Advisor

Session will not go away

Hi Mates,

hope someone knows how to get rid of this:

we have some load balancers in the DMZ pointing to an internal web server.

Now we want to implement SSL inbound inspection into this connection (log4j 😉 )

Rules for this are set -> ok, but the connection will not get inspected because the session will not stop. We tried everything we know: stop/reboot of the load balancers, stop/reboot of the web server, kicked the connection via this script https://community.checkpoint.com/t5/Security-Gateways/How-to-delete-an-specific-entry-from-the-Conne... and also created a rule to drop the connection, then removed the rule. But it still uses some "old" session, as you can see in the screenshot.

[Screenshot attached: 2021-12-21_21-35.png]

plz hlp!

Cheers,
David

Accepted Solutions
Timothy_Hall
Legend

A "session" exists only as a logging construct. Individual connections (when bundled together by the gateway) comprise a session. The techniques you mentioned are to kill a connection (or connections) and do work. However, when a new connection starts back up after the kill that is substantially similar to the previous ones being tracked by a current session, that connection is added back into the existing session for logging purposes, and that is what you are seeing.

If you'd rather not see these session logs, just uncheck "per Session" in the properties of the Track column for the matched rule, and make sure "per Connection" is checked there instead, which will give you the more traditional per-connection logs that will show your connection-killing efforts are working as expected.

All I can say for the moment is that some clarity on this somewhat confusing issue is hopefully on the way, and may be delivered in a very public forum in the near future by someone well known here at CheckMates.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
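As an added illustration (not code from this thread, from Check Point, or from the gateway itself): a toy Python model of the two Track options Timothy describes. The grouping key (client, server, port, rule) and the idle window are assumptions chosen only to reproduce the behaviour he explains; the real gateway's session-aggregation rules are not given on this page. The sample connection records are constructed.

```python
"""Toy model of "per Session" vs "per Connection" tracking.

Added illustration, not Check Point code. The aggregation key and the
idle window below are assumptions; they exist only to show why a killed
connection that immediately reconnects still lands in the same session log.
"""
from dataclasses import dataclass, field

# Assumed: a session stays open while similar connections keep arriving
# within this many seconds of the last one.
SESSION_IDLE_SECONDS = 300


@dataclass(frozen=True)
class Connection:
    ts: int        # seconds since epoch (constructed sample values)
    src: str
    dst: str
    dport: int
    rule: str
    conn_id: int


@dataclass
class Session:
    key: tuple
    first_ts: int
    last_ts: int
    conn_ids: list = field(default_factory=list)


def session_key(c: Connection) -> tuple:
    """Assumed aggregation key: same client, server, service and rule."""
    return (c.src, c.dst, c.dport, c.rule)


def per_connection_logs(conns):
    """"per Connection" tracking: one log record per connection, nothing merged."""
    return [
        {"conn_id": c.conn_id, "ts": c.ts, "src": c.src, "dst": c.dst,
         "dport": c.dport, "rule": c.rule}
        for c in conns
    ]


def per_session_logs(conns):
    """"per Session" tracking: a new connection that is substantially similar
    to ones already tracked by an open session is folded into that session."""
    open_sessions = {}
    sessions = []
    for c in sorted(conns, key=lambda x: x.ts):
        key = session_key(c)
        s = open_sessions.get(key)
        if s is not None and c.ts - s.last_ts <= SESSION_IDLE_SECONDS:
            s.conn_ids.append(c.conn_id)   # same session, new connection
            s.last_ts = c.ts
        else:
            s = Session(key=key, first_ts=c.ts, last_ts=c.ts, conn_ids=[c.conn_id])
            open_sessions[key] = s
            sessions.append(s)
    return sessions


# Constructed sample: load balancer -> web server on 443. Connection 1 is
# killed at t=100, the LB reconnects at t=130, and a second LB node shows
# up 15 minutes later.
SAMPLE = [
    Connection(0,   "10.1.1.10", "10.2.2.20", 443, "Web-In", 1),
    Connection(130, "10.1.1.10", "10.2.2.20", 443, "Web-In", 2),  # after kill + reconnect
    Connection(900, "10.1.1.11", "10.2.2.20", 443, "Web-In", 3),  # different LB node
]

if __name__ == "__main__":
    for s in per_session_logs(SAMPLE):
        print(f"session {s.key} connections={s.conn_ids} span={s.first_ts}-{s.last_ts}")
    for rec in per_connection_logs(SAMPLE):
        print("connection", rec)
```

Run as a script: the per-session view shows connections 1 and 2 inside one session (the killed connection's replacement was absorbed), whereas the per-connection view lists three distinct records, which is what you want to see when checking that a kill actually took effect.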

D_W
Advisor

Very good to know, thank you!!

Now I need to find out why the https inspection rule is not matching 😅 but this will not be handled in this forum thread.

Cheers,
David
