This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_W
Advisor
‎2021-12-21 12:39 PM
Jump to solution

Session will not go away

Hi Mates,

hope someone knows how to get rid of this:

we have some load balancers in the DMZ pointing to an internal web server.

Now we want to implement SSL inbound inspection into this connection (log4j 😉 )

Rules for this are set -> ok but the connection will not get inspected because the session will not stop. We tried everything we know: Stop/reboot of the load balancers, stop/reboot of the web server. kicked connection via this skript https://community.checkpoint.com/t5/Security-Gateways/How-to-delete-an-specific-entry-from-the-Conne... also created a rule to drop the connection then removed the rule. But still it uses some "old" session as you can see the screen shot.

2021-12-21_21-35.png

 

plz hlp!

Cheers,
David

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion Champion
Champion
‎2021-12-21 01:31 PM
Jump to solution

A "session" exists only as a logging construct.  Individual connections (when bundled together by the gateway) comprise a session.  The techniques you mentioned are to kill a connection (or connections) and do work.  However when a new connection starts back up after the kill that is substantially similar to the previous ones being tracked by a current session, that connection is added back in to the existing session for logging purposes and that is what you are seeing.

If you'd rather not see these session logs, just uncheck "per Session" in the properties of the Track column for the matched rule, and make sure "per Connection" is checked there instead which will give you the more traditional per connection logs which will show that your connection-killing efforts are working as expected.

All I can say for the moment is that some clarity on this somewhat confusing issue is hopefully on the way, and may be delivered in a very public forum in the near future by someone well known here at CheckMates.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

2 Replies
Timothy_Hall
Champion Champion
Champion
‎2021-12-21 01:31 PM
Jump to solution

A "session" exists only as a logging construct.  Individual connections (when bundled together by the gateway) comprise a session.  The techniques you mentioned are to kill a connection (or connections) and do work.  However when a new connection starts back up after the kill that is substantially similar to the previous ones being tracked by a current session, that connection is added back in to the existing session for logging purposes and that is what you are seeing.

If you'd rather not see these session logs, just uncheck "per Session" in the properties of the Track column for the matched rule, and make sure "per Connection" is checked there instead which will give you the more traditional per connection logs which will show that your connection-killing efforts are working as expected.

All I can say for the moment is that some clarity on this somewhat confusing issue is hopefully on the way, and may be delivered in a very public forum in the near future by someone well known here at CheckMates.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
D_W
Advisor
‎2021-12-21 01:53 PM
In response to Timothy_Hall
Jump to solution

Very good to know thank you!!

Now I need to find out why the https inspection rule is not matching 😅 but this will not be handled in this forum thread.

Cheers,
David

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events