Which two statements are correct about security policy changes when using the policy rematch feature? (Choose two.)
The correct answer is B & C. Here's why:

B. When a policy change includes changing the policy's source or destination address match condition, all existing sessions are dropped.
Correct – Changing the source or destination address affects how traffic is matched, so all existing sessions are dropped because they may no longer match the modified policy.

C. When a policy change includes changing the policy's action from permit to deny, all existing sessions are dropped.
Correct – If a policy action is changed from permit to deny, the existing sessions are immediately dropped because they are no longer allowed under the new rule.

Why D is incorrect: D states that sessions are "reevaluated" when source or destination addresses are changed. However, in most firewalls with a policy rematch feature, such changes result in sessions being dropped, not just reevaluated. The system does not keep the session and just check it again; it removes it because the session may no longer be valid.
In my experience C and D are correct. You need to re-evaluate the existing sessions in case you adjust policies and to drop sessions when you change the action from Allow to Drop. Please comment.