Exam JN0-335
Question 8

When a security policy is deleted, which statement is correct about the default behavior for active sessions allowed by that policy?

    Correct Answer: A

    When a security policy is deleted, the default behavior is that the active sessions allowed by that policy will be dropped. Since the policy that permitted the session no longer exists, the session is terminated to maintain the integrity and security of the network.

Discussion
masterkingkhan Option: A

Sorry, a bit confused now. If you deactivate/rename/DELETE a policy that has an existing session, the default behaviour is to drop; even if you have policy re-match enabled, it still drops the active session. If you change the src/dest/app, the default behaviour is "continue to open session"; with policy re-match it re-evaluates. If you change the action from permit to deny, the default behaviour is "continue to open session"; with policy re-match it drops the active session.

masterkingkhan Option: D

The details of the session flow are placed in a session table, which is a real-time list of current sessions on the SRX. Only connections that are active or haven't timed out show up in the session table, which means if the policy is deleted, the active sessions are still in the session table and will eventually time out.

66dc178 Option: B

When a security policy is deleted in a Juniper SRX device, the default behavior for active sessions that were allowed by that policy is that they continue to flow as long as the session remains active. New flows will not be created under the deleted policy, but existing flows stay active until they age out. The "policy-rematch" feature can be configured to cause all active sessions to be re-evaluated against the security policies upon a commit, and sessions will be torn down if they are no longer permitted.

quraitulain Option: A

A is the right answer

masterkingkhan Option: B

B is correct - To solve this you have to enable "policy-rematch" under security policies... otherwise existing sessions are kept open until they time out. With policy-rematch enabled, existing sessions will be reevaluated with the newly updated ruleset.

RickyB Option: B

B is correct as flows will timeout eventually but are not immediately dropped. Need re-match enabled for that.

OkoJun Option: A

Sorry, my mistake. A is correct. If the rule is deleted, all sessions are dropped.

OkoJun Option: D

D is correct. Traffic matching an established session will continue to flow as long as that session remains active. You need to configure "set security policies policy-rematch" if you want to delete the active sessions. See: https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/security-edit-policy-rematch.html

TECH3K3

The link you provided does not support your claim. If anything, it supports answer A.

longanghi Option: A

A correct

ChillingAgain Option: A

A is correct. A deleted policy always immediately drops current sessions. It does not matter if policy rematch is enabled or not.

gondaliya Option: A

A is correct