#7, 2006-04-11
Sergej
Senior Member
 
Join Date: 2005-11-21
Location: Europe, Lithuania
Posts: 291
Re: Connections tables reaching limits and connections are being dropped?

My colleague and I have a theoretical dispute over the following question: "Does a policy push reset all current connections?"

My opinion is that all active connections not denied by the new policy stay active, because no state information is deleted from the firewall enforcement point.

My colleague states that any policy push deletes all the state information. All connections need to be rematched. This leads to a massive reset of all TCP/UDP sessions. This will go unnoticed for HTTP and other short connections, but will reset all long sessions such as eBank SSL, FTP and others.

That means that any policy install (SmartDefense updates or policy modifications) during work hours will lead to disruptions in some critical operations (such as eBanking).

My colleague even asked a Compendun (official Check Point training center) teacher for assistance.

Quote:
Hi
If you do not configure anything special, connections do not survive policy installation, as the connection table is flushed. However, you can try to edit a particular service and change the checkbox "keep connections after security policy is installed"; then the connection table for this particular service will be transferred to the new connection table. Sometimes it even works ;-)
I'm waiting for guru opinions.
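An added check, not part of Sergej's post and not Check Point's own tooling: rather than settle the question by argument, measure the gateway's connection table before and after an install. The script assumes a Check Point gateway where `fw tab -t connections -s` prints a summary row for the `connections` table with the live entry count in the #VALS column, and that `fw fetch` (or a push from SmartDashboard) performs the install. The sample output, the helper names `conn_count` and `classify_change`, and the 50% threshold are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): measure whether the gateway's
# connection table survives a policy install instead of arguing about it.
# Assumes a Check Point gateway where `fw tab -t connections -s` prints a
# summary row for the "connections" table whose 4th column is #VALS
# (number of live entries). Offline, the functions run on constructed output.

# Pull the #VALS figure for the connections table out of `fw tab -s` output.
# $1 is the text of that output.
conn_count() {
    printf '%s\n' "$1" | awk '$2 == "connections" { print $4; exit }'
}

# Classify the change between a before-install and after-install count.
# A flushed table drops sharply right after the install; a table carried over
# keeps roughly the same number of entries (normal churn of short-lived
# connections aside). The 50% threshold is an assumption made for this
# example, not a Check Point figure.
classify_change() {
    before=$1
    after=$2
    [ "$before" -gt 0 ] || { echo "no-baseline"; return 0; }
    lost=$(( (before - after) * 100 / before ))
    if [ "$lost" -ge 50 ]; then
        echo "flushed"
    else
        echo "retained"
    fi
}

# Live use on the gateway, from expert mode:
#   before=$(conn_count "$(fw tab -t connections -s)")
#   fw fetch          # re-fetch the policy from management, or push it from SmartDashboard
#   sleep 5
#   after=$(conn_count "$(fw tab -t connections -s)")
#   classify_change "$before" "$after"

# Constructed sample output, mimicking the summary format of `fw tab -s`.
SAMPLE_BEFORE='HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158  4210  9000   12630'
SAMPLE_AFTER_FLUSH='HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158    23  9000      69'
SAMPLE_AFTER_KEEP='HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             connections                 8158  4105  9000   12315'

if [ "${1:-}" = "demo" ]; then
    b=$(conn_count "$SAMPLE_BEFORE")
    f=$(conn_count "$SAMPLE_AFTER_FLUSH")
    k=$(conn_count "$SAMPLE_AFTER_KEEP")
    echo "before install: $b entries"
    echo "after install (flushed sample):  $f entries -> $(classify_change "$b" "$f")"
    echo "after install (retained sample): $k entries -> $(classify_change "$b" "$k")"
fi
```

Run it with `sh script.sh demo` to see the two constructed outcomes. On a real gateway, pair the table count with an application-level check: keep one long-lived session (an SSH or FTP session through the gateway) open across the install and note whether it stays up, which is the disruption the post is actually worried about.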