
Time periods and established connections

What is the expected behavior for an existing connection when the firewall rule that created the connection becomes no longer in its allowed time period?

So my time period is 6am-9pm, and a 100Gbyte download is started at 8:55pm. Should that connection be terminated once 9pm happens, or does XG allow existing connections to continue uninterrupted?

This is what I'm seeing, but I'm concerned that the connection is being allowed by my default rule. Even though my default rule has all applications and web categories blocked, I'm still seeing a small number of connections succeed on the default rule for no obvious reason, e.g. "settings.data.microsoft.com/" is allowed, while "HK2SCH130021135.wns.windows.com/" is blocked, even though both have the same category and both should be blocked.

I'm also seeing allows for the rule with the time period on it, even though it's now well and truly outside the time period, so maybe time periods don't work as expected?

Any confirmation on the expected behavior of the time periods and established connections would be appreciated.

Thanks

James



  • James,

    Check Web > Exceptions to see if there are any URLs where Policy check is turned on.

    For the connection, if the time expires, no new connection will be allowed, but open connections... I guess they will not be terminated.

  • The behavior I'd expect is that the moment there is no allow for the connection (because the rule that allowed it is now outside its time period), XG would send RST packets in response to any further attempt at communication (or whatever REJECT behavior is appropriate for the type of connection).

    I'm not seeing this happen. I'm hoping someone can tell me with authority that "yes, XG will allow established connections even if there is no longer a firewall rule that would allow them", or "no, the connection should be dropped". The former would be unexpected, and therefore bad, but at least I'd know. The latter would mean maybe I should check my rules again... I'm seeing unexpected behavior all over the place at the moment.

    James
