Enabling Rematch Sessions is a best practice that applies newly configured or edited Security Policy rules, once committed, to existing sessions. However, if you configure Tunnel Content Inspection on a zone and Rematch Sessions is enabled, you must also disable Reject Non-SYN TCP (change the selection from Global to No); otherwise, when you enable or edit a Tunnel Content Inspection policy, the firewall drops all existing tunnel sessions. Create a separate Zone Protection profile that disables Reject Non-SYN TCP only on zones that have Tunnel Content Inspection policies, and only when you enable Rematch Sessions.
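As an added example (not from the vendor documentation), the following Python audits a simplified, constructed model of these settings for the combination described above and applies the recommended fix: a dedicated Zone Protection profile with Reject Non-SYN TCP set to No, attached only to zones that have Tunnel Content Inspection. The dictionary layout, key names and the rule that a zone without a profile inherits the firewall-wide (Global) setting are assumptions for illustration, not the real PAN-OS schema.

```python
from copy import deepcopy

# Constructed sample: Rematch Sessions on, one zone with Tunnel Content
# Inspection, both zones sharing a profile that leaves Reject Non-SYN TCP at Global.
SAMPLE_CONFIG = {
    "rematch_sessions": True,
    "zone_protection_profiles": {"default-zpp": {"reject_non_syn_tcp": "global"}},
    "zones": [
        {"name": "untrust", "zone_protection_profile": "default-zpp",
         "tunnel_content_inspection": True},
        {"name": "trust", "zone_protection_profile": "default-zpp",
         "tunnel_content_inspection": False},
    ],
}


def _effective_reject_non_syn(zone, profiles):
    """Reject Non-SYN TCP value in force on a zone (assumption: no profile
    attached means the firewall-wide setting, modelled as 'global', applies)."""
    name = zone.get("zone_protection_profile")
    if name is None:
        return "global"
    return profiles[name].get("reject_non_syn_tcp", "global")


def audit(config):
    """Names of zones whose existing tunnel sessions would be dropped the next
    time a Tunnel Content Inspection policy is enabled or edited."""
    if not config.get("rematch_sessions", False):
        return []  # the drop only happens when Rematch Sessions is enabled
    profiles = config.get("zone_protection_profiles", {})
    return [z["name"] for z in config.get("zones", [])
            if z.get("tunnel_content_inspection")
            and _effective_reject_non_syn(z, profiles) != "no"]


def remediate(config, suffix="-tunnel-inspection"):
    """Return a copy of config where each flagged zone gets its own copy of
    its current profile with Reject Non-SYN TCP set to 'no'; other zones and
    the original profiles are left untouched."""
    fixed = deepcopy(config)
    profiles = fixed.setdefault("zone_protection_profiles", {})
    for zone in fixed["zones"]:
        if zone["name"] not in audit(config):
            continue
        src = zone.get("zone_protection_profile")
        new_name = (src or "default") + suffix
        if new_name not in profiles:
            profiles[new_name] = dict(profiles.get(src, {}), reject_non_syn_tcp="no")
        zone["zone_protection_profile"] = new_name
    return fixed
```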