Enabling Rematch Sessions is a best practice that applies committed newly configured or edited Security Policy rules to existing sessions. However, if you configure Tunnel Content Inspection on a zone and Rematch Sessions is enabled, you must also disable Reject Non-SYN TCP (change the selection from Global to No), or else when you enable or edit a Tunnel Content Inspection policy, the firewall drops all existing tunnel sessions. Create a separate Zone Protection profile to disable Reject Non-SYN TCP only on zones that have Tunnel Content Inspection policies and only when you enable Rematch Sessions.