Enabling Rematch Sessions is a best practice that applies newly configured or edited Security Policy rules, once committed, to existing sessions. However, if you configure Tunnel Content Inspection on a zone and Rematch Sessions is enabled, you must also disable Reject Non-SYN TCP (change the selection from Global to No); otherwise, when you enable or edit a Tunnel Content Inspection policy, the firewall drops all existing tunnel sessions. Create a separate Zone Protection profile to disable Reject Non-SYN TCP only on zones that have Tunnel Content Inspection policies, and only when you enable Rematch Sessions.