Enabling Rematch Sessions is a best practice: when you commit newly configured or edited Security policy rules, the firewall applies them to existing sessions as well. However, if you configure Tunnel Content Inspection on a zone and Rematch Sessions is enabled, you must also disable Reject Non-SYN TCP in the Zone Protection profile applied to that zone (change the selection from Global to No). Otherwise, when you enable or edit a Tunnel Content Inspection policy, the firewall drops all existing tunnel sessions. Create a separate Zone Protection profile that disables Reject Non-SYN TCP and apply it only to zones that have Tunnel Content Inspection policies, and only when Rematch Sessions is enabled, so that non-SYN TCP rejection stays in effect on every other zone.
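As an added check (example code, not Palo Alto Networks' own), the following Python audits a configuration export for this interaction: it flags Tunnel Content Inspection zones that still reject non-SYN TCP while Rematch Sessions is enabled, and it flags profiles that disable Reject Non-SYN TCP on zones where the guidance above does not call for it. The XML layout, the element paths, and the assumption that both the source and destination zones of a Tunnel Inspection rule count as zones with a Tunnel Content Inspection policy are illustrative assumptions, not a verified PAN-OS schema; the sample configuration is constructed, not captured from a firewall.

```python
# Added audit for the Rematch Sessions / Tunnel Content Inspection /
# Reject Non-SYN TCP interaction. Example code, not Palo Alto Networks' own.
# The XML layout approximates a PAN-OS configuration export; element paths
# are assumptions for illustration, not a verified schema.
import xml.etree.ElementTree as ET

# Constructed sample configuration (not captured from a real firewall).
# - Rematch Sessions is enabled.
# - Tunnel Inspection rule "inspect-gre" references zones tunnel-zone and untrust.
# - tunnel-zone and untrust use a profile that leaves Reject Non-SYN TCP at
#   "global", so a Tunnel Inspection policy edit would drop their tunnel sessions.
# - trust disables Reject Non-SYN TCP although it has no Tunnel Inspection rule.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><setting><session>
      <rematch-sessions>yes</rematch-sessions>
    </session></setting></deviceconfig>
    <network><profiles><zone-protection-profile>
      <entry name="zpp-default"><tcp-reject-non-syn>global</tcp-reject-non-syn></entry>
      <entry name="zpp-tci"><tcp-reject-non-syn>no</tcp-reject-non-syn></entry>
    </zone-protection-profile></profiles></network>
    <vsys><entry name="vsys1">
      <zone>
        <entry name="tunnel-zone"><network><zone-protection-profile>zpp-default</zone-protection-profile></network></entry>
        <entry name="trust"><network><zone-protection-profile>zpp-tci</zone-protection-profile></network></entry>
        <entry name="untrust"><network><zone-protection-profile>zpp-default</zone-protection-profile></network></entry>
      </zone>
      <rulebase><tunnel-inspect><rules>
        <entry name="inspect-gre"><from><member>tunnel-zone</member></from><to><member>untrust</member></to></entry>
      </rules></tunnel-inspect></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""

NEEDS_NO = "reject-non-syn-must-be-no"
OVER_BROAD = "reject-non-syn-disabled-without-need"


def tci_zones(vsys):
    """Zones referenced as source or destination by any Tunnel Inspection rule.
    Assumption: both ends of a rule count as zones with a TCI policy."""
    zones = set()
    for rule in vsys.findall("./rulebase/tunnel-inspect/rules/entry"):
        for member in rule.findall("./from/member") + rule.findall("./to/member"):
            zones.add(member.text.strip())
    return zones


def audit(config_xml):
    """Return sorted (zone, finding, detail) tuples for zones whose Reject
    Non-SYN TCP setting is inconsistent with the guidance on this page."""
    dev = ET.fromstring(config_xml).find("./devices/entry")
    rematch = dev.findtext("./deviceconfig/setting/session/rematch-sessions", "no") == "yes"
    # Profile name -> tcp-reject-non-syn value; an unset value follows the global setting.
    profiles = {
        e.get("name"): (e.findtext("tcp-reject-non-syn") or "global")
        for e in dev.findall("./network/profiles/zone-protection-profile/entry")
    }
    findings = []
    for vsys in dev.findall("./vsys/entry"):
        inspected = tci_zones(vsys)
        for zone in vsys.findall("./zone/entry"):
            name = zone.get("name")
            profile = zone.findtext("./network/zone-protection-profile")
            # A zone with no profile assigned behaves like "global" for this setting.
            setting = profiles.get(profile, "global")
            if name in inspected and rematch and setting != "no":
                findings.append((name, NEEDS_NO,
                    f"TCI zone with Rematch Sessions enabled; profile "
                    f"{profile or '(none)'} has tcp-reject-non-syn={setting}"))
            elif setting == "no" and not (name in inspected and rematch):
                reason = ("zone has no Tunnel Content Inspection policy"
                          if name not in inspected
                          else "Rematch Sessions is disabled, so it is not needed")
                findings.append((name, OVER_BROAD,
                    f"profile {profile} disables Reject Non-SYN TCP but {reason}"))
    return sorted(findings)


if __name__ == "__main__":
    for zone, finding, detail in audit(SAMPLE_CONFIG):
        print(f"{zone}: {finding}: {detail}")
```

Running it against the constructed sample reports tunnel-zone and untrust as needing Reject Non-SYN TCP set to No, and trust as having it disabled without a Tunnel Content Inspection policy; swapping the profile assignments so that only the two inspected zones use zpp-tci clears all findings.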