Alert log with "Rematch Info" field set to "Additional engines are required for new policy enforcement and cannot be activated on established old connection"
Symptoms
  • Alert log with "Rematch Info" field set to "Additional engines are required for new policy enforcement and cannot be activated on established old connection"
  • Log with "Reason" field set to "Additional engines are required for new policy enforcement and cannot be activated on established old connection"
Cause

Connections that have been put into the Connections Table are examined against the newly installed policy according to the 'Connection Persistence' configuration.

In Unified Policy, the terminology of the 'Connection Persistence' configuration has slightly changed, because connections can reach a final match decision not only on the first packet but also on the following data packets, when content inspection is involved.

As a result, keeping existing connections open and enforcing the newly installed policy only for new connections cannot be guaranteed, because old connections continue to pass rule base examination depending on their connection state.

Moreover, Unified Policy has extended the variety of filter criteria, allowing new types of objects in the policy (e.g. URL Category or File Type), which require the activation of a dedicated inspection engine (blade) on the connection (such as URLF or Content Awareness).

Thus the rematch, or the enforcement of the new policy, can lead to a permanent no final match, because the engines necessary for the new policy cannot be activated on existing connections.

