Connections that have been put into the Connections Table are examined against the newly installed policy according to the 'Connection Persistence' configuration.
In Unified Policy, the terminology of the 'Connection Persistence' configuration has changed slightly, because connections can reach a final match decision not only on the first packet but also on the data packets that follow, when content inspection is involved.
As a result, keeping existing connections open and enforcing the newly installed policy only for new connections cannot be guaranteed, because old connections continue to pass rule base examination depending on their connection state.
Moreover, Unified Policy has extended the variety of filter criteria, allowing new types of objects in the policy (e.g. URL Category or File Type), which require the activation of a dedicated inspection engine (blade) on the connection (such as URLF or Content Awareness).
Thus the rematch, or the enforcement of the new policy, can lead to a permanent no final match, because the engines required by the new policy cannot be activated on existing connections.
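
The rematch problem described above, as a simplified Python model added here for illustration; it is not Check Point code. The rule names, the `final`/`pending`/`stuck` states and the one-engine-per-criterion mapping are assumptions of the model.

```python
from dataclasses import dataclass, field

# Toy model, not Check Point code: each content criterion needs one engine (blade).
ENGINE_FOR = {"url_category": "URLF", "file_type": "Content Awareness"}

@dataclass
class Rule:
    name: str
    service: str                                  # decidable on the first packet
    content: dict = field(default_factory=dict)   # decidable only on data packets
    action: str = "accept"

@dataclass
class Connection:
    service: str
    engines: frozenset                            # fixed when the connection opens
    seen: dict = field(default_factory=dict)      # content learned so far

def open_connection(service, policy):
    """Activate only the engines the currently installed policy requires."""
    needed = frozenset(ENGINE_FOR[k] for r in policy for k in r.content)
    return Connection(service, needed)

def inspect(conn, key, value):
    """A data packet reveals content only if the matching engine is active."""
    if ENGINE_FOR[key] in conn.engines:
        conn.seen[key] = value

def match(policy, conn):
    """Top-down match; returns (state, rule name), state in final/pending/stuck."""
    for rule in policy:
        if rule.service not in ("any", conn.service):
            continue
        if any(conn.seen.get(k, v) != v for k, v in rule.content.items()):
            continue                              # known content rules this rule out
        unknown = [k for k in rule.content if k not in conn.seen]
        if not unknown:
            return "final", rule.name
        if any(ENGINE_FOR[k] not in conn.engines for k in unknown):
            return "stuck", rule.name             # can never be decided
        return "pending", rule.name               # later data packets will decide
    return "final", "implicit-drop"

# Constructed sample policies: NEW adds a URL Category rule on top of OLD.
OLD = [Rule("allow-web", "https"), Rule("cleanup", "any", action="drop")]
NEW = [Rule("block-gambling", "https", {"url_category": "Gambling"}, "drop")] + OLD
```

A connection opened under `OLD` and rematched against `NEW` stays `stuck` on `block-gambling` no matter how many data packets follow, while a connection opened under `NEW` moves from `pending` to a final match once the URL category is known.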