The schedule in a security policy enables certain aspects of network traffic to occur for a specific length of time. What it does not do however, is police that time. That is, the policy is active for a given time frame, and as long as the session is open, traffic can continue to flow.
For example, in an office environment, Skype use is allowed between noon and 1pm. During that hour, any Skype traffic continues. As long as that session is open, after the 1pm end time, the Skype conversations can continue, yet new sessions will be blocked. Ideally, the Skype session should close at 1pm.
Using a CLI command you can set the schedule to terminate all sessions when the end time of the schedule is reached. Within the config firewall command enter the command:
set schedule-timeout enable
By default, this option is set to disable.
A few further settings are needed to make this work.
config firewall policy
set firewall-session-dirty check-new
config system settings
set firewall-session-dirty check-policy-option
The firewall-session-dirty setting has three options
||CPU flushes all current sessions and re-evaluates them. [default]|
||CPU keeps existing sessions and applies policy changes to new sessions only. This reduces CPU load and the possibility of packet loss.|
||Use the option selected in the firewall-session-dirty field of the firewall policy (check-all or check-new, as above, but per policy).|