Thursday, March 30, 2006

Q: What do the choices under the firewall object's "Connection Persistence" dialog mean?

A:
The "connection persistence" settings define how the firewall treats established connections when installing a new policy.
  • Keep all connections: Keeps all control and data connections open until they end. The newly installed policy is enforced on new connections only.
  • Keep data connections: Keeps all data connections open until they end. Control connections that are not allowed under the new policy are terminated.
  • Rematch connections: All connections not allowed under the new policy are terminated.
Additionally and separately, each service has its own checkbox titled "Keep connections open after policy install", normally not checked. If checked, this service's connections survive a policy install as if "keep all connections" were the global policy, regardless of what the global policy actually is. Therefore, this checkbox overrides the global policy setting.
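
A small model of the behaviour described above, as an added example (it is not Check Point code and not part of the original post). The connection table, the rule set and every name in it are constructed for illustration, and all non-data connections are treated as control connections.

```python
from dataclasses import dataclass

KEEP_ALL, KEEP_DATA, REMATCH = "keep_all", "keep_data", "rematch"

@dataclass(frozen=True)
class Conn:
    service: str   # service object the connection matched, e.g. "ftp"
    kind: str      # "control" or "data"
    dst: str       # destination host

def survives(conn, mode, new_policy, keep_open=frozenset()):
    """True if an established connection survives the policy install.

    new_policy: set of (service, dst) pairs the new policy accepts (constructed model).
    keep_open:  services with "Keep connections open after policy install" checked.
    """
    if mode not in (KEEP_ALL, KEEP_DATA, REMATCH):
        raise ValueError(f"unknown persistence mode: {mode}")
    if conn.service in keep_open:      # per-service checkbox overrides the global mode
        return True
    if mode == KEEP_ALL:               # new policy applies to new connections only
        return True
    if mode == KEEP_DATA and conn.kind == "data":
        return True                    # data connections run to completion
    # Rematch, or a control connection under "keep data": re-check against new policy.
    return (conn.service, conn.dst) in new_policy

def install(table, mode, new_policy, keep_open=frozenset()):
    """Return the connections still open after the install."""
    return [c for c in table if survives(c, mode, new_policy, keep_open)]

# Constructed connection table and new rule base (illustrative only).
TABLE = [
    Conn("ftp", "control", "10.0.0.5"),
    Conn("ftp", "data", "10.0.0.5"),
    Conn("ssh", "control", "10.0.0.7"),
    Conn("telnet", "control", "10.0.0.9"),
]
NEW_POLICY = {("ssh", "10.0.0.7")}     # FTP and telnet are no longer accepted

if __name__ == "__main__":
    for mode in (KEEP_ALL, KEEP_DATA, REMATCH):
        kept = install(TABLE, mode, NEW_POLICY)
        print(f"{mode:10}", [(c.service, c.kind) for c in kept])
    # Same install with the checkbox set on the telnet service object.
    kept = install(TABLE, REMATCH, NEW_POLICY, keep_open={"telnet"})
    print("rematch + telnet kept open:", [(c.service, c.kind) for c in kept])
```

In this model, under "keep all connections" the telnet session that the new rule base no longer accepts stays open until it ends, which matters when a policy install is meant to revoke access.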
