I have long-lived connections that were already allowed by policy rules, yet were denied when I installed policy (regardless of the change).
When you install policy with the VPM, the policy engine re-evaluates existing, previously allowed transactions to ensure policy integrity during processing. This re-evaluation can deny existing connections if an associated condition has changed. However, even if you install policy from the VPM without making any changes, a similar problem can occur if the order of the policy layers is not optimal.
This problem occurs only when both of the following are true:
A force action is used, such as force_deny or force_exception
A user/group source condition comes earlier than the authentication rule (see the examples below)
Reordering the Policy Layer.
In this example, a Web Access Layer with a user/group source condition is placed before the Web Authentication Layer. With this layer order, the already-allowed transaction is denied when the ProxySG re-evaluates existing transactions, because the user/group condition is evaluated before authentication has been established for the connection.
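The same layer order expressed in CPL, the policy language the VPM generates, as an added illustration that is not taken from the original article (the realm name MyRealm and group name Blocked_Users are assumed placeholders). The first pair of layers reproduces the problematic order; the second pair moves the authentication layer ahead of the group test, which is the reordering the section describes.

```cpl
; --- Problematic order: group test runs before the authentication layer ---
; Layer 1 (Web Access Layer): force action keyed on a group condition.
; During policy re-evaluation this layer is reached before authenticate()
; has run for the existing transaction, so the force_deny can fire.
<Proxy>
    group="Blocked_Users" force_deny      ; group name is a placeholder

; Layer 2 (Web Authentication Layer): authentication is requested too late.
<Proxy>
    authenticate(MyRealm)                 ; realm name is a placeholder


; --- Corrected order: authenticate first, then evaluate user/group rules ---
; Layer 1 (Web Authentication Layer): establish the user identity up front.
<Proxy>
    authenticate(MyRealm)

; Layer 2 (Web Access Layer): the group condition now sees an
; authenticated user, so re-evaluation on policy install does not
; deny connections that policy already allows.
<Proxy>
    group="Blocked_Users" force_deny
```

After reordering, install the policy again and confirm that existing, already-allowed connections are not dropped during the re-evaluation.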