Feature #14265

Updated by Jim Pingle about 1 year ago

Currently, once the user logs in, their session is valid even if the client source address changes. This allows the user to roam if they happen to change WANs (e.g. client behind multi-WAN load balancing, CGN, cell network, etc.) or if they access by hostname and have to downgrade from IPv6 to IPv4. However, this behavior is less secure than invalidating the session if the client address changes, forcing the user to log back in if the address changes. This is largely moot for most users, however, as they should be accessing the firewall over a VPN or local management network and the address is less likely to change in those cases, making it safer to activate.

Having the option to enable this strict behavior would be good from a security standpoint, though I am hesitant to activate it by default given the potential for disruption.
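
The strict check described in this request, sketched as an added example; it is not pfSense code and not part of the original issue. The `SessionStore` class and its `strict_address` option are hypothetical names, and the addresses are constructed documentation-range values.

```python
import ipaddress
import secrets


def canonical(addr):
    """Normalise an address so ::ffff:192.0.2.10 and 192.0.2.10 compare equal."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # only set on IPv4-mapped IPv6
    return mapped if mapped is not None else ip


class SessionStore:
    def __init__(self, strict_address=False):
        self.strict_address = strict_address  # hypothetical option name
        self._sessions = {}                   # token -> (user, login address)

    def login(self, user, client_addr):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, canonical(client_addr))
        return token

    def validate(self, token, client_addr):
        """Return the user for a valid session, or None if re-login is required."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, login_addr = entry
        if self.strict_address and canonical(client_addr) != login_addr:
            # Address changed: invalidate the session instead of only rejecting
            # this request, so the token is also dead from the original address.
            del self._sessions[token]
            return None
        return user


def demo():
    """Run the same roaming sequence with the option off and on."""
    results = {}
    for strict in (False, True):
        store = SessionStore(strict_address=strict)
        token = store.login("admin", "2001:db8::10")   # constructed addresses
        results[strict] = [
            store.validate(token, "2001:db8::10"),     # same address
            store.validate(token, "192.0.2.10"),       # IPv6 to IPv4 downgrade
            store.validate(token, "2001:db8::10"),     # back on the login address
        ]
    return results
```

With the option off, all three requests succeed; with it on, the downgrade to IPv4 ends the session and the user must log in again, which is the disruption the request is weighing.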
