Focus

High Availability Support for Decrypted Sessions

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

TLSv1.3 Decryption

Decryption Mirroring

High Availability Support for Decrypted Sessions

High Availability (HA) sync is supported for inbound, decrypted SSL sessions, if the sessions were established using non-PFS key exchange algorithms.

The firewall supports High Availability (HA) sync only for inbound, decrypted SSL sessions, and only if the sessions were established using non-PFS key exchange algorithms. The firewall does not support HA sync for any other decrypted traffic. The firewall decrypts new sessions that start after the failover based on Decryption policy.

The following table shows HA sync support for decrypted sessions after a failover:

Session Type	PFS Key Exchange	Non-PFS Key Exchange
Inbound SSL Session (Inbound Inspection Decryption)	No HA Sync, firewall drops the session	HA Sync occurs, firewall allows the session but does not decrypt the session
Outbound SSL Sessions (SSL Forward Proxy Decryption)	No HA Sync, firewall drops the session	No HA Sync, firewall drops the session

TLSv1.3 Decryption

Decryption Mirroring

Next-Generation Firewall Docs

High Availability Support for Decrypted Sessions

Next-Generation Firewall Docs

High Availability Support for Decrypted Sessions

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner