High Availability Support for Decrypted Sessions
End-of-Life (EoL)

High Availability (HA) sync is supported for inbound, decrypted SSL sessions, if the sessions were established using non-PFS key exchange algorithms.
The firewall supports High Availability (HA) sync only for inbound, decrypted SSL sessions, and only if the sessions were established using non-PFS key exchange algorithms. The firewall does not support HA sync for any other decrypted traffic. The firewall decrypts new sessions that start after the failover based on Decryption policy.
The following table shows HA sync support for decrypted sessions after a failover:

| Session Type | PFS Key Exchange | Non-PFS Key Exchange |
| --- | --- | --- |
| Inbound SSL Session (Inbound Inspection Decryption) | No HA Sync, firewall drops the session | HA Sync occurs, firewall allows the session but does not decrypt the session |
| Outbound SSL Sessions (SSL Forward Proxy Decryption) | No HA Sync, firewall drops the session | No HA Sync, firewall drops the session |