High Availability Support for Decrypted Sessions
Table of Contents
High Availability Support for Decrypted Sessions
High Availability (HA) syncs are supported for inbound, decrypted
SSL sessions, if the sessions were established using non-PFS key exchange
algorithms.
High Availability (HA) syncs are supported for inbound, decrypted
SSL sessions, if the sessions were established using non-PFS key exchange
algorithms. When a failover occurs, the passive device continues
to inspect and enforce the decrypted traffic.
HA syncs are not supported for:
- decrypted SSL sessions (both inbound and outbound) that were established using PFS key exchange algorithms
- decrypted, outbound SSL sessions using non-PFS key exchange algorithms
In these cases, when a failover occurs, the passive device allows
transferred sessions without decrypting them. New sessions will
then continue to be decrypted based on your decryption policy.
The following table details HA support for decrypted sessions:
| PFS Protected Session | Non-PFS Protected Session | |
|---|---|---|
Inbound SSL Session (Inbound Inspection Decryption) | — No HA Sync | 
HA
Sync |
Outbound SSL Sessions (SSL Forward
Proxy Decryption) | — No HA Sync | — No HA Sync |