High Availability Support for Decrypted Sessions

High Availability (HA) sync is supported for inbound, decrypted SSL sessions, if the sessions were established using non-PFS key exchange algorithms.
The firewall supports High Availability (HA) sync only for inbound, decrypted SSL sessions, and only if the sessions were established using non-PFS key exchange algorithms. The firewall does not support HA sync for any other decrypted traffic. The firewall decrypts new sessions that start after the failover based on Decryption policy.
The following table shows HA sync support for decrypted sessions after a failover:
| Session Type | PFS Key Exchange | Non-PFS Key Exchange |
| --- | --- | --- |
| Inbound SSL Session (Inbound Inspection Decryption) | No HA Sync, firewall drops the session | HA Sync occurs, firewall allows the session but does not decrypt the session |
| Outbound SSL Sessions (SSL Forward Proxy Decryption) | No HA Sync, firewall drops the session | No HA Sync, firewall drops the session |
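To estimate how many established decrypted sessions a failover would drop, the table above can be applied to an inventory of negotiated cipher suites. The following Python sketch is an added example, not vendor code: it classifies IANA- or OpenSSL-style suite names as PFS or non-PFS and maps each session to the outcome in the table. The session-type labels, the outcome strings, and the sample inventory are constructed for illustration and do not come from firewall output.

```python
import re

# Post-failover outcome per the table above, keyed by (session type, PFS key exchange?).
OUTCOME = {
    ("inbound", True): "no HA sync: dropped",
    ("inbound", False): "HA sync: allowed, not decrypted",
    ("forward-proxy", True): "no HA sync: dropped",
    ("forward-proxy", False): "no HA sync: dropped",
}

# TLS 1.3 suite names omit the key exchange; TLS 1.3 always uses ephemeral (EC)DHE.
TLS13_SUITE = re.compile(r"^TLS_(AES|CHACHA20)_")
EPHEMERAL = {"ECDHE", "DHE", "EDH"}  # static ECDH / DH / RSA are non-PFS


def is_pfs(suite: str) -> bool:
    """Classify an IANA- or OpenSSL-style cipher suite name as PFS or non-PFS."""
    name = suite.strip().upper().replace("-", "_")
    if not name:
        raise ValueError("empty cipher suite name")
    if TLS13_SUITE.match(name):
        return True
    return bool(EPHEMERAL & set(name.split("_")))


def after_failover(session_type: str, suite: str) -> str:
    """Expected handling of an already-decrypted session once the peer takes over."""
    return OUTCOME[(session_type, is_pfs(suite))]


def summarize(sessions):
    """Count sessions per outcome; sessions is an iterable of (type, suite)."""
    counts = {}
    for session_type, suite in sessions:
        outcome = after_failover(session_type, suite)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample inventory, not firewall output.
SAMPLE = [
    ("inbound", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("inbound", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("inbound", "TLS_AES_256_GCM_SHA384"),
    ("forward-proxy", "AES128-SHA"),
]

if __name__ == "__main__":
    for outcome, n in summarize(SAMPLE).items():
        print(f"{n:3d}  {outcome}")
```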
