High Availability (HA) Support for Decrypted Sessions
High Availability (HA) syncs are supported for inbound, decrypted SSL sessions, if the sessions were established using non-PFS key exchange algorithms. When a failover occurs, the passive device continues to inspect and enforce the decrypted traffic.
HA syncs are not supported for:
- decrypted SSL sessions (both inbound and outbound) that were established using PFS key exchange algorithms
- decrypted, outbound SSL sessions using non-PFS key exchange algorithms
In these cases, when a failover occurs, the passive device allows transferred sessions without decrypting them. New sessions will then continue to be decrypted based on your decryption policy.
The following table details HA support for decrypted sessions:
| | PFS Protected Session | Non-PFS Protected Session |
|---|---|---|
| Inbound SSL Session (Inbound Inspection Decryption) | No HA Sync | HA Sync |
| Outbound SSL Sessions (SSL Forward Proxy Decryption) | No HA Sync | No HA Sync |
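
The support rules above applied to a session inventory, as an added example (not Palo Alto Networks code): it flags which decrypted sessions would continue uninspected after a failover. The record fields, function names and sample sessions are constructed for illustration, and TLS 1.3 suites are assumed to use an (EC)DHE handshake.

```python
import re

# Key-exchange tokens that mark an ephemeral (PFS) handshake in TLS 1.2 and
# earlier suite names, in IANA (TLS_ECDHE_...) or OpenSSL (ECDHE-...) spelling.
# Static ECDH/DH and plain RSA key exchange do not match.
_PFS_KX = re.compile(r"(?:^|[_-])(?:ECDHE|DHE|EDH)(?:[_-]|$)")
# TLS 1.3 suites name no key exchange, e.g. TLS_AES_128_GCM_SHA256.
_TLS13 = re.compile(r"^TLS_(?:AES|CHACHA20)_")


def is_pfs(suite: str) -> bool:
    """True if the suite name implies an ephemeral key exchange.

    Assumption: TLS 1.3 is treated as PFS ((EC)DHE, not PSK-only resumption).
    """
    name = suite.upper()
    return bool(_TLS13.match(name) or _PFS_KX.search(name))


def after_failover(direction: str, suite: str) -> str:
    """Apply the HA support rules to one decrypted session."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {direction!r}")
    # Only inbound, non-PFS sessions are synced to the passive device.
    if direction == "inbound" and not is_pfs(suite):
        return "synced-decrypted"
    return "passed-undecrypted"


def inspection_gap(sessions):
    """Return the sessions that would continue uninspected after a failover."""
    return [s for s in sessions
            if after_failover(s["direction"], s["suite"]) == "passed-undecrypted"]


# Constructed sample records (not firewall output).
SAMPLE = [
    {"id": 1, "direction": "inbound", "suite": "TLS_RSA_WITH_AES_128_GCM_SHA256"},
    {"id": 2, "direction": "inbound", "suite": "ECDHE-RSA-AES256-GCM-SHA384"},
    {"id": 3, "direction": "outbound", "suite": "AES128-SHA"},
    {"id": 4, "direction": "inbound", "suite": "TLS_AES_256_GCM_SHA384"},
    {"id": 5, "direction": "inbound", "suite": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
]

if __name__ == "__main__":
    for s in inspection_gap(SAMPLE):
        print(s["id"], s["direction"], s["suite"])
```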