High Availability (HA) Support for Decrypted Sessions

High Availability (HA) syncs are supported for inbound, decrypted SSL sessions, if the sessions were established using non-PFS key exchange algorithms. When a failover occurs, the passive device continues to inspect and enforce the decrypted traffic.
HA syncs are not supported for:
  • decrypted SSL sessions (both inbound and outbound) that were established using PFS key exchange algorithms
  • decrypted, outbound SSL sessions using non-PFS key exchange algorithms
In these cases, when a failover occurs, the passive device allows transferred sessions without decrypting them. New sessions will then continue to be decrypted based on your decryption policy.
The following table details HA support for decrypted sessions:
| | PFS Protected Session | Non-PFS Protected Session |
|---|---|---|
| Inbound SSL Session (Inbound Inspection Decryption) | No HA Sync | HA Sync |
| Outbound SSL Sessions (SSL Forward Proxy Decryption) | No HA Sync | No HA Sync |
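
The support matrix above can be applied to a session inventory to see which decrypted flows would pass uninspected after a failover. This is an added example, not vendor code; the session record layout, the function names and the name-based PFS classification are assumptions.

```python
# Added example (not vendor code): apply this page's HA support matrix
# to a list of decrypted sessions to find post-failover inspection gaps.
import re

# Suite names that show an ephemeral (EC)DHE key exchange, in IANA
# (TLS_ECDHE_...) or OpenSSL (ECDHE-...) style. Static RSA/ECDH do not match.
_PFS_KX = re.compile(r"(?:^|[_-])(?:ECDHE|DHE|EDH)(?:[_-]|$)")
# TLS 1.3 suite names carry no key exchange. Assumption: treated as PFS,
# since a TLS 1.3 full handshake always uses ephemeral (EC)DHE.
_TLS13 = re.compile(r"^TLS_(?:AES|CHACHA20)_")


def is_pfs(cipher_suite: str) -> bool:
    """True when the suite name indicates a PFS key exchange."""
    name = cipher_suite.strip().upper()
    return bool(_TLS13.match(name) or _PFS_KX.search(name))


def failover_outcome(direction: str, cipher_suite: str) -> str:
    """How the passive device treats a transferred decrypted session."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction: {direction!r}")
    # Per the table: only inbound, non-PFS sessions are HA-synced.
    if direction == "inbound" and not is_pfs(cipher_suite):
        return "synced: still decrypted and inspected"
    return "not synced: allowed without decryption"


def inspection_gaps(sessions):
    """Sessions that would continue without decryption after a failover."""
    return [s for s in sessions
            if failover_outcome(s["direction"], s["cipher"]).startswith("not synced")]


# Constructed sample sessions (hypothetical record layout).
SAMPLE = [
    {"id": 1, "direction": "inbound", "cipher": "TLS_RSA_WITH_AES_128_GCM_SHA256"},
    {"id": 2, "direction": "inbound", "cipher": "ECDHE-RSA-AES256-GCM-SHA384"},
    {"id": 3, "direction": "outbound", "cipher": "TLS_RSA_WITH_AES_256_CBC_SHA"},
    {"id": 4, "direction": "outbound", "cipher": "TLS_AES_128_GCM_SHA256"},
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s["id"], s["direction"], s["cipher"], "->",
              failover_outcome(s["direction"], s["cipher"]))
    print("uninspected after failover:", [s["id"] for s in inspection_gaps(SAMPLE)])
```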
