In an HA failover scenario what happens with sessions decrypted by a SSL Forward Proxy Decryption policy?
In an HA failover scenario involving SSL Forward Proxy Decryption, the passive device allows transferred sessions without decrypting them. New sessions that start after the failover will be decrypted based on the decryption policy. The firewall does not resume decryption for already established sessions, so the correct response would be that the transferred sessions are allowed but not decrypted.
Correct answer D https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability
HA syncs are not supported for: decrypted SSL sessions (both inbound and outbound) that were established using PFS key exchange algorithms; decrypted, outbound SSL sessions using non-PFS key exchange algorithms. >>> In these cases, when a failover occurs, the passive device allows transferred sessions without decrypting them. New sessions will then continue to be decrypted based on your decryption policy.
D is correct
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability#:~:text=when%20a%20failover%20occurs%2C%20the%20passive%20device%20allows%20transferred%20sessions%20without%20decrypting%20them.%20New%20sessions%20will%20then%20continue%20to%20be%20decrypted%20based%20on%20your%20decryption%20policy.
Correct answer A In an HA failover scenario, the active firewall takes over the traffic processing from the failed firewall. The SSL Forward Proxy Decryption policy is configured on the firewall to decrypt the SSL traffic and inspect it for threats. If the firewall fails over, the existing session is transferred to the active firewall, which continues to decrypt the SSL traffic and inspect it for threats. This ensures that there is no disruption in the traffic flow and the security of the network is maintained. Option B is incorrect because dropping the session would result in disruption of the traffic flow and could lead to security issues. Option C is incorrect because sending the session to fastpath would bypass the SSL Forward Proxy Decryption policy, which defeats the purpose of having the policy in place. Option D is incorrect because allowing the session without decrypting it would also defeat the purpose of having the SSL Forward Proxy Decryption policy in place.
Nah, correct is D: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability After a failover, firewalls do not support High Availability (HA) sync for decrypted SSL sessions. The firewall does not resume decrypted SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy sessions. The firewall decrypts new sessions that start after the failover based on Decryption policy.
D https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability
The following points to Answer D, though this is from PAN-OS 9.1 docs, "In these cases, when a failover occurs, the passive device allows transferred sessions without decrypting them. New sessions will then continue to be decrypted based on your decryption policy." Also it notes that Inbound SSL Session for Non-PFS Protected Session is part of an HA Sync, in PAN-OS 9.1 anyway.
The 11.0 doc says, "The firewall does not resume decrypted SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy sessions." So this supports Answer B. Most likely this question was dropped if the default action is different. Someone would have to dig through Release Notes to see if this is a Default Action change.
From the same link of evdw: "When a failover occurs, the passive device allows transferred sessions without decrypting them. New sessions will then continue to be decrypted based on your decryption policy."
I would go with B. I have checked both PANOS 9.1 and 10.1 documentation, there is no HA Sync support for outbound ssl decryption.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability After a failover, firewalls do not support High Availability (HA) sync for decrypted SSL sessions. The firewall does not resume decrypted SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy sessions. The firewall decrypts new sessions that start after the failover based on the Decryption policy. Then B is the correct answer!
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability#:~:text=decrypted%2C%20outbound%20SSL,your%20decryption%20policy.
Selected Answer: B. High Availability (HA) syncs are supported for inbound, decrypted SSL sessions, if the sessions were established using non-PFS key exchange algorithms. When a failover occurs, the passive device continues to inspect and enforce the decrypted traffic. HA syncs are not supported for: decrypted SSL sessions (both inbound and outbound) that were established using PFS key exchange algorithms; decrypted, outbound SSL sessions using non-PFS key exchange algorithms. No HA sync for SSL Forward Proxy for both PFS and non-PFS. The firewall drops the session.
In these cases, when a failover occurs, the passive device allows transferred sessions without decrypting them. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability
I believe it is B. From the documentation: "After a failover, firewalls do not support High Availability (HA) sync for decrypted SSL sessions. The firewall does not resume decrypted SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy sessions. The firewall decrypts new sessions that start after the failover based on Decryption policy." https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability "A" can't be correct because syncing is not supported. "B" is correct because the session is lost after failover and any new traffic for that session is dropped. "C" can't be correct because there isn't a session. "D" can't be correct because the session isn't synced, so the new active firewall doesn't know about it, which is why B is correct... it'll be dropped.
To add to my comment above, the doc says "new sessions that start after the failover are decrypted based on decryption policy (paraphrased)." This is why B is correct. The original session didn't survive.
D is correct, but if you don't have session synch enabled then B is also correct. Not a well written question. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OQCCA2&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail