After failover, the "firewall does not resume decrypted SSL Forward Proxy"
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability
After a failover, firewalls do not support High Availability (HA) sync for decrypted SSL sessions. The firewall does not resume decrypted SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy sessions. The firewall decrypts new sessions that start after the failover based on the Decryption policy.
Then B is the correct answer!
Selected Answer: B
High Availability (HA) syncs are supported for inbound, decrypted SSL sessions, if the sessions were established using non-PFS key exchange algorithms. When a failover occurs, the passive device continues to inspect and enforce the decrypted traffic.
HA syncs are not supported for:
decrypted SSL sessions (both inbound and outbound) that were established using PFS key exchange algorithms
decrypted, outbound SSL sessions using non-PFS key exchange algorithms
No HA sync for SSL Forward Proxy for both PFS and non-PFS
The Firewall drops the session
In these cases, when a failover occurs, the passive device allows transferred sessions without decrypting them.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability
I believe it is B:
From the documentation:
After a failover, firewalls do not support High Availability (HA) sync for decrypted SSL sessions. The firewall does not resume decrypted SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy sessions. The firewall decrypts new sessions that start after the failover based on Decryption policy.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability
"A" can't be correct because syncing is not supported.
"B" is correct because the session is lost after failover and any new traffic for that session is dropped.
"C" can't be correct because there isn't a session.
"D" can't be correct because the session isn't synced, so the new active firewall doesn't know about it, which is why B is correct... it'll be dropped.
To add to my comment above, the doc says "new sessions that start after the failover are decrypted based on decryption policy (paraphrased)." This is why B is correct. The original session didn't survive.
D is correct, but if you don't have session sync enabled then B is also correct. Not a well-written question.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OQCCA2&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
Correct answer A
In an HA failover scenario, the active firewall takes over the traffic processing from the failed firewall. The SSL Forward Proxy Decryption policy is configured on the firewall to decrypt the SSL traffic and inspect it for threats. If the firewall fails over, the existing session is transferred to the active firewall, which continues to decrypt the SSL traffic and inspect it for threats. This ensures that there is no disruption in the traffic flow and the security of the network is maintained. Option B is incorrect because dropping the session would result in disruption of the traffic flow and could lead to security issues. Option C is incorrect because sending the session to fastpath would bypass the SSL Forward Proxy Decryption policy, which defeats the purpose of having the policy in place. Option D is incorrect because allowing the session without decrypting it would also defeat the purpose of having the SSL Forward Proxy Decryption policy in place.
Nah, correct is D:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/decryption-concepts/decryption-and-high-availability
After a failover, firewalls do not support High Availability (HA) sync for decrypted SSL sessions. The firewall does not resume decrypted SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy sessions. The firewall decrypts new sessions that start after the failover based on Decryption policy.
The following points to Answer D, though this is from PAN-OS 9.1 docs, "In these cases, when a failover occurs, the passive device allows transferred sessions without decrypting them. New sessions will then continue to be decrypted based on your decryption policy."
Also it notes that Inbound SSL Session for Non-PFS Protected Session is part of an HA Sync, in PAN-OS 9.1 anyway.
The 11.0 doc says, " The firewall does not resume decrypted SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy sessions." So this supports Answer B.
Most likely this question was dropped if the default action is different.
Someone would have to dig through Release Notes to see if this is a Default Action change.
HA syncs are not supported for:
decrypted SSL sessions (both inbound and outbound) that were established using PFS key exchange algorithms
decrypted, outbound SSL sessions using non-PFS key exchange algorithms
>>> In these cases, when a failover occurs, the passive device allows transferred sessions without decrypting them. New sessions will then continue to be decrypted based on your decryption policy.
From the same link of evdw
When a failover occurs, the passive device allows transferred sessions without decrypting them. New sessions will then continue to be decrypted based on your decryption policy.