What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?

A. Phase 1 and Phase 2 SAs are synchronized over HA3 links.
B. Phase 1 SAs are synchronized over HA1 links.
C. Phase 2 SAs are synchronized over HA2 links.
D. Phase 1 and Phase 2 SAs are synchronized over HA2 links.

Answer: C

Explanation:

From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls… This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls."

And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

https://help.aryaka.com/display/public/KNOW/Palo+Alto+Networks+NFV+Technical+Brief
