What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?
A. Phase 2 SAs are synchronized over HA2 links
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links
C. Phase 1 SAs are synchronized over HA1 links
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links
Answer: A
Explanation:
From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls… This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls."
And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
https://help.aryaka.com/display/public/KNOW/Palo+Alto+Networks+NFV+Technical+Brief