Exam4Training

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?
A. Phase 2 SAs are synchronized over HA2 links
B. Phase 1 and Phase 2 SAs are synchronized over HA2 links
C. Phase 1 SAs are synchronized over HA1 links
D. Phase 1 and Phase 2 SAs are synchronized over HA3 links

Answer: B

Explanation:

From the Palo Alto documentation below, "when a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls… This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls."

And from the second link, "Data link (HA2) is used to sync sessions, forwarding tables, IPSec security associations, and ARP tables between firewalls in the HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive). It flows from the active firewall to the passive firewall."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
