having to reestablish the connection, even if strict TCP enforcement is enabled. You can enable strict TCP
enforcement on inline sets, virtual routers, and virtual switches.
Unidirectional Access Control Rules
If you have configured unidirectional access control rules, network traffic may match a different access control
rule than intended when the system reevaluates a connection midstream after failover. For example, consider
a policy containing the following two access control rules:
Rule 1: Allow from 192.168.1.0/24 to 192.168.2.0/24
Rule 2: Block all
Without state sharing, if an allowed connection from 192.168.1.1 to 192.168.2.1 is still active following a
failover and the next packet is seen as a response packet, the system denies the connection. With state sharing,
a midstream pickup would match the existing connection and continue to be allowed.
Blocking Persistence
While many connections are blocked on the first packet based on access control rules or other factors, there
are cases where the system allows some number of packets through before determining that the connection
should be blocked. With state sharing, the system immediately blocks the connection on the peer device or
stack as well.
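The two scenarios above (the unidirectional rule example and blocking persistence) can be reproduced with a small simulation. The following is an added example written for this page, not the product's own code: it models a hypothetical pair of units, each with a direction-independent connection table, and optionally replicates verdicts to the peer. The policy is the two rules from the text; the client and server ports (40000/443, 40001/80) and the "block_midstream" step are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Rule:
    """One access control rule. A src/dst of None matches any address."""
    name: str
    action: str                                   # "allow" or "block"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s_ok = self.src is None or ipaddress.ip_address(src_ip) in self.src
        d_ok = self.dst is None or ipaddress.ip_address(dst_ip) in self.dst
        return s_ok and d_ok


# Constructed policy mirroring the two rules in the text; Rule 1 is unidirectional.
POLICY = [
    Rule("Rule 1", "allow",
         ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")),
    Rule("Rule 2", "block"),
]

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def flow_key(src: str, dst: str, sport: int, dport: int) -> FlowKey:
    """Direction-independent key so both halves of a connection share one entry."""
    a, b = sorted([(src, sport), (dst, dport)])
    return (a, b)


class Device:
    """A hypothetical firewall unit with a connection table and an optional HA peer."""

    def __init__(self, name: str, policy) -> None:
        self.name = name
        self.policy = policy
        self.peer: Optional["Device"] = None
        self.state_sharing = False
        self.conn_table: Dict[FlowKey, str] = {}   # flow -> current verdict

    def _sync(self, key: FlowKey, verdict: str) -> None:
        if self.state_sharing and self.peer is not None:
            self.peer.conn_table[key] = verdict   # replicate the verdict to the peer

    def handle_packet(self, src: str, dst: str, sport: int, dport: int) -> str:
        key = flow_key(src, dst, sport, dport)
        if key in self.conn_table:
            return self.conn_table[key]           # midstream pickup: existing verdict applies
        # No connection state: evaluate this packet, in its own direction, against the rules.
        verdict = "block"
        for rule in self.policy:
            if rule.matches(src, dst):
                verdict = rule.action
                break
        self.conn_table[key] = verdict
        self._sync(key, verdict)
        return verdict

    def block_midstream(self, src: str, dst: str, sport: int, dport: int) -> None:
        """Model a block decision reached after some packets were already allowed."""
        key = flow_key(src, dst, sport, dport)
        self.conn_table[key] = "block"
        self._sync(key, "block")


def make_pair(state_sharing: bool) -> Tuple[Device, Device]:
    active, standby = Device("active", POLICY), Device("standby", POLICY)
    active.peer, standby.peer = standby, active
    active.state_sharing = standby.state_sharing = state_sharing
    return active, standby


def simulate_unidirectional(state_sharing: bool) -> Tuple[str, str]:
    """Client 192.168.1.1 -> server 192.168.2.1, then failover before the server replies."""
    active, standby = make_pair(state_sharing)
    first = active.handle_packet("192.168.1.1", "192.168.2.1", 40000, 443)
    # After failover the former standby sees the response packet first.
    reply = standby.handle_packet("192.168.2.1", "192.168.1.1", 443, 40000)
    return first, reply


def simulate_block_persistence(state_sharing: bool) -> str:
    """The active unit allows a flow, later blocks it, then fails over."""
    active, standby = make_pair(state_sharing)
    active.handle_packet("192.168.1.1", "192.168.2.1", 40001, 80)
    active.block_midstream("192.168.1.1", "192.168.2.1", 40001, 80)
    # The next client packet arrives on the former standby.
    return standby.handle_packet("192.168.1.1", "192.168.2.1", 40001, 80)


if __name__ == "__main__":
    for sharing in (False, True):
        print(f"state sharing={sharing}: unidirectional -> {simulate_unidirectional(sharing)}, "
              f"block persistence -> {simulate_block_persistence(sharing)}")
```

Without state sharing the former standby has no entry for the flow, so the server's reply is evaluated as a fresh packet in the server-to-client direction, misses Rule 1 and hits Rule 2; with state sharing the replicated entry is found and the reply is allowed. The same table is what lets a midstream block decision take effect on the peer immediately instead of being re-evaluated from the rules.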
When establishing state sharing for a high-availability pair, you can configure the following options:
Enabled
Click the check box to enable state sharing. Clear the check box to disable state sharing.
Minimum Flow Lifetime
Specify the minimum time (in milliseconds) for a session before the system sends any synchronization messages
for it. You can use any integer from 0 to 65535. The system does not synchronize any sessions that have not
met the minimum flow lifetime, and the system synchronizes only when a packet is received for the connection.
Minimum Sync. Interval
Specify the minimum time (in milliseconds) between update messages for a session. You can use any integer
from 0 to 65535. The minimum synchronization interval prevents synchronization messages for a given
connection from being sent more frequently than the configured value after the connection reaches the minimum
lifetime.
Maximum HTTP URL Length
Specify the maximum number of characters of the URL that the system synchronizes between the paired devices.
You may use any integer from 0 to 225.
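To see how the minimum flow lifetime and minimum synchronization interval interact over the life of one session, here is an added example (written for this page, not the product's own implementation) that replays a constructed trace of packet arrival times through a hypothetical per-session throttle. The rule it models is the one stated above: nothing is sent before the session reaches the minimum lifetime, a message is only considered when a packet arrives, and updates are spaced at least the minimum interval apart; the URL is cut to the configured maximum length. The packet timestamps and the URL are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StateSharingConfig:
    """The options listed above, with the value ranges the page gives."""
    enabled: bool = True
    min_flow_lifetime_ms: int = 0
    min_sync_interval_ms: int = 0
    max_http_url_length: int = 225

    def __post_init__(self) -> None:
        limits = (("min_flow_lifetime_ms", self.min_flow_lifetime_ms, 65535),
                  ("min_sync_interval_ms", self.min_sync_interval_ms, 65535),
                  ("max_http_url_length", self.max_http_url_length, 225))
        for name, value, upper in limits:
            if not 0 <= value <= upper:
                raise ValueError(f"{name}={value} is outside 0..{upper}")


@dataclass
class Session:
    start_ms: int                      # time the first packet of the session was seen
    url: str = ""
    last_sync_ms: Optional[int] = None


class Synchronizer:
    """Hypothetical per-session throttle for synchronization messages."""

    def __init__(self, cfg: StateSharingConfig) -> None:
        self.cfg = cfg
        self.sent: List[Tuple[int, str]] = []   # (time, URL as carried in the message)

    def on_packet(self, session: Session, now_ms: int) -> bool:
        """Called once per packet of the session; True if a sync message goes out."""
        if not self.cfg.enabled:
            return False
        if now_ms - session.start_ms < self.cfg.min_flow_lifetime_ms:
            return False                        # session has not met the minimum flow lifetime
        if (session.last_sync_ms is not None
                and now_ms - session.last_sync_ms < self.cfg.min_sync_interval_ms):
            return False                        # too soon since the last update message
        session.last_sync_ms = now_ms
        self.sent.append((now_ms, session.url[: self.cfg.max_http_url_length]))
        return True


def run_trace(cfg: StateSharingConfig, packet_times_ms: List[int],
              url: str) -> Tuple[List[int], List[str]]:
    """Replay packet arrival times; return the sync times and the URLs as synchronized."""
    session = Session(start_ms=packet_times_ms[0], url=url)
    sync = Synchronizer(cfg)
    sent_at = [t for t in packet_times_ms if sync.on_packet(session, t)]
    return sent_at, [u for _, u in sync.sent]


# Constructed sample input: packet times in ms and an over-long URL.
TRACE_MS = [0, 200, 1000, 1200, 1600, 1700, 3000]
LONG_URL = "http://example.com/" + "a" * 300

if __name__ == "__main__":
    cfg = StateSharingConfig(min_flow_lifetime_ms=1000, min_sync_interval_ms=500)
    times, urls = run_trace(cfg, TRACE_MS, LONG_URL)
    print("sync messages sent at:", times)
    print("URL length as synchronized:", [len(u) for u in urls])
```

With a 1000 ms minimum lifetime and a 500 ms minimum interval, the packets at 0 and 200 ms are too early in the session's life, the packet at 1000 ms triggers the first message, 1200 and 1700 ms are suppressed by the interval, and 1600 and 3000 ms each send an update; every message carries at most 225 characters of the URL. Setting the minimums to 0 makes every packet eligible, which is the most chatty configuration on the HA link.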
Related Topics
Configuring HA Link Interfaces
7000 and 8000 Series Device High Availability
Device High Availability State Sharing