Traffic associated with a session that has IDPS enabled may be dropped when a failover is triggered, under certain conditions.

Article ID: 383140

Products

VMware VeloCloud SD-WAN

Issue/Introduction

When traffic matches a firewall rule with IDPS enabled, the state synchronization behavior with the HA peer is as follows:

In the Active Unit:

  • While the IDPS decision is still pending, the flow state is synchronized to the standby unit as "INFLIGHT".
  • Once the IDPS decision is made (either ALLOW or BLOCK), that decision is synced to the standby unit.

Failover Behavior: After a switchover or failover, the system handles the IDPS decision as follows:

  • ALLOW: Traffic is permitted.
  • BLOCK: Traffic is denied.
  • INFLIGHT: If the first packet of the flow that arrives at the new Active unit finds the synced IDPS state still "INFLIGHT", the flow is reset.

IDPS inspects at most 1MB of data per flow. If that threshold is reached while the decision is still pending, the IDPS action is updated to ALLOW and synced to the standby unit.

During a failover, the new Active unit enforces whatever IDPS action was synced to it. If that action is still "INFLIGHT", the flow is reset: the packet is dropped and an ICMP unreachable message is sent to the client, which prompts the client to start a new flow. The stale flow entry is not removed, however. If the client keeps using the same source/destination port combination, its packets continue to match the previous flow, and no new flow is created until the existing flows are manually cleared.
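The following is an added illustration of the behavior described above, not VeloCloud code. It is a small Python model of one HA pair: the active unit tracks an IDPS verdict per flow (INFLIGHT, ALLOW or BLOCK), syncs it to the standby, flips to ALLOW at the 1MB inspection threshold, and after a failover resets any flow whose inherited verdict is still INFLIGHT, leaving the stale entry in place so that retries on the same 5-tuple keep hitting it until it is cleared. The class and function names, the sample 5-tuple and the packet sizes are assumptions made for this example.

```python
"""Toy model of IDPS verdict sync across an HA pair (constructed example).

States, the 1MB threshold and the failover handling follow the article;
everything else (names, sample addresses, packet sizes) is assumed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

INSPECT_LIMIT = 1 * 1024 * 1024          # IDPS inspects at most 1MB per flow
INFLIGHT, ALLOW, BLOCK = "INFLIGHT", "ALLOW", "BLOCK"


@dataclass
class Flow:
    key: tuple                 # (src_ip, src_port, dst_ip, dst_port, proto)
    verdict: str = INFLIGHT
    inspected: int = 0         # bytes handed to IDPS so far
    inherited: bool = False    # True if this entry arrived via HA state sync


@dataclass
class Edge:
    """One unit of the HA pair; `peer` is the unit it syncs state to."""
    name: str
    flows: dict = field(default_factory=dict)
    peer: Edge | None = None

    def sync(self, flow: Flow) -> None:
        # The standby receives a copy of whatever the active knows right now,
        # which may still be INFLIGHT if IDPS has not decided yet.
        if self.peer is not None:
            self.peer.flows[flow.key] = Flow(
                flow.key, flow.verdict, flow.inspected, inherited=True)

    def handle_packet(self, key: tuple, nbytes: int, idps_verdict=None) -> str:
        """Active-unit forwarding path; returns permit / deny / reset.

        idps_verdict is ALLOW or BLOCK if the engine reaches a decision on
        this packet, None while it is still inspecting.
        """
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(key)
            self.flows[key] = flow
        elif flow.inherited and flow.verdict == INFLIGHT:
            # Synced state is still INFLIGHT on the new active: the flow is
            # reset (packet dropped, ICMP unreachable to the client). The
            # stale entry stays, so a retry on the same 5-tuple lands here
            # again until the flow is cleared.
            return "reset"
        if flow.verdict == INFLIGHT:
            flow.inspected += nbytes
            if idps_verdict in (ALLOW, BLOCK):
                flow.verdict = idps_verdict
            elif flow.inspected >= INSPECT_LIMIT:
                flow.verdict = ALLOW          # threshold reached, stop inspecting
        self.sync(flow)
        return "deny" if flow.verdict == BLOCK else "permit"


def failover(active: Edge, standby: Edge) -> tuple[Edge, Edge]:
    """Swap roles; the new active has only the state that was synced to it."""
    active.peer, standby.peer = None, active
    return standby, active


def clear_flow(edge: Edge, key: tuple) -> None:
    """Operator action from the article: manually clear the existing flow."""
    edge.flows.pop(key, None)


def scenario(nbytes_before_failover: int, idps_verdict=None) -> list[str]:
    """Drive one flow through the pair, fail over, retry, clear, retry."""
    a, b = Edge("edge-A"), Edge("edge-B")
    a.peer = b
    key = ("10.0.0.5", 40000, "203.0.113.10", 443, "tcp")   # sample 5-tuple
    log = [a.handle_packet(key, nbytes_before_failover, idps_verdict)]
    active, _ = failover(a, b)
    log.append(active.handle_packet(key, 1460))   # first packet on new active
    log.append(active.handle_packet(key, 1460))   # client retries, same ports
    clear_flow(active, key)                       # stale entry cleared by hand
    log.append(active.handle_packet(key, 1460))   # now a fresh flow is created
    return log


if __name__ == "__main__":
    print("64KB inspected, undecided:", scenario(64 * 1024))
    print("1MB threshold hit (ALLOW):", scenario(INSPECT_LIMIT))
    print("decided BLOCK before failover:", scenario(64 * 1024, BLOCK))
```

The first scenario is the one the article warns about: the flow was still being inspected when the failover happened, so the new active resets it, and the reset repeats on every retry until the flow is cleared. Flows that had already reached a verdict, whether by decision or by crossing the 1MB threshold, survive the failover with that verdict applied.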

Resolution

If you encounter issues with specific traffic matching a rule with IDPS during failovers, we recommend the following workaround:

  • Try matching the traffic using a legacy firewall rule instead of an EFS-based rule. Note that traffic matched by a legacy rule is no longer subject to the IDPS decision, so weigh this against the inspection requirement for that traffic.