For decrypted TLS traffic, on the first session for an application, Network Packet Broker doesn’t know that the session is being decrypted and sees “ssl” as the application. The underlying specific application is not yet known or installed in the App-ID cache, so the broker lookup fails and the traffic bypasses the security chain. The traffic is still subject to any threat inspection configured on the Security policy allow rule. When the firewall decrypts the traffic, the firewall learns the specific application and installs it in the App-ID cache. For the second and subsequent decrypted sessions for the same application, Network Packet Broker lookups succeed because the specific application is now in the App-ID cache, and the firewall forwards traffic to the security chain as expected.
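To make the first-session gap concrete, the following is an added model of the behaviour described above; it is not PAN-OS code and not taken from the documentation. It assumes, as a simplification, that the App-ID cache is keyed by application name, and it models only decrypted sessions, which is all the passage covers.

```python
"""Constructed model of the first-session App-ID cache behaviour.

Each decrypted session is processed in order: the packet broker looks up
the application before decryption has taught the firewall what it is, so
the first session of every application is seen as "ssl" and bypasses the
security chain, while later sessions of that application are forwarded.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: int        # constructed session id
    true_app: str   # application the firewall learns once it decrypts


@dataclass
class Outcome:
    sid: int
    broker_app: str            # what the packet broker saw at lookup time
    forwarded_to_chain: bool   # whether the security chain got the traffic
    threat_inspected: bool     # allow-rule threat inspection still applies


@dataclass
class Firewall:
    appid_cache: set = field(default_factory=set)

    def process(self, s: Session) -> Outcome:
        # Broker lookup happens before the app is learned for this session.
        if s.true_app in self.appid_cache:
            seen, forwarded = s.true_app, True
        else:
            seen, forwarded = "ssl", False   # lookup fails, chain bypassed
        # Decryption teaches the firewall the app; installed for later use.
        self.appid_cache.add(s.true_app)
        return Outcome(s.sid, seen, forwarded, True)


def bypassed_sessions(sessions):
    """Return ids of sessions that bypassed the chain, in processing order."""
    fw = Firewall()
    return [o.sid for o in map(fw.process, sessions) if not o.forwarded_to_chain]


if __name__ == "__main__":
    # Constructed sample: two applications, interleaved sessions.
    sample = [Session(1, "web-browsing"), Session(2, "web-browsing"),
              Session(3, "ssl-email"), Session(4, "web-browsing"),
              Session(5, "ssl-email")]
    print(bypassed_sessions(sample))   # first session per app: [1, 3]
```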