Follow these guidelines to set up Layer 3 security chain devices to support decryption broker:
Configure security chain devices with Layer 3 interfaces to connect to the security chain network. These Layer 3 interfaces must have an assigned IP address and subnet mask.
Do not include devices that modify IP or TCP headers in a security chain, or disable any features on those devices that perform such modifications. If the security chain returns a session to the firewall with a modified IP or TCP header, the firewall drops the session because it can no longer match it to the original pre-decrypted session.
Set the default gateways for security chain devices:

  For all security chain devices except the last device in the chain, configure the default gateway to be the IP address of the next inline device.

  For the last security chain device, configure the default gateway to be the firewall’s Secondary Interface IP address. This ensures that the last device returns the traffic flow to the firewall. (When you configure a decryption forwarding profile, you’ll assign one of the decryption forwarding interfaces to be the decryption broker Secondary Interface. See Objects > Decryption > Forwarding Profile > Secondary Interface, and use this interface’s IP address.)

  If you configured the firewall to direct sessions through the security chain bidirectionally, you must also set the default gateway of the first security chain device to be the firewall’s Primary Interface IP address. (When you configure a decryption forwarding profile, you’ll assign one of the decryption forwarding interfaces to be the decryption broker Primary Interface. See Objects > Decryption > Forwarding Profile > Primary Interface, and use this interface’s IP address.)
Confirm that the firewall and security chain can communicate effectively: check that the router that directs traffic between the firewall and the security chain is configured correctly, and that security chain devices are configured with static routes that direct traffic appropriately.
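The gateway rules above are easy to get wrong on a multi-device chain, so here is an added example (not part of this documentation, nor a PAN-OS tool) that checks a constructed Layer 3 chain against them: every device but the last must point at the next inline device, the last device must point at the Secondary Interface, and in a bidirectional chain the first device must point at the Primary Interface. All addresses and device names are made up; the handling of a single-device bidirectional chain (either firewall interface accepted) is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ChainDevice:
    name: str
    ip: str          # chain-facing L3 interface with mask, e.g. "10.1.1.11/24"
    default_gw: str  # default gateway configured on the device

def expected_gateways(devices, primary_ip, secondary_ip, bidirectional):
    """Map each device name to the default gateways the guidelines allow."""
    expected = {}
    for i, dev in enumerate(devices):
        if i == len(devices) - 1:
            allowed = {secondary_ip}  # last device returns the flow to the firewall
        else:
            allowed = {str(ipaddress.ip_interface(devices[i + 1].ip).ip)}
        if bidirectional and i == 0:
            # First device of a bidirectional chain points at the Primary Interface.
            # Assumption: a single-device bidirectional chain may use either address.
            allowed = {primary_ip} if len(devices) > 1 else allowed | {primary_ip}
        expected[dev.name] = allowed
    return expected

def validate_chain(devices, primary_ip, secondary_ip, bidirectional=False):
    """Return findings as strings; an empty list means the chain passes."""
    findings = []
    expected = expected_gateways(devices, primary_ip, secondary_ip, bidirectional)
    for dev in devices:
        if "/" not in dev.ip:  # Layer 3 interfaces need an IP address and a mask
            findings.append(f"{dev.name}: interface {dev.ip} has no subnet mask")
        if dev.default_gw not in expected[dev.name]:
            findings.append(f"{dev.name}: default gateway {dev.default_gw} should be "
                            + " or ".join(sorted(expected[dev.name])))
    return findings

# Constructed sample topology (all addresses are made up).
PRIMARY_IP, SECONDARY_IP = "10.1.1.1", "10.1.1.2"
CHAIN = [
    ChainDevice("ids-1", "10.1.1.11/24", "10.1.1.12"),
    ChainDevice("dlp-1", "10.1.1.12/24", "10.1.1.13"),
    ChainDevice("ips-1", "10.1.1.13/24", "10.1.1.11"),  # wrong: loops back to ids-1
]
for finding in validate_chain(CHAIN, PRIMARY_IP, SECONDARY_IP):
    print(finding)
```

Running it reports that ips-1 should point at 10.1.1.2 (the Secondary Interface) rather than back at ids-1; a chain with no findings satisfies the gateway guidelines, though it still needs the router and static-route check above.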
Security chain devices should not originate traffic to a network outside of the security chain. The firewall blocks traffic that it cannot match to the original pre-decrypted session. However, if a security chain device requires Internet access to receive updates, make sure that the device can access a separate network (for example, via the device’s management port) to facilitate those updates.
When configuring multiple security chains, it is a best practice to deploy enough security chains to provide excess capacity in the event of a security chain failure. If you enable the firewall to perform Security Chain Health Checks, and a security chain fails, the firewall continues to distribute decrypted sessions among the healthy security chains. If there are not enough healthy chains to cover the additional load, that single security chain failure could result in cascading failures as the remaining healthy security chains are oversubscribed.