Perfect Forward Secrecy (PFS) Support for SSL Decryption
PFS is a secure communication protocol that prevents the compromise of one encrypted session from
leading to the compromise of multiple encrypted sessions. With PFS, a server generates
unique private keys for each secure session it establishes with a client. If a server
private key is compromised, only the single session established with that key is
vulnerable—an attacker cannot retrieve data from past and future sessions because the
server establishes each connection with a uniquely generated key. The firewall decrypts
SSL sessions established with PFS key exchange algorithms, and preserves PFS protection
for past and future sessions.
Support for Diffie-Hellman (DHE)-based PFS and elliptical curve
Diffie-Hellman (ECDHE)-based PFS is enabled by default (ObjectsDecryption ProfileSSL DecryptionSSL Protocol Settings).
If you use the DHE or ECDHE key exchange algorithms to
enable PFS support for SSL decryption, you can use a hardware security module (HSM) to
store the private keys for SSL Inbound Inspection.
When you configure SSL Inbound Inspection and use a PFS
cipher, session resumption is not supported.