A firewall enabled as a decryption broker supports forwarding
to multiple security chains (Layer 3, Transparent Bridge, or a mix
of both) in order to provide redundancy and to balance the analysis
load, avoiding oversubscribing a security chain or a single security
chain device. Because the firewall's capacity to decrypt and forward
traffic can exceed the capacity of security chain devices to process
traffic, you can configure the firewall to distribute clear text
sessions to multiple security chain networks for inspection. The
firewall can distribute sessions among both types of security chain
networks, so that security chains can share the inspection load;
however, the methods to enable session distribution vary depending
on whether you are using Layer 3 security chains or Transparent
Bridge security chains. A decryption broker forwarding to multiple
Layer 3 Security Chains can distribute sessions for inspection using one
of four methods:
IP modulo—The firewall assigns sessions based on the
modulo hash of the source and destination IP addresses.
IP hash—The firewall assigns sessions based on the IP hash of
the source and destination IP addresses and port numbers.
Round robin—The firewall allocates sessions evenly amongst the
security chains.
Lowest latency—The firewall allocates more sessions to the security
chain with the lowest latency.
A decryption broker forwarding to multiple Transparent Bridge
Security Chains must be configured to perform policy-based session
distribution; traffic matched to a policy rule is forwarded only
to the security chain associated with that rule. For example, specify
a different source address range for each decryption policy to dedicate
a single Transparent Bridge security chain to analyze and enforce
traffic originating from specified IP address ranges.
When configuring multiple security chains, make sure that you’re deploying
enough security chains to provide excess capacity in the event of
a security chain failure. If you enable the firewall to perform
Security Chain Health Checks, and a security chain fails, the firewall
continues to distribute decrypted sessions among the healthy security
chains. If there are not enough healthy chains to cover the additional
load, that single security chain failure could result in cascading
failures as the remaining healthy security chains are oversubscribed.
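The following simulator is an added example written for this page; it is not Palo Alto Networks code and does not reproduce the firewall's internal hashing. It models the four Layer 3 distribution methods listed above (IP modulo over addresses only, IP hash over addresses and ports, round robin, lowest latency) and the health-check behaviour described in this paragraph: when one chain is marked down, its sessions are spread over the remaining healthy chains, and the `oversubscribed` check shows how a single failure pushes the survivors past their capacity when no spare capacity was deployed. The chain names, capacities, latencies, the SHA-256 used for the IP-hash method, and the sample sessions are all constructed for illustration.

```python
"""Session distribution simulator for Layer 3 security chains.

Added example, not Palo Alto Networks code: it models the four distribution
methods (IP modulo, IP hash, round robin, lowest latency) and the
health-check behaviour of spreading sessions over the remaining healthy
chains. Chain names, capacities, latencies and sample sessions are constructed.
"""
import hashlib
import ipaddress
import itertools
from dataclasses import dataclass, field


@dataclass
class Chain:
    name: str
    capacity: int            # sessions the chain can inspect before it is oversubscribed
    latency_ms: float
    healthy: bool = True     # set by the (simulated) Security Chain Health Check
    sessions: list = field(default_factory=list)


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def pick_ip_modulo(session: Session, chains: list) -> Chain:
    """Modulo of the source and destination addresses; ports are ignored."""
    return chains[(_ip_int(session.src_ip) + _ip_int(session.dst_ip)) % len(chains)]


def pick_ip_hash(session: Session, chains: list) -> Chain:
    """Hash over addresses and ports. SHA-256 is an assumption chosen only to show
    that different port pairs between the same hosts can land on different chains."""
    key = f"{session.src_ip}:{session.src_port}->{session.dst_ip}:{session.dst_port}".encode()
    digest = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return chains[digest % len(chains)]


def make_round_robin():
    """Return a picker that cycles through the healthy chains in order."""
    counter = itertools.count()

    def pick(session: Session, chains: list) -> Chain:
        return chains[next(counter) % len(chains)]

    return pick


def pick_lowest_latency(session: Session, chains: list) -> Chain:
    """Simplification (assumed): always choose the lowest-latency healthy chain."""
    return min(chains, key=lambda c: c.latency_ms)


def distribute(sessions: list, chains: list, picker) -> dict:
    """Clear previous assignments, forward each session to a healthy chain
    chosen by `picker`, and return the per-chain session count."""
    healthy = [c for c in chains if c.healthy]
    if not healthy:
        raise RuntimeError("no healthy security chain available")
    for chain in chains:
        chain.sessions.clear()
    for session in sessions:
        picker(session, healthy).sessions.append(session)
    return {c.name: len(c.sessions) for c in chains}


def oversubscribed(chains: list) -> list:
    """Names of healthy chains carrying more sessions than their capacity."""
    return [c.name for c in chains if c.healthy and len(c.sessions) > c.capacity]


def sample_sessions(n: int) -> list:
    # Constructed clients 10.0.0.1 .. 10.0.0.n talking HTTPS to one server
    return [Session(f"10.0.0.{i}", "198.51.100.10", 40000 + i, 443) for i in range(1, n + 1)]


def sample_chains() -> list:
    # Three constructed chains with capacity for 12 sessions each: 36 in total,
    # but only 24 once any single chain fails.
    return [Chain("chain-a", 12, 1.5), Chain("chain-b", 12, 2.0), Chain("chain-c", 12, 2.5)]


def failure_demo() -> tuple:
    """Round-robin 30 sessions over three chains, then fail one chain and
    redistribute: the two survivors each absorb 15 sessions against a
    capacity of 12, which is the cascading-oversubscription case."""
    chains = sample_chains()
    sessions = sample_sessions(30)
    before = distribute(sessions, chains, make_round_robin())
    over_before = oversubscribed(chains)
    chains[1].healthy = False            # health check marks chain-b down
    after = distribute(sessions, chains, make_round_robin())
    return before, over_before, after, oversubscribed(chains)


if __name__ == "__main__":
    before, ob, after, oa = failure_demo()
    print("before failure:", before, "oversubscribed:", ob)
    print("after  failure:", after, "oversubscribed:", oa)
```

Running the script shows 10 sessions per chain before the failure and 15 per surviving chain afterwards, with both survivors reported as oversubscribed; raising each chain's `capacity` to 15 or more (the "excess capacity" the paragraph asks for) clears the second report. The IP modulo picker also illustrates why that method keeps all flows between one host pair on one chain, while the IP hash picker can split them by port.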
The first image below shows a decryption broker deployment with multiple
Layer 3 security chains. Note that a single pair of Decryption Forwarding
Interfaces can forward decrypted traffic to multiple Layer 3 security chains
(up to 64).
The second image below shows a decryption broker deployment with multiple
Transparent Bridge security chains; a dedicated pair of decryption forwarding
interfaces is required to forward to each separate Transparent Bridge
security chain.