A firewall configured to perform SSL Forward Proxy decryption can be enabled as a decryption broker. Decryption broker uses dedicated decryption forwarding interfaces to connect with a security chain, a set of third-party security appliances. The firewall and the security chain together function as private analysis network.

After decrypting and inspecting SSL traffic, the firewall sends only allowed, clear text traffic on to the security chain for additional analysis and enforcement. As the firewall capacity to decrypt SSL traffic exceeds security device processing speeds, you can enable it to distribute decrypted SSL sessions among multiple security chains, in order to avoid oversubscribing any one chain. The first device in the security chain receives the clear text traffic, enforces it, and forwards allowed traffic to the next inline security chain device. The last security chain device sends the remaining allowed traffic back to the firewall. The firewall re-encrypts the traffic and forwards it to its original destination.

Two types of security chain deployments are supported: Layer 3 security chains and Transparent Bridge security chains. You might choose the type of deployment you want to set up based on the devices that make up your security chain (like if you are using stateless or stateful devices). With both security chain deployments, you can choose for the firewall to direct traffic through the security chain either unidirectionally or bidirectionally based on your analysis needs (see Decryption Broker: Security Chain Session Flow to learn more about when to use a unidirectional or bidirectional flow).

The following figure shows how decryption broker works.