Network Packet Broker
10.1
Use Network Packet Broker to forward traffic to external security chains
The new Network Packet Broker feature replaces Decryption Broker and expands its capabilities to filter and forward not only decrypted TLS traffic, but also non-decrypted TLS and non-TLS traffic, to one or more third-party appliances (a security chain). The ability to filter and forward all traffic to a security chain eliminates complications from dedicated decryption devices and security chain management devices, thus simplifying your network and reducing capital and operating costs. Network Packet Broker checks path health to and from the security chain and filters traffic based on applications, users, devices, IP addresses, and zones. These features are especially valuable in very high security environments such as financial and government institutions that require offloading traffic to external security chains.
To get started with Network Packet Broker:
- Install a free Network Packet Broker license and enable the App-ID cache. Without the free license, you can’t access the Packet Broker policy and profile configuration.
- Identify the traffic that you want to forward to one or more security chains.
- The firewall must have at least two available Layer 3 Ethernet interfaces to use as dedicated packet broker forwarding interfaces to connect to the first and last devices in a security chain. You can configure multiple pairs of packet broker forwarding interfaces to connect to different security chains. Decide which pairs of firewall interfaces to use as dedicated Network Packet Broker forwarding interfaces. Network Packet Broker supports routed Layer 3 security chains and Transparent Bridge Layer 1 security chains. For routed Layer 3 chains, one pair of packet broker forwarding interfaces can connect to multiple Layer 3 security chains using a properly configured switch, router, or other device to perform the required Layer 3 routing between the firewall and the security chains.
- Configure a Transparent Bridge security chain or a routed Layer 3 security chain on the firewall using Packet Broker profiles and Network Packet Broker policy rules. None of the devices in the security chain can modify the source or destination IP address, source or destination port, or protocol of the original session, because the firewall would be unable to match the modified session to the original session and therefore would drop the traffic. You can use Policy Optimizer to review and tighten Network Packet Broker policy rules.
Network Packet Broker supports:
- Decrypted TLS, non-decrypted TLS, and non-TLS traffic.
- SSL Forward Proxy and SSL Inbound Inspection traffic.
- Routed Layer 3 security chains.
- Transparent Bridge Layer 1 security chains. You can configure both routed Layer 3 and Layer 1 Transparent Bridge security chains on the same firewall, but you must use different pairs of forwarding interfaces for each type.
- Unidirectional traffic flow through the chain: all traffic to the chain egresses the firewall on one dedicated firewall interface and returns to the firewall on another dedicated firewall interface, so all traffic flows in the same direction. Both firewall forwarding interfaces must be in the same zone.
- Bidirectional traffic flow through the security chain:
- Client-to-server (c2s) traffic egresses the firewall on one dedicated firewall broker interface and returns to the firewall on another dedicated firewall broker interface.
- Server-to-client (s2c) traffic uses the same two dedicated firewall broker interfaces as c2s traffic, but the traffic flows in the opposite direction through the security chain. The firewall broker interface on which the s2c traffic goes to the chain is the same interface on which the c2s traffic returns from the chain to the firewall. The firewall broker interface on which the s2c traffic returns to the firewall is the same interface on which the c2s traffic egresses to the chain.
Network Packet Broker does not support multicast, broadcast, or SSH traffic.
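The two rules above that most often bite in practice are the bidirectional interface pairing (s2c leaves on the interface c2s returned on, and vice versa) and the requirement that no device in the chain rewrite the session's addresses, ports, or protocol. The following is an added, illustrative model of how a firewall can match traffic coming back from the chain to the session it forwarded; it is not PAN-OS code, and the interface names and packets are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model (not the firewall's implementation) of session matching
# for traffic that returns from a security chain.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    ingress_if: str   # firewall interface the packet arrived on


class PacketBroker:
    """Sessions flow through a chain attached to (egress_if, return_if).

    c2s packets leave on egress_if and must come back on return_if; s2c
    packets leave on return_if and must come back on egress_if, so the
    chain sees both directions of the session.
    """

    def __init__(self, egress_if: str, return_if: str):
        self.egress_if, self.return_if = egress_if, return_if
        self.sessions = set()   # c2s 5-tuples currently sent to the chain

    def forward(self, pkt: Packet) -> str:
        """Send a packet into the chain; returns the interface it leaves on."""
        t = self._tuple(pkt)
        if self._reverse(t) in self.sessions:   # s2c leg of a known session
            return self.return_if
        self.sessions.add(t)                    # new c2s flow
        return self.egress_if

    def accept_return(self, pkt: Packet) -> bool:
        """True only if the packet matches a forwarded session (c2s or s2c)
        and arrived on the interface that direction requires; a 5-tuple the
        chain rewrote (e.g. NAT) matches nothing and is dropped."""
        t = self._tuple(pkt)
        if t in self.sessions:                  # unchanged c2s flow
            return pkt.ingress_if == self.return_if
        if self._reverse(t) in self.sessions:   # s2c flow of a known session
            return pkt.ingress_if == self.egress_if
        return False

    @staticmethod
    def _tuple(p: Packet):
        return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)

    @staticmethod
    def _reverse(t):
        return (t[1], t[0], t[3], t[2], t[4])
```

Running it with a c2s flow, its s2c reply, and a copy whose source address the chain rewrote shows only the first two being accepted back, and only on the expected interface.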