Perfect Forward Secrecy (PFS) Support for SSL Decryption

The firewall supports Perfect Forward Secrecy (PFS), which uses different keys for each session so that if a key is compromised, that key can’t be used to decrypt other sessions, only the session from which it was stolen.
PFS is a secure communication protocol that prevents the compromise of one encrypted session from leading to the compromise of multiple encrypted sessions. With PFS, a server generates unique private keys for each secure session it establishes with a client. If a server private key is compromised, only the single session established with that key is vulnerable—an attacker cannot retrieve data from past and future sessions because the server establishes each connection with a uniquely generated key. The firewall decrypts SSL sessions established with PFS key exchange algorithms.
Support for Diffie-Hellman (DHE)-based PFS and elliptical curve Diffie-Hellman (ECDHE)-based PFS is enabled by default (ObjectsDecryption ProfileSSL DecryptionSSL Protocol Settings).
If you use the DHE or ECDHE key exchange algorithms to enable Perfect Forward Secrecy (PFS) Support for SSL Decryption, you cannot use a hardware security module(HSM) to store the private keys for SSL Inbound Inspection.
pfs-algorithms.png

Related Documentation