Perfect Forward Secrecy (PFS) Support for SSL Decryption
The firewall supports Perfect Forward Secrecy (PFS). With PFS, the client
and server negotiate a fresh, ephemeral key exchange for every session,
so compromising the keying material of one session exposes only that
session, not the sessions established before or after it.
PFS is a property of the key exchange, not a protocol in its own right:
it guarantees that the compromise of one encrypted session cannot lead to
the compromise of other encrypted sessions. Without PFS (for example,
RSA key transport), the server's single long-term private key protects
the secret of every session, so an attacker who records traffic and later
obtains that key can decrypt every recorded session, past and future.
With PFS, the server's long-term key is used only to authenticate the
handshake; each session's secret is derived from ephemeral private values
that both sides generate for that session and then discard. Even if the
server's long-term private key is later stolen, previously recorded
sessions cannot be decrypted, and if an ephemeral key is exposed, only the
single session that used it is affected. The firewall decrypts SSL
sessions established with PFS key exchange algorithms.
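The difference between a per-session ephemeral key exchange and a reused long-term key, shown as an added example that is not part of this documentation or of the firewall's own code: a standard-library Python model of a DHE handshake over the 1024-bit MODP group from RFC 2409 (Oakley group 2). The group constant is transcribed for this example and is checked at import time with Miller-Rabin; the `dhe_session`, `StaticKeyServer` and `attacker_recovers` names are constructions for the demonstration, and the 1024-bit group is used only to keep the arithmetic readable (it is far too small for production; TLS deployments use 2048-bit or larger groups or ECDHE).

```python
import secrets

# 1024-bit MODP group, RFC 2409 Oakley group 2 (transcribed for this example;
# DH_GROUP_IS_SAFE_PRIME below verifies the transcription). Too small for
# production use; chosen only so the demo stays quick and readable.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; false positive rate <= 4**-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# A safe prime p has (p - 1) / 2 prime as well; both must hold for the group.
DH_GROUP_IS_SAFE_PRIME = is_probable_prime(P) and is_probable_prime((P - 1) // 2)
assert DH_GROUP_IS_SAFE_PRIME, "DH group constant is not a safe prime"


def keypair():
    """Random DH private exponent in [2, P-2] and its public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dhe_session():
    """One PFS (DHE) handshake: both sides use fresh ephemeral keys.
    Returns the public transcript a passive observer records, the shared
    secret both sides derived, and the server's ephemeral private value.
    A real endpoint zeroises that private value after the handshake; it is
    returned here only so the demo can model its later theft."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    secret = pow(s_pub, c_priv, P)
    assert secret == pow(c_pub, s_priv, P)  # both sides agree on the secret
    return {"client_pub": c_pub, "server_pub": s_pub}, secret, s_priv


class StaticKeyServer:
    """Non-PFS model: one long-term server private key reused for every
    session (analogous to RSA key transport, where the same server key
    unwraps every session's pre-master secret)."""

    def __init__(self):
        self.priv, self.pub = keypair()  # generated once, reused for life

    def session(self):
        c_priv, c_pub = keypair()
        secret = pow(self.pub, c_priv, P)
        return {"client_pub": c_pub, "server_pub": self.pub}, secret


def attacker_recovers(transcript, stolen_server_priv):
    """Passive attacker who recorded the handshake and later obtained a
    server private value: recompute the session secret from public data."""
    return pow(transcript["client_pub"], stolen_server_priv, P)


def demo():
    """Compare what one stolen server private value exposes in each model."""
    # PFS: the server's ephemeral value from session 1 is later stolen.
    t1, s1, leaked = dhe_session()
    t2, s2, _ = dhe_session()
    pfs = {
        "secrets_differ": s1 != s2,
        "session1_exposed": attacker_recovers(t1, leaked) == s1,
        "session2_exposed": attacker_recovers(t2, leaked) == s2,
    }
    # No PFS: the single long-term key is stolen once.
    srv = StaticKeyServer()
    (t1, s1), (t2, s2) = srv.session(), srv.session()
    static = {
        "secrets_differ": s1 != s2,
        "session1_exposed": attacker_recovers(t1, srv.priv) == s1,
        "session2_exposed": attacker_recovers(t2, srv.priv) == s2,
    }
    return pfs, static


if __name__ == "__main__":
    for name, result in zip(("DHE (PFS)", "static key (no PFS)"), demo()):
        print(name, result)
```

Note that the static-key sessions also produce a different secret each time; what distinguishes PFS is not per-session secrets but that no single long-term key can derive them after the fact. The same arithmetic is why a device holding only the server's certificate private key cannot passively decrypt DHE or ECDHE sessions: to decrypt PFS traffic it must itself take part in the key exchange.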
Support for ephemeral Diffie-Hellman (DHE)-based PFS and ephemeral elliptic
curve Diffie-Hellman (ECDHE)-based PFS is enabled by default (