Decryption Broker: Security Chain Health Checks

A decryption broker can monitor the status of its security chains to confirm that they are actually processing the decrypted traffic forwarded to them. Periodic health checks cover:
  • Security device connectivity (Path Monitoring)
  • Security device processing speed and efficiency (HTTP Latency Monitoring)
  • Security device HTTP inspection capabilities (HTTP Monitoring)
For each type of monitoring you enable, you must define the conditions that trigger a health check failure. When a security chain fails a health check, the firewall can take one of two actions:
  • Block existing SSL sessions assigned to the failed security chain. The firewall resumes forwarding new decrypted sessions to that chain only after it passes a subsequent health check. A flow is allowed to the Internet only if it passes both the firewall security policy and the security chain inspection (fail-closed).
  • (Layer 3 Security Chain Only) Allow traffic to bypass the failed security chain. Traffic that bypasses a security chain still undergoes firewall decryption and security policy enforcement, but it reaches the Internet without security chain analysis (fail-open). Because session distribution for Transparent Bridge security chains is policy-based, traffic matched to a policy rule is assigned to a specific chain for inspection and cannot bypass that chain if it fails.
Choose between blocking sessions and bypassing the failed chain based on your organization's compliance and usability needs: blocking preserves inspection coverage at the cost of availability, while bypassing preserves availability at the cost of uninspected traffic for the duration of the outage.
When configuring multiple security chains, it is a best practice to deploy enough chains to provide spare capacity for a security chain failure, that is, to size the deployment so that the expected load still fits with at least one chain down. If Security Chain Health Checks are enabled and a chain fails, the firewall continues to distribute decrypted sessions among the remaining healthy chains. If those chains cannot absorb the additional load, a single security chain failure can cascade: the remaining healthy chains become oversubscribed, fail their own health checks, and shed yet more load onto whatever is left.
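The following model is an added illustration of the behaviour described above (the three monitors, the block-or-bypass action on failure, the Layer 3-only restriction on bypass, and the oversubscription risk); it is not firewall code and does not reproduce the firewall's own configuration parameters. The latency threshold, the number of consecutive failed probes that mark a chain down, the per-chain capacity unit, the even spread of new sessions across healthy chains, and the sample session counts are all assumptions made for the example.

```python
"""Model of decryption-broker security chain health checks and failover.

Added illustration, not firewall code: thresholds, capacities, the
distribution rule and the session counts are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from math import ceil


class ChainType(Enum):
    LAYER3 = "layer3"
    TRANSPARENT_BRIDGE = "transparent-bridge"


class OnFailure(Enum):
    BLOCK = "block"    # drop sessions on the failed chain until it recovers
    BYPASS = "bypass"  # forward them without chain inspection (Layer 3 only)


@dataclass
class HealthPolicy:
    # Assumed thresholds; the firewall exposes its own parameters.
    max_latency_ms: float = 500.0  # HTTP Latency Monitoring limit
    failures_to_trip: int = 3      # consecutive failed probes before a chain is marked down


@dataclass
class Chain:
    name: str
    chain_type: ChainType
    capacity: int          # sessions this chain can inspect (assumed unit)
    failures: int = 0
    healthy: bool = True


def probe(chain: Chain, policy: HealthPolicy, path_up: bool,
          latency_ms: float, http_ok: bool) -> bool:
    """One periodic health check covering all three monitors.

    Path Monitoring -> path_up, HTTP Latency Monitoring -> latency_ms,
    HTTP Monitoring -> http_ok. The chain is marked down after
    policy.failures_to_trip consecutive bad probes and recovers on the
    next good one. Returns the chain's health after this probe.
    """
    failed = (not path_up) or latency_ms > policy.max_latency_ms or (not http_ok)
    if failed:
        chain.failures += 1
        if chain.failures >= policy.failures_to_trip:
            chain.healthy = False
    else:
        chain.failures = 0
        chain.healthy = True
    return chain.healthy


def validate_failure_action(chain: Chain, action: OnFailure) -> None:
    """Bypass is only supported for Layer 3 chains; a Transparent Bridge
    chain is bound to a policy rule and cannot be bypassed."""
    if action is OnFailure.BYPASS and chain.chain_type is not ChainType.LAYER3:
        raise ValueError(f"{chain.name}: bypass is only supported on Layer 3 chains")


def fail_over(chains: list, existing: dict, new_sessions: int, action: OnFailure) -> dict:
    """Apply the failure action to sessions already assigned to unhealthy
    chains and spread new decrypted sessions evenly over healthy chains.

    Returns the resulting per-chain load, the blocked/bypassed session
    counts, and the healthy chains now above capacity (the cascade risk).
    """
    healthy = [c for c in chains if c.healthy]
    if not healthy:
        raise RuntimeError("no healthy security chain: nothing can be inspected")
    blocked = bypassed = 0
    for c in chains:
        if c.healthy:
            continue
        validate_failure_action(c, action)
        if action is OnFailure.BLOCK:
            blocked += existing.get(c.name, 0)
        else:
            bypassed += existing.get(c.name, 0)
    # New sessions go only to healthy chains (assumed even distribution).
    share, extra = divmod(new_sessions, len(healthy))
    load = {c.name: existing.get(c.name, 0) + share + (1 if i < extra else 0)
            for i, c in enumerate(healthy)}
    oversubscribed = [c.name for c in healthy if load[c.name] > c.capacity]
    return {"load": load, "blocked": blocked, "bypassed": bypassed,
            "oversubscribed": oversubscribed}


def chains_needed(total_load: int, per_chain_capacity: int) -> int:
    """Chains required so that the load still fits with one chain down."""
    return ceil(total_load / per_chain_capacity) + 1


if __name__ == "__main__":
    policy = HealthPolicy()
    chains = [Chain(n, ChainType.LAYER3, 100) for n in "ABC"]
    for _ in range(policy.failures_to_trip):   # chain C turns slow
        probe(chains[2], policy, True, 900.0, True)
    print(fail_over(chains, {"A": 60, "B": 60, "C": 60}, 60, OnFailure.BYPASS))
    print("chains needed for 180 sessions at 100 each:", chains_needed(180, 100))
```

Running the module shows chain C marked down after three slow probes, its 60 existing sessions bypassed, and the 60 new sessions landing on A and B (90 each), which fits their capacity of 100; dropping the capacity to 80 makes both remaining chains show up as oversubscribed, which is the cascade scenario the capacity advice warns about.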
