Configure Decryption Broker with One or More Layer 3 Security Chain
Perform the following steps to enable the firewall to act as a decryption broker that distributes traffic to a Layer 3 Security Chain for additional analysis and enforcement. Enabling the firewall as a decryption broker includes:
- Set up a Layer 3 security chain that adheres to the Layer 3 Security Chain Guidelines.
- Enable at least two firewall interfaces as decryption forwarding interfaces. A pair of decryption forwarding interfaces can support up to 64 security chains.
- Configure a Decryption Forwarding profile to enable the firewall to forward decrypted sessions to one or multiple security chains, to distribute those sessions amongst multiple security chains, and to monitor security chain health.
- Follow the Layer 3 Security Chain Guidelines to make sure that you’ve set up your security chain to support decryption broker.
- Activate the free Decryption Broker license (see Decryption Licenses).
- Confirm that the firewall is enabled to perform SSL Forward
Proxy decryption.Select PoliciesDecryption to Add or modify a decryption policy rule. You can also attach a decryption profile to a decryption policy rule, to perform certificate checks and to validate SSL protocols. For example, a decryption profile allows you to block sessions based on certificate status, using unsupported protocols or cipher suits, or if the resources to perform decryption are not available.
- Enable a pair of Layer 3 interfaces to forward decrypted
- View configured interfaces on the NetworkInterfacesEthernet tab. The Interface Type column displays if an interface is configured as a Layer 3 interface. Select a Layer 3 interface and complete the following steps for both Layer 3 interfaces that you want to enable as a Decrypt Forward pair.
- Select the Config tab and assign the interface to a Virtual Router that has no configured routes or interfaces used to pass dataplane traffic. The virtual router must be dedicated to the decryption forwarding interfaces to ensure the clear text sessions that the firewall forwards for additional analysis are totally segmented from dataplane traffic.
- Continue to assign the interface to a Security Zone. (Assign both interfaces to the same security zone).
- On the Advanced tab, select Decrypt Forward.
- Click OK to save the interface settings.
- Repeat these steps for an even number of interfaces, pairing two as you go.
- Make sure that the interfaces enabled to forward decrypted traffic are not being used to pass any other type of traffic.
- Create a Decryption Forwarding profile to define settings
for the firewall to forward decrypted traffic to a Layer 3 security chain.
- Select ObjectsDecryptionForwarding Profile, Add a new Decryption Forwarding Profile, and give the profile a descriptive Name.
- On the General tab, set the Security Chain Type to Routed (layer 3) to configure the firewall to forward decrypted traffic to a security chain with Layer 3 devices.
- Set the Flow Direction for decrypted traffic the firewall forwards: Unidirectional or Bidirectional.
- Select the Primary Interface and Secondary Interface
the firewall uses to communicate with the security chain.Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here. Your security chain type (Layer 3 or Transparent Bridge) and the traffic flow direction (unidirectional or bidirectional) determine which of the two interfaces forwards allowed, clear text traffic to the security chain, and which interface receives the traffic back from the security chain after it has undergone additional enforcement.
- Click OK to save the decryption profile.
- Connect the firewall to a security chain.
- Select the Security Chains tab and Add a security chain.
- Name and Enable the security chain.
- Enter details for the First Device and Last Device in
the security chain.Give the device a descriptive Name, and select the IPv4 address of the first device in the security chain. Or, you can define a new Address Object to easily reference the device.
- Click OK to save the security chain, and continue to repeat these steps to add another security chain. Or, continue on if you’re only adding a single chain.
- (Multiple Security Chains Only) Continue on the Security
Chains tab and choose the Session Distribution Method for the firewall
to use to distribute decrypted sessions amongst security chains.Choose for session distribution to be based on IP Modulo, IP Hash, Round Robin, or Lowest Latency. The Lowest Latency distribution method requires you to also enable the firewall to perform HTTP Latency Monitoring and HTTP Monitoring on the security chain.
- Select the Health Monitor tab to enable the firewall to
perform Security Chain Health Checks on security chains.If a security chain fails a health check, the firewall can then either block traffic until the security chain passes a subsequent health check and is able to process it, or the firewall can allow traffic to bypass a failed security chain.
- On Health Check Failure, choose for the firewall to either Bypass Security Chain or Block Session.
- Define a Health Check Failed Condition as an event where any of the health monitor conditions are met (an OR Condition), or when all of the conditions are met (an AND Condition).
- Enable Path Monitoring, HTTP Latency Monitoring, and/or
HTTP Monitoring. For each type of monitoring you want to enable,
define the periods of time and/or counts that you want to trigger
a health check failure.Latency and HTTP monitoring are required to effectively support Lowest Latency session distribution (ObjectsDecryptionForwarding ProfileSecurity Chains Session Distribution Method).
- Save the Forwarding profile.
- Attach the Forwarding Profile to a decryption policy rule.The firewall decrypts and inspects traffic the rule matches, and then forwards the clear text traffic to the security chain for further inspection and enforcement.
- Select PoliciesDecryption and select a decryption policy rule.
- Select Options.
- Set the Action to Decrypt and Forward.
- Select the Forwarding Profile you created.
- Click OK to save the policy rule and Commit your changes.
- Monitor the decrypted traffic that the firewalls forwards
for additional inspection.
- Select MonitorLogsTraffic and use the following filter: (flags has decrypt-forwarded).
- Check the details for a traffic log entry and look for the Decrypt Forwarded flag.
Decryption Broker: Multiple Security Chains
Decryption Broker: Multiple Security Chains A firewall enabled as a decryption broker supports forwarding to multiple security chains (Layer 3, Transparent Bridge, or a mix ...
Decryption Broker Concepts
Decryption Broker Concepts A firewall acting as a decryption broker uses dedicated decryption forwarding interfaces to send decrypted traffic to a security chain—a set of ...
Objects > Decryption > Forwarding Profile
Objects > Decryption > Forwarding Profile You can set up a Decryption Forwarding profile to enable the firewall to act as a decryption broker . ...
Configure Decryption Broker with a Single Transparent Bridg...
Configure Decryption Broker with a Single Transparent Bridge Security Chain Perform the following steps to enable the firewall to act as a decryption broker that ...
Decryption Broker Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear ...
Decryption Broker: Security Chain Health Checks
Decryption Broker: Security Chain Health Checks A decryption broker can monitor the status of security chains to ensure that they are effectively processing decrypted traffic. ...
Configure Decryption Broker with Multiple Transparent Bridg...
Configure Decryption Broker with Multiple Transparent Bridge Security Chains You can configure the firewall to distribute sessions among multiple Multiple Security Chains, where the security ...
Layer 3 Security Chain Guidelines
Layer 3 Security Chain Guidelines Follow these guidelines to set up Layer 3 security chain devices to support decryption broker: Configure security chain devices with ...
Decryption Broker Decryption broker allows you to offload SSL decryption to the Palo Alto Networks next-generation firewall and decrypt traffic only once. A firewall enabled ...