Configure Decryption Broker with a Single Transparent Bridge Security Chain
Perform the following steps to enable the firewall to act as a decryption broker that distributes traffic to a Transparent Bridge Security Chain for additional analysis and enforcement. Enabling the firewall as a decryption broker includes:
- Set up a Transparent Bridge security chain that adheres to the Transparent Bridge Security Chain Guidelines.
- Enable a pair of Layer 3 firewall interfaces as decryption forwarding interfaces. Each pair of decryption forwarding interfaces supports one transparent bridge security chain; you’ll need to create multiple decryption forwarding interface pairs to support multiple Transparent Bridge security chains.
- Configure a Decryption Forwarding profile to enable the firewall to forward decrypted sessions to a Transparent Bridge security chain and to monitor security chain performance.
Even if you plan to enable decryption broker with multiple Transparent Bridge security chains, you must perform the following steps first.
- Set up a Transparent Bridge security chain following the Transparent Bridge Security Chain Guidelines.
- Activate the free Decryption Broker license (see Decryption Licenses).
- Confirm that the firewall is enabled to perform SSL Forward Proxy decryption. Select Policies > Decryption to Add or modify a decryption policy rule. You can also attach a decryption profile to a decryption policy rule to perform certificate checks and validate SSL protocols. For example, a decryption profile allows you to block sessions based on certificate status, sessions that use unsupported protocols or cipher suites, or sessions for which the resources to perform decryption are not available.
- Enable a pair of Layer 3 interfaces to forward decrypted
- View configured interfaces on the Network > Interfaces > Ethernet tab. The Interface Type column shows whether an interface is configured as a Layer 3 interface. Select a Layer 3 interface and complete the following steps for both Layer 3 interfaces that you want to enable as a Decrypt Forward pair.
- Select the Config tab and assign the interface to a Virtual Router that has no configured routes or interfaces used to pass dataplane traffic. The virtual router must be dedicated to the decryption forwarding interfaces to ensure the clear text sessions that the firewall forwards for additional analysis are totally segmented from dataplane traffic.
- Continue to assign the interface to a Security Zone. (Assign both interfaces to the same security zone).
- On the Advanced tab, select Decrypt Forward.
- Click OK to save the interface settings.
- Repeat these steps so that at least two interfaces are enabled to forward decrypted traffic. A pair of two decryption forwarding interfaces supports a single Transparent Bridge Security Chain. If you want the firewall to distribute decrypted sessions among multiple Transparent Bridge security chains, continue to enable a pair of decryption forwarding interfaces for each security chain you want to support. Make sure that the interfaces enabled to forward decrypted traffic are not being used to pass any other type of traffic.
- Create a Decryption Forwarding profile to define settings for the firewall to forward decrypted traffic to a Transparent Bridge
- Select Objects > Decryption > Forwarding Profile, Add a new Decryption Forwarding Profile, and give the profile a descriptive Name.
- On the General tab, set the Security Chain Type to Transparent Bridge to configure the firewall to forward decrypted traffic to a security chain with Transparent Bridge devices.
- Set the Flow Direction for decrypted traffic the firewall forwards: Unidirectional or Bidirectional.
- Select the Primary Interface and Secondary Interface the firewall uses to forward traffic to the security chain. Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have enabled to be Decrypt Forward interfaces are displayed here.
- Select the Health Monitor tab to enable the firewall to perform health checks on a Transparent Bridge
- On Health Check Failure, set the firewall to Block Session. Because Transparent Bridge security chain session distribution is policy-based, traffic cannot bypass a failed security chain, as the traffic matched to a policy rule is assigned to a specific chain for inspection.
- Define a Health Check Failed Condition as an event where any of the health monitor conditions are met (an OR Condition), or when all of the conditions are met (an AND Condition).
- Enable Path Monitoring, HTTP Latency Monitoring, and/or HTTP Monitoring. For each type of monitoring you want to enable, define the periods of time and/or counts that you want to trigger a health check failure. Latency and HTTP monitoring are required to effectively support Lowest Latency session distribution (Objects > Decryption > Forwarding Profile > Security Chains > Session Distribution Method).
- Save the Forwarding Profile.
- Attach the Forwarding Profile to a decryption policy rule. The firewall decrypts and inspects traffic the rule matches, and then forwards the clear text traffic to the security chain for further inspection and enforcement.
- Select Policies > Decryption and select a decryption policy rule.
- Use the policy rule tabs to define the traffic that you want to forward to the associated Transparent Bridge security chain. For example, select Source and Add a Source Address range, or click New Address to create an address object that identifies traffic originating from a given IP address range. The policy rule will then enforce only traffic that originates from this source.
- Select Options.
- Set the Action to Decrypt and Forward.
- Select a Transparent Bridge Forwarding Profile.
- Click OK to save the policy rule and Commit your changes.
- (Optional) Continue to Configure Decryption Broker with Multiple Transparent Bridge Security Chains.
- Monitor the decrypted traffic that the firewall has forwarded for additional inspection.
- Select Monitor > Logs > Traffic and add the filter: (flags has decrypt-forwarded).
- Check the details for a traffic log entry and look for the Decrypt Forwarded flag.
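The interface requirements in the steps above (Layer 3, Decrypt Forward enabled, both interfaces in the same zone, and a virtual router dedicated to the pair with no routes and no other interfaces) are easy to get wrong when a router is reused. The following is an added example, not Palo Alto Networks code: a small lint that checks a forwarding pair against those requirements. The dataclasses are a constructed, simplified model of the relevant settings, and their field names are assumptions for illustration, not the real PAN-OS configuration schema.

```python
# Added example (not Palo Alto Networks code): a lint for the decryption
# forwarding interface pair described in the procedure above. The dataclasses
# are a constructed, simplified model of the relevant settings; their field
# names are assumptions for illustration, not the real configuration schema.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Interface:
    name: str
    layer3: bool                    # Interface Type is Layer 3
    zone: str                       # Security Zone
    virtual_router: str             # Virtual Router the interface is assigned to
    decrypt_forward: bool = False   # Advanced > Decrypt Forward enabled


@dataclass
class VirtualRouter:
    name: str
    static_routes: List[str] = field(default_factory=list)


def validate_forward_pair(primary: str, secondary: str,
                          interfaces: Dict[str, Interface],
                          routers: Dict[str, VirtualRouter]) -> List[str]:
    """Return guideline violations for a Primary/Secondary forwarding pair.

    Checks: both interfaces exist and are Layer 3, both have Decrypt Forward
    enabled, both are in the same security zone, and both sit in one virtual
    router that carries no routes and no other interfaces (dedicated to the pair).
    """
    problems: List[str] = []
    pair: List[Interface] = []
    for name in (primary, secondary):
        ifc = interfaces.get(name)
        if ifc is None:
            problems.append(f"{name}: interface not found")
            continue
        if not ifc.layer3:
            problems.append(f"{name}: not a Layer 3 interface")
        if not ifc.decrypt_forward:
            problems.append(f"{name}: Decrypt Forward not enabled")
        pair.append(ifc)
    if len(pair) != 2:
        return problems
    a, b = pair
    if a.zone != b.zone:
        problems.append(f"zone mismatch: {a.zone} vs {b.zone}")
    if a.virtual_router != b.virtual_router:
        problems.append(f"virtual router mismatch: {a.virtual_router} vs {b.virtual_router}")
        return problems
    vr = routers.get(a.virtual_router)
    if vr is None:
        problems.append(f"virtual router {a.virtual_router} not found")
        return problems
    if vr.static_routes:
        problems.append(f"virtual router {vr.name} has {len(vr.static_routes)} route(s); it must have none")
    others = sorted(i.name for i in interfaces.values()
                    if i.virtual_router == vr.name and i.name not in (a.name, b.name))
    if others:
        problems.append(f"virtual router {vr.name} also carries {', '.join(others)}; "
                        "it must be dedicated to the forwarding pair")
    return problems


# Constructed sample configuration: ethernet1/5 and ethernet1/6 form a correct
# pair; ethernet1/7 is flagged Decrypt Forward but shares the default router.
SAMPLE_INTERFACES = {
    "ethernet1/1": Interface("ethernet1/1", True, "trust", "default"),
    "ethernet1/2": Interface("ethernet1/2", True, "untrust", "default"),
    "ethernet1/5": Interface("ethernet1/5", True, "decrypt-chain", "vr-decrypt-fwd", True),
    "ethernet1/6": Interface("ethernet1/6", True, "decrypt-chain", "vr-decrypt-fwd", True),
    "ethernet1/7": Interface("ethernet1/7", True, "dmz", "default", True),
}
SAMPLE_ROUTERS = {
    "default": VirtualRouter("default", ["0.0.0.0/0 via 203.0.113.1"]),
    "vr-decrypt-fwd": VirtualRouter("vr-decrypt-fwd"),
}

if __name__ == "__main__":
    for pair in (("ethernet1/5", "ethernet1/6"), ("ethernet1/7", "ethernet1/2")):
        found = validate_forward_pair(*pair, SAMPLE_INTERFACES, SAMPLE_ROUTERS)
        print(pair, "OK" if not found else found)
```

The check stops at a virtual router mismatch because the remaining router checks only make sense once both interfaces share one router; the zone check still runs first so a misconfigured pair reports every independent problem it has.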
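The Health Monitor settings above combine up to three monitors (path, HTTP latency, HTTP) under an OR or AND condition, and on failure the firewall blocks the session rather than bypassing the chain. The following is an added example, not Palo Alto Networks code, that models that decision logic over constructed probe results so the difference between the OR and AND conditions is visible; the threshold names and the "trailing consecutive failures" semantics are assumptions chosen for illustration.

```python
# Added example (not Palo Alto Networks code): a model of the Health Monitor
# failure logic described in the procedure above. Probe results are constructed
# sample data; threshold names and "consecutive failures" semantics are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Probe:
    path_ok: bool                 # path monitor: a reply to the probe was received
    http_status: Optional[int]    # HTTP monitor: response code, None if no answer
    latency_ms: Optional[float]   # HTTP latency monitor: round-trip time, None if no answer


@dataclass
class HealthPolicy:
    condition: str = "OR"          # Health Check Failed Condition: "OR" or "AND"
    enable_path: bool = True
    enable_http: bool = True
    enable_latency: bool = True
    path_fail_count: int = 3       # consecutive lost path probes that count as failure
    http_fail_count: int = 3       # consecutive non-2xx or missing HTTP responses
    latency_max_ms: float = 500.0  # latency threshold
    latency_fail_count: int = 3    # consecutive probes over the threshold


def _trailing(probes: List[Probe], failed: Callable[[Probe], bool]) -> int:
    """Count the most recent consecutive probes for which failed() is true."""
    n = 0
    for p in reversed(probes):
        if not failed(p):
            break
        n += 1
    return n


def monitor_results(probes: List[Probe], policy: HealthPolicy) -> Dict[str, bool]:
    """Per-monitor failure state for the enabled monitors only."""
    results: Dict[str, bool] = {}
    if policy.enable_path:
        results["path"] = _trailing(probes, lambda p: not p.path_ok) >= policy.path_fail_count
    if policy.enable_http:
        results["http"] = _trailing(
            probes, lambda p: p.http_status is None or not 200 <= p.http_status < 300
        ) >= policy.http_fail_count
    if policy.enable_latency:
        results["latency"] = _trailing(
            probes, lambda p: p.latency_ms is None or p.latency_ms > policy.latency_max_ms
        ) >= policy.latency_fail_count
    return results


def chain_failed(probes: List[Probe], policy: HealthPolicy) -> bool:
    """OR: any enabled monitor failed; AND: every enabled monitor failed."""
    results = monitor_results(probes, policy)
    if not results:
        return False
    return all(results.values()) if policy.condition == "AND" else any(results.values())


def forwarding_action(probes: List[Probe], policy: HealthPolicy) -> str:
    """Transparent Bridge chains cannot be bypassed, so failure means Block Session."""
    return "block-session" if chain_failed(probes, policy) else "forward"


# Constructed probe histories, oldest first.
SAMPLE_HEALTHY = [Probe(True, 200, 40.0)] * 5
SAMPLE_SLOW = [Probe(True, 200, 40.0)] * 2 + [Probe(True, 200, 800.0)] * 3  # only latency degraded
SAMPLE_DOWN = [Probe(True, 200, 40.0)] * 2 + [Probe(False, None, None)] * 3  # every monitor failing

if __name__ == "__main__":
    for label, probes in (("healthy", SAMPLE_HEALTHY), ("slow", SAMPLE_SLOW), ("down", SAMPLE_DOWN)):
        for cond in ("OR", "AND"):
            print(label, cond, forwarding_action(probes, HealthPolicy(condition=cond)))
```

With the OR condition a latency-only degradation already blocks sessions, which is the stricter choice; with AND, the same chain keeps receiving traffic until the path and HTTP monitors also fail. Since a blocked session is the failure mode here, the thresholds decide how much degradation users see before the chain is declared down.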