Configure Decryption Broker with Multiple Transparent Bridge Security Chains
You can configure the firewall to distribute sessions among multiple security chains, where the security chains are in Transparent Bridge mode. For each Transparent Bridge security chain you want to support, you must configure:
- A pair of decryption forwarding interfaces that forward traffic only to that single Transparent Bridge security chain.
- A Decryption Forwarding profile that specifies settings only for that single Transparent Bridge security chain.
- A Decryption policy rule that forwards only certain decrypted traffic to that single Transparent Bridge security chain. This allows you to distribute sessions more evenly among multiple Transparent Bridge security chains, based on traffic origin, and so avoid oversubscribing any one security chain.
- First, follow the steps to Configure Decryption Broker with a Single Transparent Bridge Security Chain.
- For each Transparent Bridge security chain you want to support:
  - On the firewall, enable a pair of Layer 3 interfaces to support forwarding of decrypted traffic.
  - Create a Decryption Forwarding profile to define settings for the firewall to forward decrypted traffic to a Transparent Bridge security chain.
- Attach each Transparent Bridge Decryption Forwarding profile to a separate decryption policy rule. In addition to applying the decryption forwarding settings to matching traffic, attaching Transparent Bridge Decryption Forwarding profiles to decryption policy rules allows you to distribute sessions among the Transparent Bridge security chains. Specify a different source address range for each policy rule to dedicate a single Transparent Bridge security chain to analyze and enforce traffic originating from that range.
  - Select Policies > Decryption and select a decryption policy rule.
  - Select Source and Add a Source Address range, or click New Address to create a new address object that identifies traffic originating from a given IP address range. Only traffic originating from this IP address range is forwarded to the associated Transparent Bridge security chain for analysis.
  - Select Options.
  - Set the Action to Decrypt and Forward.
  - Select a Transparent Bridge Forwarding Profile to attach to the policy rule.
  - Click OK to save the policy rule and Commit your changes.
  - Repeat these steps (associating one Transparent Bridge decryption forwarding profile with one decryption policy rule) for as many security chains as you want to support.
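
A planning check for the per-chain requirements above, written as an added example that is not part of the original documentation and does not call any firewall API. The rule names, profile names, interface labels, and address ranges are constructed placeholders; the check flags a profile attached to more than one rule, a forwarding interface shared between chains, and source ranges that overlap across rules.

```python
import ipaddress
from itertools import combinations

# Constructed plan: one entry per decryption policy rule. Names, interface
# labels and address ranges are hypothetical placeholders, not firewall output.
PLAN = [
    {"rule": "fwd-chain-1", "profile": "tb-profile-1",
     "interfaces": ("ethernet1/5", "ethernet1/6"), "sources": ["10.1.0.0/16"]},
    {"rule": "fwd-chain-2", "profile": "tb-profile-2",
     "interfaces": ("ethernet1/7", "ethernet1/8"),
     "sources": ["10.2.0.0/16", "10.1.128.0/17"]},
    {"rule": "fwd-chain-3", "profile": "tb-profile-2",
     "interfaces": ("ethernet1/9", "ethernet1/6"), "sources": ["192.168.10.0/24"]},
]

def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    profile_owner, iface_owner = {}, {}
    for entry in plan:
        # One Decryption Forwarding profile per decryption policy rule.
        prev = profile_owner.setdefault(entry["profile"], entry["rule"])
        if prev != entry["rule"]:
            findings.append(
                f"profile {entry['profile']} attached to {prev} and {entry['rule']}")
        # Each forwarding interface serves only one security chain.
        for iface in entry["interfaces"]:
            prev = iface_owner.setdefault(iface, entry["rule"])
            if prev != entry["rule"]:
                findings.append(
                    f"interface {iface} used by {prev} and {entry['rule']}")
    # Source ranges must differ per rule so each chain is dedicated to its own traffic.
    for a, b in combinations(plan, 2):
        for net_a in map(ipaddress.ip_network, a["sources"]):
            for net_b in map(ipaddress.ip_network, b["sources"]):
                if net_a.overlaps(net_b):
                    findings.append(
                        f"source overlap: {a['rule']} {net_a} and {b['rule']} {net_b}")
    return findings

if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```

Run it against the planned rule set before you commit; an empty result means each chain has its own profile, interface pair, and source range.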