Configure Decryption Broker with Multiple Transparent Bridge Security Chains

You can configure the firewall to distribute sessions among multiple Multiple Security Chains, where the security chains are in Transparent Bridge mode. For each Transparent Bridge security chain you want to support, you must configure:
  • A pair of decryption forwarding interfaces that forward traffic only to that single Transparent Bridge security chain.
  • A Decryption Forwarding profile that specifies settings only for that single Transparent Bridge security chain.
  • A Decryption policy rule that specifies only for certain decrypted traffic to be forwarded to that single Transparent Bridge security chain. This allows you to distribute sessions more evenly among multiple Transparent Bridge security chains (in order to avoid oversubscribing any one security chain) based on traffic origin.
  1. First, follow the steps to Configure Decryption Broker with a Single Transparent Bridge Security Chain. For each Transparent Bridge security chain you want to support, this includes:
    • On the firewall, enable a pair of Layer 3 interfaces to support forwarding of decrypted traffic.
    • Create a Decryption Forwarding profile to define settings for the firewall to forward decrypted traffic to a Transparent Bridge security chain.
  2. Attach each Transparent Bridge Decryption Forwarding profile to a separate decryption policy rule.
    In addition to applying the decryption forwarding settings to matching traffic, attaching Transparent Bridge Decryption Forwarding profiles to decryption policies rules allows you to distribute sessions amongst the Transparent Bridge Security chains. Specify a different source address range for each policy rule to dedicate a single Transparent Bridge security chain to analyze and enforce traffic originating from that range.
    1. Select PoliciesDecryption and select a decryption policy rule.
    2. Select Source and Add a Source Address range, or click New Address to create a new address objects that identifies traffic originating from a given IP address range. Only traffic originating from this IP address range is forwarded to the associated Transparent Bridge security chain for analysis.
    3. Select Options.
    4. Set the Action to Decrypt and Forward.
    5. Select a Transparent Bridge Forwarding Profile to attach to the policy rule.
    6. Click OK to save the policy rule and Commit your changes.
  3. Continue to repeat these steps—associated one Transparent Bridge decryption forwarding profile with one decryption policy—for as many security chains as you want to support.

Related Documentation