Layer 3 Security Chain Guidelines
Follow these guidelines to set up Layer 3 security chain devices to support decryption broker:
- Configure security chain devices with Layer 3 interfaces to connect to the security chain network. These Layer 3 interfaces must have an assigned IP address and subnet mask.
- Do not include devices that modify IP or TCP headers in a security chain, or be sure to disable any features that perform these functions. If the security chain returns a session to the firewall with a modified IP or TCP header, the firewall drops the session as it can no longer match it to the original pre-decrypted session.
- Set the default gateways for security chain devices:
- For all security chain devices except the last device in the chain, configure the default gateway to be the IP address of the next inline device.
- For the last security chain device, configure the default gateway to be the firewall’s Secondary Interface IP address. This ensures that the last device returns the traffic flow to the firewall. (When you configure a decryption forwarding profile, you’ll assign one of the decryption forwarding interfaces to be the decryption broker Secondary Interface. See Objects > Decryption > Forwarding Profile > Secondary Interface, and use this interface’s IP address).
- If you configured the firewall to direct sessions through the security chain bidirectionally, you must also set the default gateway of the first security chain device to be the firewall’s Primary Interface IP address. (When you configure a decryption forwarding profile, you’ll assign one of the decryption forwarding interfaces to be the decryption broker Primary Interface. See Objects > Decryption > Forwarding Profile > Primary Interface, and use this interface’s IP address).
- Confirm that the firewall and security chain can effectively communicate: check that the router that directs traffic between the firewall and the security chain is configured correctly, and that security chain devices are configured with static routes to appropriately direct traffic.
- Security chain devices should not originate traffic to a network outside of the security chain. The firewall blocks traffic that it cannot match to the original pre-decrypted session. However, if a security chain device requires Internet access to receive updates, make sure that the device can access a separate network (for example, via the device’s management port) to facilitate those updates.
- When configuring multiple security chains, it is a best practice to deploy enough security chains to provide excess capacity in the event of a security chain failure. If you enable the firewall to perform Security Chain Health Checks, and a security chain fails, the firewall continues to distribute decrypted sessions among the healthy security chains. If there are not enough healthy chains to cover the additional load, that single security chain failure could result in cascading failures as the remaining healthy security chains are oversubscribed.
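The default gateway rules above are easy to get wrong on a long chain, so here is an added planning check (example code, not part of this page or of any Palo Alto Networks tool) that derives the next hops each device must point at and flags gateways that are not on the device's own security chain subnet or interfaces with no subnet mask. The device names and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample: three inline devices and the firewall's two decryption
# forwarding interfaces all on the security chain network 10.20.0.0/24.
PRIMARY_IF = "10.20.0.1"      # assumed decryption broker Primary Interface
SECONDARY_IF = "10.20.0.254"  # assumed decryption broker Secondary Interface
CHAIN = [("ids-1", "10.20.0.11/24"),   # first inline device
         ("dlp-1", "10.20.0.12/24"),
         ("av-1", "10.20.0.13/24")]    # last inline device

def required_next_hops(devices, primary_ip, secondary_ip, bidirectional=False):
    """Map each device name to the next-hop addresses its default route must cover.

    Rules from the guidelines: every device except the last points at the next
    inline device; the last device points at the firewall's Secondary Interface
    so the flow returns to the firewall; with bidirectional forwarding the first
    device must also reach the firewall's Primary Interface.
    """
    hops = {}
    for idx, (name, _cidr) in enumerate(devices):
        is_last = idx == len(devices) - 1
        nxt = secondary_ip if is_last else devices[idx + 1][1].split("/")[0]
        hops[name] = {nxt}
        if bidirectional and idx == 0:
            hops[name].add(primary_ip)
    return hops

def on_link_problems(devices, hops):
    """Report interfaces without a mask and next hops outside the device's subnet.

    A default gateway must be directly reachable on the Layer 3 interface that
    connects the device to the security chain network; anything else needs an
    explicit static route or is a misconfiguration.
    """
    problems = []
    for name, cidr in devices:
        iface = ipaddress.ip_interface(cidr)
        if iface.network.prefixlen == iface.max_prefixlen:  # bare address, no mask
            problems.append(f"{name}: interface {iface} has no subnet mask assigned")
            continue
        for hop in sorted(hops.get(name, ())):
            if ipaddress.ip_address(hop) not in iface.network:
                problems.append(f"{name}: next hop {hop} is not on {iface.network}")
    return problems

if __name__ == "__main__":
    plan = required_next_hops(CHAIN, PRIMARY_IF, SECONDARY_IF, bidirectional=True)
    for name, hops in plan.items():
        print(f"{name}: default gateway must reach {', '.join(sorted(hops))}")
    print("problems:", on_link_problems(CHAIN, plan) or "none")
```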