Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This allows you to consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure.

A decryption broker firewall uses a pair of designated forwarding interfaces to connect to the security chain. Together, the firewall and the security chain function as private analysis network—the clear text traffic flowing through this network is totally segmented from dataplane traffic. The decryption broker firewall first inspects the decrypted (now clear text) SSL traffic, and then sends it to the security chain. If you’ve configured multiple security chains, the firewall can perform session distribution to avoid oversubscribing any one chain. Then, last device in a security chain sends the clear text traffic back to the firewall. The firewall re-encrypts the traffic and sends it to its destination.

How you deploy decryption broker might vary depending on what type of security chain you plan to use. Two types of security chain deployments are supported: Layer 3 security chains (devices have assigned IP addresses and are configured with static routes to direct traffic) and transparent bridge security chains (devices do not have IP addresses or local routing tables and are serially connected).

Decryption broker is supported for PA-7000 Series, PA-3200 Series, PA-5200 Series, and VM-Series devices, and is supported only for outbound SSL traffic (from internal users to the internet) that is being decrypted using SSL Forward Proxy decryption. To learn more about decryption broker, and for detailed and complete steps to enable this feature, see Decryption Broker. Enabling decryption broker includes: