Decryption Broker
Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This allows you to consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure.
A decryption broker firewall uses a pair of designated forwarding interfaces to connect to the security chain. Together, the firewall and the security chain function as a private analysis network—the clear text traffic flowing through this network is totally segmented from dataplane traffic. The decryption broker firewall first inspects the decrypted (now clear text) SSL traffic, and then sends it to the security chain. If you’ve configured multiple security chains, the firewall can perform session distribution to avoid oversubscribing any one chain. The last device in a security chain then sends the clear text traffic back to the firewall. The firewall re-encrypts the traffic and sends it to its destination.
How you deploy decryption broker might vary depending on what type of security chain you plan to use. Two types of security chain deployments are supported: Layer 3 security chains (devices have assigned IP addresses and are configured with static routes to direct traffic) and transparent bridge security chains (devices do not have IP addresses or local routing tables and are serially connected).
Decryption broker is supported for PA-7000 Series, PA-3200 Series, PA-5200 Series, and VM-Series devices, and is supported only for outbound SSL traffic (from internal users to the internet) that is being decrypted using SSL Forward Proxy decryption. To learn more about decryption broker, and for detailed and complete steps to enable this feature, see Decryption Broker. Enabling decryption broker includes:
- Deciding which security chain deployment to use—a Layer 3 security chain or a Transparent Bridge security chain—and following the guidelines to configure that security chain.
- Activating the free Decryption Broker license.
- Confirming that SSL Forward Proxy decryption is enabled.
- Enabling the firewall to act as a decryption broker with a Layer 3 security chain or a Transparent Bridge security chain. This includes designating a pair of Layer 3 interfaces to connect the firewall to the security chain, and optionally configuring the firewall to forward to multiple security chains.
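As an added illustration (not Palo Alto Networks code or PAN-OS configuration), the following Python model captures the forwarding decisions described above: only outbound sessions decrypted by SSL Forward Proxy are brokered, the clear text leaves and returns over the forwarding interface pair, sessions are distributed across chains so that no single chain is oversubscribed, and the firewall re-encrypts what the chain hands back. The internal address ranges, the client-address hash as the distribution method, the per-chain session capacity, and the fail-closed behaviour when no chain is usable are assumptions of this model, not documented PAN-OS behaviour.

```python
"""Constructed model of a decryption broker firewall's forwarding decisions.

Illustration only: not PAN-OS code. It shows which sessions are brokered,
how a session is assigned to one of several security chains, and the path
the clear text takes before being re-encrypted.
"""
from dataclasses import dataclass
import hashlib
import ipaddress
from typing import List, Optional

# Assumed internal ("from internal users") address space for this model.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    # How the firewall decrypted the session: "forward-proxy",
    # "inbound-inspection", or None when the session was not decrypted.
    decrypted_by: Optional[str]


@dataclass
class SecurityChain:
    name: str
    kind: str                  # "layer3" or "transparent-bridge"
    healthy: bool = True       # result of the chain health check
    sessions: int = 0          # sessions currently assigned to this chain
    max_sessions: int = 1000   # assumed capacity used to avoid oversubscription


def is_brokerable(s: Session) -> bool:
    """Only outbound sessions decrypted by SSL Forward Proxy are brokered."""
    src_internal = any(ipaddress.ip_address(s.src) in n for n in INTERNAL_NETS)
    dst_internal = any(ipaddress.ip_address(s.dst) in n for n in INTERNAL_NETS)
    return src_internal and not dst_internal and s.decrypted_by == "forward-proxy"


def pick_chain(s: Session, chains: List[SecurityChain]) -> Optional[SecurityChain]:
    """Session distribution: choose a healthy chain that still has capacity.

    Assumed method: a stable hash of the client address, so every session
    from one client lands on the same chain as long as the candidate set
    does not change.
    """
    candidates = [c for c in chains if c.healthy and c.sessions < c.max_sessions]
    if not candidates:
        return None
    digest = hashlib.sha256(s.src.encode()).digest()
    return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]


def broker(s: Session, chains: List[SecurityChain]) -> List[str]:
    """Return the path a session takes through the decryption broker firewall."""
    if not is_brokerable(s):
        # Not decryption-broker traffic: ordinary firewall handling, no chain involved.
        return ["inspect-on-firewall", "forward-to-destination"]
    trace = ["decrypt-once", "inspect-cleartext-on-firewall"]
    chain = pick_chain(s, chains)
    if chain is None:
        # Assumed policy for this model: no usable chain means the session is dropped.
        return trace + ["no-usable-chain", "drop"]
    chain.sessions += 1
    trace += [
        f"forwarding-interface-out -> {chain.name} ({chain.kind})",
        f"{chain.name} last device -> forwarding-interface-in",
        "re-encrypt",
        "forward-to-destination",
    ]
    return trace


if __name__ == "__main__":
    # Constructed sample: one Layer 3 chain and one transparent bridge chain
    # whose health check has failed.
    chains = [
        SecurityChain("chain-a", "layer3"),
        SecurityChain("chain-b", "transparent-bridge", healthy=False),
    ]
    outbound = Session("10.1.1.5", "93.184.216.34", 443, "forward-proxy")
    inbound = Session("93.184.216.34", "10.1.1.5", 443, "inbound-inspection")
    for step in broker(outbound, chains):
        print(step)
    print(broker(inbound, chains))
```

The two checks worth keeping from this model are the `is_brokerable` gate (anything that is not outbound SSL Forward Proxy traffic never reaches a chain) and the candidate filter in `pick_chain` (a chain that fails its health check or is at capacity is removed from distribution, which is what keeps one chain from being oversubscribed).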