Offload SSL decryption to the Palo Alto Networks
firewall and decrypt traffic only once. A firewall enabled as a
decryption broker forwards clear text traffic to security chains
(sets of inline, third-party appliances) for additional enforcement.
This allows you to consolidate security functions on the firewall,
optimize network performance, and reduce the number of devices in
your security infrastructure.
A decryption broker firewall
uses a pair of designated forwarding interfaces to connect to the
security chain. Together, the firewall and the security chain function
as a private analysis network: the clear text traffic flowing through
this network is completely segmented from dataplane traffic, which
matters because every device on that segment sees the decrypted
sessions. The decryption broker firewall first inspects the decrypted
(now clear text) SSL traffic, and then sends it to the security chain.
If you have configured multiple security chains, the firewall can
perform session distribution to avoid oversubscribing any one chain.
The last device in a security chain then sends the clear text traffic
back to the firewall, which re-encrypts it and sends it to its
destination.
How you deploy decryption broker might vary depending on what type of
security chain you plan to use. Two types of security chain deployments
are supported: Layer 3 security chains (devices have assigned IP
addresses and are configured with static routes to direct traffic
through the chain) and transparent bridge security chains (devices do
not have IP addresses or local routing tables and are serially
connected).
Decryption broker is supported on PA-7000 Series, PA-3200 Series,
PA-5200 Series, and VM-Series firewalls, and only for outbound SSL
traffic (from internal users to the internet) that is decrypted using
SSL Forward Proxy decryption; it does not apply to inbound decryption.
To learn more about decryption broker, and for detailed and complete
steps to enable this feature, see Decryption Broker. Enabling
decryption broker involves two steps:
1. Decide what security chain deployment to use, a Layer 3 security
chain or a Transparent Bridge security chain, and follow the guidelines
to configure that security chain.
2. Enable the firewall to act as a decryption broker with a Layer 3
security chain or a Transparent Bridge security chain. This includes
designating a pair of Layer 3 interfaces to connect the firewall to the
security chain, and optionally configuring the firewall to forward to
multiple security chains.