Objects > Decryption > Forwarding Profile

You can set up a Decryption Forwarding profile to enable the firewall to act as a decryption broker. A decryption broker firewall forwards traffic that it has already decrypted and inspected to a security chain—a set of inline, third-party security appliances—for additional enforcement. You can also configure the firewall to provide session distribution for the security chain to ensure that security-chain devices are not oversubscribed. When the firewall receives traffic back from the security chain, the firewall re-encrypts the traffic and forwards it to the appropriate destination.

Before you create a Decryption Forwarding profile to enable decryption brokering, you must:

Enable SSL Forward Proxy decryption.

Dedicate at least two Layer 3 interfaces on the firewall for forwarding decrypted traffic to the security chain (select

Network

Interfaces

Ethernet

, edit an interface, select

Advanced

Other Info

, and then enable Decrypt Forward). Repeat this task to enable a second interface as a Decrypt Forward interface.

After you complete these tasks, create a Decryption Forwarding profile to pair the two interfaces and define settings for the security chain to which the firewall will forward decrypted traffic.

See Decryption Broker to learn more about supported decryption broker and security chain deployments and for the full workflow to enable a firewall to act as a decryption broker.

Decryption Forwarding Settings	Description
Name	Give the profile a descriptive name.
Description	Optionally describe the profile settings.
General Tab
Security Chain Type	Select the type of security chain to which the firewall forwards decrypted traffic: Routed (Layer 3) : The devices in this type of security chain use Layer 3 interfaces to connect to the security-chain network—each interface must have an assigned IP address and subnet mask. Security-chain devices are configured with static routes (or dynamic routing) to direct inbound and outbound traffic to the next device in the security chain and back to the firewall. Transparent Bridge : In a transparent-bridge security-chain network, all security-chain devices are configured with two interfaces connected to the security-chain network. These two dataplane interfaces are configured to be in Transparent Bridge mode; they do not have assigned IP addresses, subnet masks, default gateways, or local routing tables. Security-chain devices in Transparent Bridge mode receive traffic on one interface and then analyze and enforce the traffic before it egresses the other interface on the way to the next inline security-chain device.
Flow Direction	Specify how the firewall directs decrypted inbound and outbound sessions through a security chain: in the same direction (unidirectionally) or in opposite directions (bidirectionally). The flow direction you choose depends on the type of devices that make up your security chain. For example, if a security chain comprises of stateless devices that can examine both sides of a session, you would choose a unidirectional flow.
Primary Interface	Select the primary and secondary interfaces that the firewall will use to forward traffic to a security chain. Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you configure as Decrypt Forward interfaces are displayed.
Secondary Interface
Security Chains Tab
Enable	Enable the security chain.
Name	Give the security chain a descriptive name.
First Device	Select the IPv4 address of the first device and the last device in the security chain or define a new Address Object to easily reference the device.
Last Device
Session Distribution Method	When forwarding to multiple Routed (Layer 3) security chains, choose the method that the firewall will use to distribute decrypted sessions among security chains: IP Modulo —The firewall assigns sessions based on the module hash of the source and destination IP addresses. IP Hash —The firewall assigns sessions based on the IP hash of the source and destination IP addresses and port numbers. Round Robin —The firewall allocates sessions evenly among security chains. Lowest Latency —The firewall allocates more sessions to the security chain with the lowest latency. For this method to work as expected, you must also enable Latency Monitoring and HTTP Monitoring (select Health Monitor ).
Health Monitor Tab
On Health Check Failure	Choose for the firewall to either Bypass Security Chain (allow session traffic) or Block Session if all security chains associated with this decryption forwarding profile fail a health check. This means that when a decryption profile is configured with multiple security chains, if a single security chain fails a health check, the firewall performs session distribution across the remaining healthy security chains based on the method specified on the Security Chains tab—it only blocks or allow the traffic based on this setting in the event that every security chain fails.
Health Check Failed Condition	Define a health check failure as an event where any of the health monitor conditions are met (an OR Condition ) or when all of the conditions are met (an AND Condition ).
Path Monitoring	Enable path, latency, or HTTP monitoring or any combination of the three to identify when security chains are not effectively processing decrypted traffic. For each type of monitoring you enable, define the periods of time and counts that will trigger a health check failure. Enable: Path monitoring to check device connectivity. Latency monitoring to check device processing speed and efficiency. HTTP monitoring to check device availability and response time.
Latency Monitoring
HTTP Monitoring

Document:PAN-OS® Web Interface Reference

Objects > Decryption > Forwarding Profile

Objects > Decryption > Forwarding Profile

Recommended For You

Document:PAN-OS® Web Interface Reference

Objects > Decryption > Forwarding Profile

Objects > Decryption > Forwarding Profile

Recommended For You

Recommended Videos