Objects > Decryption > Forwarding Profile

You can set up a Decryption Forwarding profile to enable the firewall to act as a decryption broker. A decryption broker firewall forwards traffic that it has already decrypted and inspected to a security chain—a set of inline, third-party security appliances—for additional enforcement. You can also configure the firewall to provide session distribution for the security chain to ensure that security-chain devices are not oversubscribed. When the firewall receives traffic back from the security chain, the firewall re-encrypts the traffic and forwards it to the appropriate destination.
Before you create a Decryption Forwarding profile to enable decryption brokering, you must:
  • Enable SSL Forward Proxy decryption.
  • Dedicate at least two Layer 3 interfaces on the firewall for forwarding decrypted traffic to the security chain (select Network > Interfaces > Ethernet, edit an interface, select Advanced > Other Info, and then enable Decrypt Forward). Repeat this task to enable a second interface as a Decrypt Forward interface.
After you complete these tasks, create a Decryption Forwarding profile to pair the two interfaces and define settings for the security chain to which the firewall will forward decrypted traffic.
See Decryption Broker to learn more about supported decryption broker and security chain deployments and for the full workflow to enable a firewall to act as a decryption broker.
Decryption Forwarding Settings
Name
Give the profile a descriptive name.
Description
Optionally describe the profile settings.
General Tab
Security Chain Type
Select the type of security chain to which the firewall forwards decrypted traffic:
  • Routed (Layer 3): The devices in this type of security chain use Layer 3 interfaces to connect to the security-chain network—each interface must have an assigned IP address and subnet mask. Security-chain devices are configured with static routes (or dynamic routing) to direct inbound and outbound traffic to the next device in the security chain and back to the firewall.
  • Transparent Bridge: In a transparent-bridge security-chain network, all security-chain devices are configured with two interfaces connected to the security-chain network. These two dataplane interfaces are configured to be in Transparent Bridge mode; they do not have assigned IP addresses, subnet masks, default gateways, or local routing tables. Security-chain devices in Transparent Bridge mode receive traffic on one interface and then analyze and enforce the traffic before it egresses the other interface on the way to the next inline security-chain device.
Flow Direction
Specify how the firewall directs decrypted inbound and outbound sessions through a security chain: in the same direction (unidirectionally) or in opposite directions (bidirectionally). The flow direction you choose depends on the type of devices that make up your security chain. For example, if a security chain comprises stateless devices that can examine both sides of a session, you would choose a unidirectional flow.
Primary Interface
Secondary Interface
Select the primary and secondary interfaces that the firewall will use to forward traffic to a security chain. Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you configure as Decrypt Forward interfaces are displayed.
Security Chains Tab
Enable
Enable the security chain.
Name
Give the security chain a descriptive name.
First Device
Last Device
Select the IPv4 address of the first device and the last device in the security chain or define a new Address Object to easily reference the device.
Session Distribution Method
When forwarding to multiple Routed (Layer 3) security chains, choose the method that the firewall will use to distribute decrypted sessions among security chains:
  • IP Modulo—The firewall assigns sessions based on the modulo hash of the source and destination IP addresses.
  • IP Hash—The firewall assigns sessions based on the IP hash of the source and destination IP addresses and port numbers.
  • Round Robin—The firewall allocates sessions evenly among security chains.
  • Lowest Latency—The firewall allocates more sessions to the security chain with the lowest latency. For this method to work as expected, you must also enable Latency Monitoring and HTTP Monitoring (select Health Monitor).
Health Monitor Tab
On Health Check Failure
Choose for the firewall to either Bypass Security Chain (allow session traffic) or Block Session if all security chains associated with this decryption forwarding profile fail a health check.
This means that when a decryption forwarding profile is configured with multiple security chains, if a single security chain fails a health check, the firewall performs session distribution across the remaining healthy security chains based on the method specified on the Security Chains tab—it only blocks or allows the traffic based on this setting in the event that every security chain fails.
Health Check Failed Condition
Define a health check failure as an event where any of the health monitor conditions are met (an OR Condition) or when all of the conditions are met (an AND Condition).
Path Monitoring
Latency Monitoring
HTTP Monitoring
Enable path, latency, or HTTP monitoring or any combination of the three to identify when security chains are not effectively processing decrypted traffic. For each type of monitoring you enable, define the periods of time and counts that will trigger a health check failure.
Enable:
  • Path monitoring to check device connectivity.
  • Latency monitoring to check device processing speed and efficiency.
  • HTTP monitoring to check device availability and response time.
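The Session Distribution Method choices and the Health Monitor failure handling described above, as an added Python illustration that is not Palo Alto Networks code: the chain names, addresses, and the hash functions standing in for IP Modulo and IP Hash are assumptions, since the page does not document the firewall's exact hashing.

```python
import hashlib
from ipaddress import ip_address

# Added illustration, not firewall code. The exact hash used for IP Modulo and
# IP Hash is not documented here; the functions below are labelled assumptions.
class SecurityChain:
    def __init__(self, name, latency_ms, path_ok=True, latency_ok=True, http_ok=True):
        self.name, self.latency_ms = name, latency_ms
        # Results of the three optional monitors on the Health Monitor tab
        self.path_ok, self.latency_ok, self.http_ok = path_ok, latency_ok, http_ok

    def health_check_failed(self, condition):
        # OR Condition: any monitor failing is a failure; AND Condition: all must fail.
        failures = [not self.path_ok, not self.latency_ok, not self.http_ok]
        return any(failures) if condition == "OR" else all(failures)

def pick_chain(session, chains, method, rr_state):
    """Choose one healthy chain for a session (src, dst, sport, dport)."""
    src, dst, sport, dport = session
    n = len(chains)
    if method == "IP Modulo":      # assumed: sum of source and destination IPs, modulo chain count
        return chains[(int(ip_address(src)) + int(ip_address(dst))) % n]
    if method == "IP Hash":        # assumed: hash over IPs and ports, modulo chain count
        key = f"{src}:{sport}-{dst}:{dport}".encode()
        return chains[int(hashlib.sha256(key).hexdigest(), 16) % n]
    if method == "Round Robin":    # hand sessions out evenly in turn
        chain = chains[rr_state["next"] % n]
        rr_state["next"] += 1
        return chain
    if method == "Lowest Latency": # favour the chain reporting the lowest latency
        return min(chains, key=lambda c: c.latency_ms)
    raise ValueError(f"unknown distribution method: {method}")

def distribute(sessions, chains, method, condition="OR", on_failure="Bypass Security Chain"):
    """Map each session to a chain name, or to BYPASS/BLOCK when every chain failed."""
    healthy = [c for c in chains if not c.health_check_failed(condition)]
    rr_state, result = {"next": 0}, {}
    for s in sessions:
        if healthy:   # at least one chain is healthy: distribute among the survivors only
            result[s] = pick_chain(s, healthy, method, rr_state).name
        else:         # all chains failed: apply On Health Check Failure
            result[s] = "BYPASS" if on_failure == "Bypass Security Chain" else "BLOCK"
    return result

# Constructed sample chains and sessions (hypothetical names and addresses)
CHAINS = [SecurityChain("chain-A", 5), SecurityChain("chain-B", 12, path_ok=False),
          SecurityChain("chain-C", 3, path_ok=False, latency_ok=False, http_ok=False)]
SESSIONS = [("10.1.1.10", "192.0.2.5", 40000, 443), ("10.1.1.11", "192.0.2.5", 40001, 443),
            ("10.1.1.12", "192.0.2.6", 40002, 443)]
```

With the OR Condition only chain-A survives its checks, so every session lands there; with the AND Condition chain-B is still considered healthy and shares the load, and only when the last chain fails does the Bypass or Block setting apply.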