Decryption Broker: Multiple Security Chains
A firewall enabled as a decryption broker supports forwarding to multiple security chains (Layer 3, Transparent Bridge, or a mix of both) in order to provide redundancy and to balance the analysis load, avoiding oversubscribing a security chain or a single security chain device. Because the firewall's capacity to decrypt and forward traffic can exceed the capacity of security chain devices to process traffic, you can configure the firewall to distribute clear text sessions to multiple security chain networks for inspection. The firewall can distribute sessions among both types of security chain networks, so that security chains can share the inspection load; however, the method for enabling session distribution differs depending on whether you are using Layer 3 security chains or Transparent Bridge security chains.
A decryption broker forwarding to multiple Layer 3 security chains can distribute sessions for inspection using one of four methods:
- IP modulo—The firewall assigns sessions based on the modulo hash of the source and destination IP addresses.
- IP hash—The firewall assigns sessions based on the IP hash of the source and destination IP addresses and port numbers.
- Round robin—The firewall allocates sessions evenly amongst the security chains.
- Lowest latency—The firewall allocates more sessions to the security chain with the lowest latency.
A decryption broker forwarding to multiple Transparent Bridge Security Chains must be configured to perform policy-based session distribution; traffic matched to a policy rule is forwarded only to the security chain associated with that rule. For example, specify a different source address range for each decryption policy to dedicate a single Transparent Bridge security chain to analyze and enforce traffic originating from specified IP address ranges.
When configuring multiple security chains, make sure that you’re deploying enough security chains to provide excess capacity in the event of a security chain failure. If you enable the firewall to perform Security Chain Health Checks, and a security chain fails, the firewall continues to distribute decrypted sessions among the healthy security chains. If there are not enough healthy chains to cover the additional load, that single security chain failure could result in cascading failures as the remaining healthy security chains are oversubscribed.
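The following added example (not Palo Alto Networks code) simulates the IP modulo, IP hash and round robin distribution methods listed above over a constructed set of decrypted sessions, and then re-runs the distribution after one and two chains fail their health checks to show when the survivors become oversubscribed. The hash arithmetic, chain names, session tuples and the per-chain capacity of four sessions are all assumptions for illustration; the firewall's actual hash functions are not documented on this page, and lowest latency is omitted because it depends on live measurements.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed sample of decrypted sessions: (src_ip, dst_ip, src_port, dst_port).
SESSIONS = [(f"10.0.0.{i}", "203.0.113.10", 40000 + i, 443) for i in range(1, 13)]
CHAINS = ["chain-A", "chain-B", "chain-C", "chain-D"]  # hypothetical chain names


def ip_modulo(src, dst, n):
    """IP modulo: chain index derived from source and destination addresses only.
    Illustrative arithmetic, not the firewall's documented hash."""
    return (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))) % n


def ip_hash(src, dst, sport, dport, n):
    """IP hash: chain index derived from addresses and ports, so two flows between
    the same hosts may land on different chains. SHA-256 is an illustrative stand-in."""
    key = f"{src}:{sport}->{dst}:{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n


def distribute(sessions, healthy, method):
    """Assign each session to one of the chains still passing health checks."""
    n = len(healthy)
    load = Counter({c: 0 for c in healthy})
    for i, (src, dst, sport, dport) in enumerate(sessions):
        if method == "modulo":
            idx = ip_modulo(src, dst, n)
        elif method == "hash":
            idx = ip_hash(src, dst, sport, dport, n)
        elif method == "round-robin":
            idx = i % n
        else:
            raise ValueError(f"unknown distribution method: {method}")
        load[healthy[idx]] += 1
    return dict(load)


def oversubscribed(load, capacity):
    """Chains whose assigned share exceeds their (constructed) session capacity."""
    return sorted(c for c, count in load.items() if count > capacity)


def failover_check(sessions, chains, capacity, failures, method="round-robin"):
    """Drop the first `failures` chains (as if they failed health checks), redistribute
    the same sessions over the survivors, and report which survivors are oversubscribed."""
    healthy = chains[failures:]
    return oversubscribed(distribute(sessions, healthy, method), capacity)


if __name__ == "__main__":
    for failed in range(3):
        print(f"{failed} chain(s) failed -> oversubscribed: {failover_check(SESSIONS, CHAINS, 4, failed)}")
```

With twelve sessions and a capacity of four, one failure is absorbed by the three survivors, but a second failure pushes both remaining chains to six sessions each, the cascading condition the paragraph above warns about.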
The first image below shows a decryption broker deployment with multiple Layer 3 security chains. Note that a single pair of Decryption Forwarding Interfaces can forward decrypted traffic to multiple Layer 3 security chains (up to 64).
The second image below shows a decryption broker deployment with multiple Transparent Bridge security chains; a dedicated pair of decryption forwarding interfaces is required to forward to each separate Transparent Bridge security chain.