Layer 3 Security Chain Guidelines

Follow these guidelines to set up Layer 3 security chain devices to support decryption broker:
  • Configure security chain devices with Layer 3 interfaces to connect to the security chain network. These Layer 3 interfaces must have an assigned IP address and subnet mask.
  • Do not include devices that modify IP or TCP headers in a security chain, or be sure to disable any features that perform these functions. If the security chain returns a session to the firewall with a modified IP or TCP header, the firewall drops the session as it can no longer match it to the original pre-decrypted session.
  • Set the default gateways for security chain devices:
    • For all security chain devices except the last device in the chain, configure the default gateway to be the IP address of the next inline device.
    • For the last security chain device, configure the default gateway to be the firewall’s Secondary Interface IP address. This ensures that the last device returns the traffic flow to the firewall. (When you configure a decryption forwarding profile, you’ll assign one of the decryption forwarding interfaces to be the decryption broker Secondary Interface. See Objects > Decryption > Forwarding Profile > Secondary Interface, and use this interface’s IP address).
    • If you configured the firewall to direct sessions through the security chain bidirectionally, you must also set the default gateway of the first security chain device to be the firewall’s Primary Interface IP address (When you configure a decryption forwarding profile, you’ll assign one of the decryption forwarding interfaces to be the decryption broker Primary Interface. See Objects > Decryption > Forwarding Profile > Primary Interface, and use this interface’s IP address).
  • Confirm that the firewall and security chain can effectively communicate: check that the router that directs traffic between the firewall and the security chain is configured correctly, and that security chain devices are configured with static routes to appropriately direct traffic.
  • Security chain devices should not originate traffic to a network outside of the security chain. The firewall blocks traffic that it cannot match to the original pre-decrypted session. However, if a security chain device requires Internet access to receive updates, make sure that the device can access a separate network (for example, via the device’s management port) to facilitate those updates.
  • When configuring multiple security chains, it is a best practice to deploy enough security chains to provide excess capacity in the event of a security chain failure. If you enable the firewall to perform Security Chain Health Checks, and a security chain fails, the firewall continues to distribute decrypted sessions among the healthy security chains. If there are not enough healthy chains to cover the additional load, that single security chain failure could result in cascading failures as the remaining healthy security chains are oversubscribed.

Related Documentation