Transparent Bridge Security Chain Guidelines

Follow these guidelines when configuring Transparent Bridge security chain devices to support decryption brokering:
  • Each security chain device must be configured with two interfaces in Transparent Bridge mode; these two interfaces connect the device to the security chain network. The security chain devices do not use a local routing table, and the Transparent Bridge interfaces do not have assigned IP addresses, subnet masks, or default gateways.
  • Do not include devices that modify IP or TCP headers in a security chain, or be sure to disable any features that perform these functions. If the security chain returns a session to the firewall with a modified IP or TCP header, the firewall drops the session because it can no longer match it to the original client-to-server or server-to-client session.
  • When configuring multiple security chains, it is a best practice to deploy enough security chains to provide excess capacity in the event of a security chain failure. If you enable the firewall to perform Security Chain Health Checks, and a security chain fails, the firewall continues to distribute decrypted sessions among the healthy security chains. If there are not enough healthy chains to cover the additional load, that single security chain failure could result in cascading failures as the remaining healthy security chains are oversubscribed.