Objects > Decryption > Forwarding Profile
You can set up a Decryption Forwarding profile to enable the firewall to act as a decryption broker. A decryption broker firewall forwards traffic that it has already decrypted and inspected to a security chain—a set of inline, third-party security appliances—for additional enforcement. You can also configure the firewall to provide session distribution for the security chain to ensure that security-chain devices are not oversubscribed. When the firewall receives traffic back from the security chain, the firewall re-encrypts the traffic and forwards it to the appropriate destination.
Before you create a Decryption Forwarding profile to enable decryption brokering, you must:
- Enable SSL Forward Proxy decryption.
- Dedicate at least two Layer 3 interfaces on the firewall for forwarding decrypted traffic to the security chain (select Network > Interfaces > Ethernet, edit an interface, select Advanced > Other Info, and then enable Decrypt Forward). Repeat this task to enable a second interface as a Decrypt Forward interface.
After you complete these tasks, create a Decryption Forwarding profile to pair the two interfaces and define settings for the security chain to which the firewall will forward decrypted traffic.
See Decryption Broker to learn more about supported decryption broker and security chain deployments and for the full workflow to enable a firewall to act as a decryption broker.
Decryption Forwarding Settings
Give the profile a descriptive name.
Optionally describe the profile settings.
Security Chain Type
Select the type of security chain to which the firewall forwards decrypted traffic:
Specify how the firewall directs decrypted inbound and outbound sessions through a security chain: in the same direction (unidirectionally) or in opposite directions (bidirectionally). The flow direction you choose depends on the type of devices that make up your security chain. For example, if a security chain consists of stateless devices that can examine both sides of a session, you would choose a unidirectional flow.
Select the primary and secondary interfaces that the firewall will use to forward traffic to a security chain. Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you configure as Decrypt Forward interfaces are displayed.
Security Chains Tab
Enable the security chain.
Give the security chain a descriptive name.
Select the IPv4 address of the first device and the last device in the security chain or define a new Address Object to easily reference the device.
Session Distribution Method
When forwarding to multiple Routed (Layer 3) security chains, choose the method that the firewall will use to distribute decrypted sessions among security chains:
Health Monitor Tab
On Health Check Failure
Choose for the firewall to either Bypass Security Chain (allow session traffic) or Block Session if all security chains associated with this decryption forwarding profile fail a health check.
This means that when a decryption profile is configured with multiple security chains and a single security chain fails a health check, the firewall performs session distribution across the remaining healthy security chains based on the method specified on the Security Chains tab. The firewall only blocks or allows the traffic, according to this setting, when every security chain fails.
Health Check Failed Condition
Define a health check failure as an event where any of the health monitor conditions are met (an OR Condition) or when all of the conditions are met (an
Enable path, latency, or HTTP monitoring or any combination of the three to identify when security chains are not effectively processing decrypted traffic. For each type of monitoring you enable, define the periods of time and counts that will trigger a health check failure.
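The following added example (not part of the PAN-OS documentation or product code) models the Health Monitor behaviour described above so you can check how a given OR/AND condition and On Health Check Failure setting play out: a chain is marked failed per the Health Check Failed Condition, sessions keep flowing to any healthy chains, and the bypass/block action applies only when every chain has failed. The monitor names, the round-robin stand-in for session distribution, and the sample chains are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from itertools import cycle

# Placeholder names for the three monitor types the profile can enable.
MONITORS = ("path", "latency", "http")


@dataclass
class SecurityChain:
    name: str
    # Constructed per-monitor results for the monitors enabled on this chain:
    # True means that monitor has exceeded its configured failure period/count.
    monitor_failed: dict = field(default_factory=dict)


def chain_failed(chain: SecurityChain, condition: str) -> bool:
    """Health Check Failed Condition: "OR" fails the chain when any enabled
    monitor has failed, "AND" only when all enabled monitors have failed.
    A chain with no monitors enabled is treated as healthy (assumption)."""
    results = [chain.monitor_failed[m] for m in MONITORS if m in chain.monitor_failed]
    if not results:
        return False
    return any(results) if condition == "OR" else all(results)


def decide(chains, condition: str, on_failure: str):
    """Return ("forward", [healthy chain names]) while at least one chain is
    healthy; otherwise ("bypass", []) or ("block", []) per the
    On Health Check Failure setting."""
    if on_failure not in ("bypass", "block"):
        raise ValueError("on_failure must be 'bypass' or 'block'")
    healthy = [c.name for c in chains if not chain_failed(c, condition)]
    if healthy:
        return ("forward", healthy)
    return (on_failure, [])


def distribute(session_ids, healthy_chain_names):
    """Assumed round-robin stand-in for the session distribution method:
    maps each decrypted session onto the remaining healthy chains only."""
    if not healthy_chain_names:
        return {}
    targets = cycle(healthy_chain_names)
    return {sid: next(targets) for sid in session_ids}


if __name__ == "__main__":
    chains = [
        SecurityChain("chain-1", {"path": True, "latency": False, "http": False}),
        SecurityChain("chain-2", {"path": True, "latency": True, "http": True}),
    ]
    for cond in ("OR", "AND"):
        action, healthy = decide(chains, cond, "block")
        print(cond, action, distribute(["s1", "s2", "s3"], healthy))
```

Running it shows that under an AND condition chain-1 (only its path monitor failing) stays in rotation, while under an OR condition both chains are failed and the block action applies.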