Objects > Decryption > Forwarding Profile
You can set up a Decryption Forwarding profile to enable the firewall to act as a decryption broker. A decryption broker firewall forwards traffic that it has already decrypted and inspected to a security chain—a set of inline, third-party security appliances—for additional enforcement. You can also configure the firewall to provide session distribution for the security chain to ensure that security-chain devices are not oversubscribed. When the firewall receives traffic back from the security chain, the firewall re-encrypts the traffic and forwards it to the appropriate destination.
Before you create a Decryption Forwarding profile to enable decryption brokering, you must:
- Enable SSL Forward Proxy decryption.
- Dedicate at least two Layer 3 interfaces on the firewall for forwarding decrypted traffic to the security chain (select Network > Interfaces > Ethernet, edit an interface, select Advanced > Other Info, and then enable Decrypt Forward). Repeat this task to enable a second interface as a Decrypt Forward interface.
After you complete these tasks, create a Decryption Forwarding profile to pair the two interfaces and define settings for the security chain to which the firewall will forward decrypted traffic.
See Decryption Broker to learn more about supported decryption broker and security chain deployments and for the full workflow to enable a firewall to act as a decryption broker.
Decryption Forwarding Settings
Give the profile a descriptive name.
Optionally describe the profile settings.
Security Chain Type
Select the type of security chain to which the firewall forwards decrypted traffic:
Specify how the firewall directs decrypted inbound and outbound sessions through a security chain: in the same direction (unidirectionally) or in opposite directions (bidirectionally). The flow direction you choose depends on the type of devices that make up your security chain. For example, if a security chain comprises stateless devices that can examine both sides of a session, you would choose a unidirectional flow.
Select the primary and secondary interfaces that the firewall will use to forward traffic to a security chain. Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you configure as Decrypt Forward interfaces are displayed.
Security Chains Tab
Enable the security chain.
Give the security chain a descriptive name.
Select the IPv4 address of the first device and the last device in the security chain, or define a new Address Object to easily reference the device.
Session Distribution Method
When forwarding to multiple Routed (Layer 3) security chains, choose the method that the firewall will use to distribute decrypted sessions among security chains:
Health Monitor Tab
On Health Check Failure
Choose for the firewall to either Bypass Security Chain (allow session traffic) or Block Session if all security chains associated with this decryption forwarding profile fail a health check.
This means that when a decryption forwarding profile is configured with multiple security chains, if a single security chain fails a health check, the firewall performs session distribution across the remaining healthy security chains based on the method specified on the Security Chains tab; it only blocks or allows the traffic based on this setting in the event that every security chain fails.
Health Check Failed Condition
Define a health check failure as an event where any of the health monitor conditions are met (an OR Condition) or when all of the conditions are met (an AND Condition).
Enable path, latency, or HTTP monitoring or any combination of the three to identify when security chains are not effectively processing decrypted traffic. For each type of monitoring you enable, define the periods of time and counts that will trigger a health check failure.
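The following Python model illustrates how the Health Monitor settings above combine: each chain's path, latency and HTTP monitors are evaluated under the OR or AND failed condition, sessions keep flowing to the remaining healthy chains, and the Bypass Security Chain or Block Session action applies only once every chain has failed. It is an added example, not PAN-OS code; the chain names, monitor states and the round-robin placeholder for the session distribution method are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ChainHealth:
    """Constructed health-monitor state for one Layer 3 security chain."""
    name: str
    path_failed: bool      # path monitor exceeded its configured failure count
    latency_failed: bool   # latency monitor exceeded its configured failure count
    http_failed: bool      # HTTP monitor exceeded its configured failure count

    def failed(self, condition: str) -> bool:
        """Health Check Failed Condition: 'OR' fails the chain if any monitor
        failed, 'AND' only if all of them failed."""
        results = [self.path_failed, self.latency_failed, self.http_failed]
        if condition == "OR":
            return any(results)
        if condition == "AND":
            return all(results)
        raise ValueError(f"unknown condition: {condition}")


def healthy_chains(chains: List[ChainHealth], condition: str) -> List[str]:
    """Names of the chains that still pass the health check."""
    return [c.name for c in chains if not c.failed(condition)]


def broker_decision(chains: List[ChainHealth], condition: str,
                    on_failure: str, session_index: int) -> Tuple[str, Optional[str]]:
    """Decide what happens to one decrypted session.

    Returns ('forward', chain) while at least one chain is healthy. The
    On Health Check Failure action ('bypass' or 'block') is returned only
    when every chain in the profile has failed. Round-robin on session_index
    is an assumed placeholder for whichever distribution method is configured.
    """
    if on_failure not in ("bypass", "block"):
        raise ValueError(f"unknown failure action: {on_failure}")
    healthy = healthy_chains(chains, condition)
    if not healthy:
        return (on_failure, None)
    return ("forward", healthy[session_index % len(healthy)])


if __name__ == "__main__":
    # Constructed sample: A is healthy, B fails only its path monitor, C fails all three.
    sample = [ChainHealth("chain-A", False, False, False),
              ChainHealth("chain-B", True, False, False),
              ChainHealth("chain-C", True, True, True)]
    for cond in ("OR", "AND"):
        print(cond, healthy_chains(sample, cond))
    print(broker_decision(sample[1:], "OR", "bypass", 0))  # every remaining chain failed
```

Switching the condition from OR to AND on the same sample keeps chain-B in service, which shows why the failed-condition choice matters as much as the monitor thresholds.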