A firewall configured to perform SSL Forward Proxy decryption
can be enabled as a decryption broker. The decryption broker uses dedicated
decryption forwarding interfaces to connect with a security chain,
a set of third-party security appliances. The firewall and the security
chain together function as a private analysis network.
After decrypting and inspecting SSL traffic, the firewall sends
only allowed, clear text traffic on to the security chain for additional
analysis and enforcement. Because the firewall's capacity to decrypt SSL
traffic can exceed the processing speed of the security devices, you can enable
it to distribute decrypted SSL sessions among multiple security
chains, so that no single chain is oversubscribed. The first
device in the security chain receives the clear text traffic, enforces
policy on it, and forwards allowed traffic to the next inline security chain
device. The last security chain device sends the remaining allowed
traffic back to the firewall, which re-encrypts the traffic
and forwards it to its original destination.
Two types of security chain deployments are supported: Layer
3 security chains and Transparent Bridge security chains. Choose
the deployment type based on the devices
that make up your security chain (for example, whether they are stateless
or stateful devices). With either security chain deployment, you
can choose whether the firewall directs traffic through the security
chain unidirectionally or bidirectionally, depending on your analysis
needs (see Decryption Broker: Security Chain Session Flow to learn when
to use a unidirectional or bidirectional flow).
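As an added illustration (not Palo Alto Networks code), the following Python model walks sessions through the flow described above: the firewall enforces first, allowed clear text traverses each security chain device in order, and new sessions are spread across chains so that none is oversubscribed while an existing session stays on its chain. The chain names, device rules and session values are constructed.

```python
# Added example, not Palo Alto Networks code: a small model of the decryption
# broker flow. Device names, verdict rules and session values are constructed.
from dataclasses import dataclass, field

@dataclass
class SecurityChain:
    name: str
    devices: list   # ordered (name, enforce) pairs; enforce(session) -> True = allow
    load: int = 0   # sessions assigned to this chain

    def inspect(self, session: dict) -> bool:
        # Clear text enters at the first device; each device enforces and forwards
        # allowed traffic to the next; only what the last device allows returns.
        for dev_name, enforce in self.devices:
            if not enforce(session):
                session["dropped_by"] = f"{self.name}/{dev_name}"
                return False
        return True

@dataclass
class DecryptionBroker:
    chains: list
    affinity: dict = field(default_factory=dict)   # session id -> chain

    def pick_chain(self, session: dict) -> SecurityChain:
        # New sessions go to the least-loaded chain so no chain is oversubscribed;
        # a session that already has a chain stays on it for its whole lifetime.
        sid = session["id"]
        if sid not in self.affinity:
            chain = min(self.chains, key=lambda c: c.load)
            chain.load += 1
            self.affinity[sid] = chain
        return self.affinity[sid]

    def handle(self, session: dict) -> str:
        # The firewall decrypts and enforces its own policy first; only allowed
        # clear text ever leaves the decryption forwarding interfaces.
        if not session["firewall_allows"]:
            return "blocked-by-firewall"
        chain = self.pick_chain(session)
        if not chain.inspect(session):
            return "dropped:" + session["dropped_by"]
        return "re-encrypted:" + chain.name   # back at the firewall, re-encrypted

def demo() -> dict:
    devices = [("dlp", lambda s: "secret" not in s["payload"]),
               ("ips", lambda s: "exploit" not in s["payload"])]
    broker = DecryptionBroker([SecurityChain("chain-a", devices), SecurityChain("chain-b", devices)])
    sessions = [("s1", True, "GET /index"), ("s2", True, "POST secret=1"), ("s3", False, "GET /"),
                ("s4", True, "GET /?q=exploit"), ("s1", True, "GET /next")]  # s1 again: same chain
    return {f"{sid}:{i}": broker.handle({"id": sid, "firewall_allows": ok, "payload": p})
            for i, (sid, ok, p) in enumerate(sessions)}
```

Note that a session the firewall itself blocks is never assigned a chain, so it adds no load to the security devices.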
The following figure shows how decryption broker works.