Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed in SSL-encrypted traffic from being introduced to your corporate network. For example, if an employee uses her Gmail account from her corporate office and opens an email attachment that contains a virus, SSL Forward Proxy decryption prevents the virus from infecting the client system and entering the corporate network.
With SSL Forward Proxy decryption, the firewall resides between the internal client and the outside server. The firewall uses Forward Trust or Forward Untrust certificates to establish itself as a trusted third party to the session between the client and the server (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client's SSL request and forwards the request to the server. The server responds with a certificate intended for the client, which the firewall intercepts. If the server's certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server's certificate signed by the Forward Trust certificate and sends that copy to the client to authenticate. If the server's certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server's certificate, signs it with the Forward Untrust certificate, and sends it to the client. In this case, the client sees a block page warning that the site it is attempting to connect to is not trusted, and the user can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing.
As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the traffic into cleartext and applies security policies to it. The firewall then re-encrypts the traffic and forwards the encrypted traffic to the client.
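The following Go program is an added illustration, not part of the original documentation or of any PAN-OS implementation: it models the certificate-handling decision described above with a constructed test PKI. The function names (`issue`, `proxyCert`), the CA variables (`forwardTrust`, `forwardUntrust`, `publicCA`) and the hostnames are assumptions for the example; the firewall validates the real server certificate against its own trusted CAs, then re-issues a copy signed by the Forward Trust CA (installed on clients) or the Forward Untrust CA (not installed, so the client gets the warning).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type ca struct { // a certificate with its private key (constructed test PKI, not real keys)
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

// issue creates a minimal certificate for cn: self-signed when parent is nil, otherwise signed by parent.
func issue(cn string, isCA bool, parent *ca) *ca {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = &ca{tmpl, key} // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, pub, parent.key)
	cert, _ := x509.ParseCertificate(der)
	return &ca{cert, key}
}

// The firewall's two signing CAs (clients have Forward Trust installed, never Forward Untrust) and a public CA.
var forwardTrust, forwardUntrust, publicCA = issue("Forward Trust CA", true, nil), issue("Forward Untrust CA", true, nil), issue("Public Root CA", true, nil)

// proxyCert is the firewall's step: validate the server's certificate against the CAs the firewall trusts,
// then re-issue a copy for the same name signed by Forward Trust (valid) or Forward Untrust (invalid).
func proxyCert(server *x509.Certificate, firewallRoots *x509.CertPool) *x509.Certificate {
	signer := forwardTrust
	if _, err := server.Verify(x509.VerifyOptions{Roots: firewallRoots}); err != nil {
		signer = forwardUntrust // the client cannot chain to this CA, so it sees the "not trusted" warning page
	}
	return issue(server.Subject.CommonName, false, signer).cert
}

func main() {
	firewallRoots := x509.NewCertPool() // the firewall's trusted CA list
	firewallRoots.AddCert(publicCA.cert)
	fmt.Println(proxyCert(issue("mail.example.com", false, publicCA).cert, firewallRoots).Issuer.CommonName) // Forward Trust CA
	fmt.Println(proxyCert(issue("self.example.com", false, nil).cert, firewallRoots).Issuer.CommonName)      // Forward Untrust CA
}
```

A client whose trust store holds only `forwardTrust.cert` verifies the first re-issued certificate and rejects the second, which is the block page behaviour the text describes.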