With SSL Forward Proxy decryption, the firewall resides between the internal client and outside server. The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server (For details on certificates, see
Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client that is intercepted by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate signs it with the firewall Forward Trust certificate and sends the certificate to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate and sends it to the client. In this case, the client sees a block page warning that the site they’re attempting to connect to is not trusted and the client can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing.
As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into clear text traffic and applies decryption and security profiles to the traffic. The traffic is then re-encrypted on the firewall and the firewall forwards the encrypted traffic to the client.