Offload SSL decryption to the Palo Alto Networks firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement. This allows you to consolidate security functions on the firewall, optimize network performance, and reduce the number of devices in your security infrastructure.
A decryption broker firewall uses a pair of designated forwarding interfaces to connect to the security chain. Together, the firewall and the security chain function as a private analysis network—the clear text traffic flowing through this network is totally segmented from dataplane traffic. The decryption broker firewall first inspects the decrypted (now clear text) SSL traffic, and then sends it to the security chain. If you’ve configured multiple security chains, the firewall can perform session distribution to avoid oversubscribing any one chain. Then, the last device in a security chain sends the clear text traffic back to the firewall. The firewall re-encrypts the traffic and sends it to its destination.
How you deploy decryption broker might vary depending on what type of security chain you plan to use. Two types of security chain deployments are supported: Layer 3 security chains (devices have assigned IP addresses and are configured with static routes to direct traffic) and transparent bridge security chains (devices do not have IP addresses or local routing tables and are serially connected).
Decryption broker is supported for PA-7000 Series, PA-3200 Series, PA-5200 Series, and VM-Series devices, and is supported only for outbound SSL traffic (from internal users to the internet) that is being decrypted using SSL Forward Proxy decryption. To learn more about decryption broker, and for detailed and complete steps to enable this feature, see Decryption Broker. Enabling decryption broker includes:
- Deciding which security chain deployment to use—a Layer 3 security chain or a Transparent Bridge security chain—and following the guidelines to configure that security chain.
- Activating the free Decryption Broker license.
- Confirming that SSL Forward Proxy decryption is enabled.
- Enabling the firewall to act as a decryption broker with a Layer 3 security chain or a Transparent Bridge security chain. This includes designating a pair of Layer 3 interfaces to connect the firewall to the security chain, and optionally configuring the firewall to forward to multiple security chains.