A firewall acting as a decryption broker uses dedicated decryption forwarding interfaces to send decrypted traffic to a security chain—a set of inline, third-party security appliances—for additional analysis. Two types of security chain networks are supported with a decryption broker (Layer 3 security chains and Transparent Bridge security chains), and you can also choose for the firewall to direct traffic through the security chain unidirectionally or bidirectionally. A single firewall can distribute decrypted sessions among up to 64 security chains, and can monitor security chains to ensure that they are effectively processing traffic.
A firewall enabled as a decryption broker uses a pair of dedicated Layer 3 interfaces to forward decrypted traffic to a security chain for inspection. The decryption forwarding interfaces must be assigned to a brand new virtual router (one that has no configured routes or other interfaces used to pass dataplane traffic); this ensures that the clear text sessions that the firewall forwards to a security chain for additional analysis are totally segmented from dataplane traffic.
In a decryption broker deployment with a Layer 3 security chain, a single pair of decryption forwarding interfaces can support up to 64 security chains.
A pair of decryption forwarding interfaces supports only a single Transparent Bridge security chain; however, you can configure multiple decryption forwarding interface pairs to support multiple Transparent Bridge security chains.
Layer 3 Security Chain
In a Layer 3 security chain network, security chain devices use Layer 3 interfaces to connect to the security chain network, and each interface must have an assigned IP address and subnet mask. Security chain devices must be configured with static routes to direct inbound and outbound traffic to the next device in the security chain and back to the firewall.
Depending on the security chain session flow you choose (unidirectional or bidirectional), decrypted inbound and outbound sessions pass through the security chain in the same or opposite directions.
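As an added illustration, not code from the page or from the firewall vendor, the following Python model checks whether the static routes on a set of Layer 3 security chain devices actually carry a decrypted session through every device and back to the other decryption forwarding interface, which is what the bidirectional session flow requires. The interface addresses, device names and client prefix are constructed assumptions, and the firewall's own forwarding behaviour is simplified to "send to the first (or last) device's adjacent address".

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed topology (assumed, not from the page): two forwarding interfaces, three L3 chain devices
FW_PRIMARY = "10.10.1.1"    # forwarding interface facing the first chain device
FW_SECONDARY = "10.10.4.1"  # forwarding interface facing the last chain device

# ingress/egress: addresses toward the previous/next hop; routes: {destination prefix: next hop}
Device = namedtuple("Device", "name ingress egress routes")

def next_hop(dev, dst):
    """Longest-prefix match over the device's static routes; None means no route."""
    best = None
    for prefix, nh in dev.routes.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh)
    return best[1] if best else None

def trace(devices, first_hop, dst, max_hops=16):
    """Follow a packet hop by hop until it returns to the firewall, is black-holed, or loops."""
    owner = {addr: d for d in devices for addr in (d.ingress, d.egress)}
    path, hop = [], first_hop
    for _ in range(max_hops):
        if hop in (FW_PRIMARY, FW_SECONDARY):
            return {"ok": True, "path": path, "exit": hop}
        dev = owner.get(hop)
        if dev is None or dev.name in path:
            return {"ok": False, "path": path, "reason": f"loop or unknown hop {hop}"}
        path.append(dev.name)
        hop = next_hop(dev, dst)
        if hop is None:
            return {"ok": False, "path": path, "reason": f"no route on {dev.name}"}
    return {"ok": False, "path": path, "reason": "hop limit exceeded"}

def check_chain(devices, dst, entry):
    """Bidirectional flow: traffic out one forwarding interface visits every device once, returns on the other."""
    first_hop, expected = ((devices[0].ingress, FW_SECONDARY) if entry == FW_PRIMARY
                           else (devices[-1].egress, FW_PRIMARY))
    r = trace(devices, first_hop, dst)
    r["ok"] = r["ok"] and r["exit"] == expected and len(r["path"]) == len(devices)
    return r

CLIENTS = "192.0.2.0/24"  # constructed client prefix behind the firewall
CHAIN = [  # default route toward the next device, client route back toward the firewall
    Device("ips", "10.10.1.2", "10.10.2.1", {"0.0.0.0/0": "10.10.2.2", CLIENTS: FW_PRIMARY}),
    Device("dlp", "10.10.2.2", "10.10.3.1", {"0.0.0.0/0": "10.10.3.2", CLIENTS: "10.10.2.1"}),
    Device("sbx", "10.10.3.2", "10.10.4.2", {"0.0.0.0/0": FW_SECONDARY, CLIENTS: "10.10.3.1"}),
]
```

Dropping the client route from one device (a common mistake when a chain is built for unidirectional flow and later switched to bidirectional) makes the reverse-direction trace report a loop between that device and its neighbour instead of a clean return to the primary interface.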
Transparent Bridge Security Chain
In a transparent bridge security chain network, all security chain devices are configured with two interfaces connected to the security chain network. These two interfaces are configured to be in Transparent Bridge mode; they do not have assigned IP addresses, subnet masks, default gateways, or local routing tables. Security chain devices in Transparent Bridge mode are serially connected, one after the other. They receive traffic on one interface, and then analyze and enforce the traffic. The traffic egresses the other interface and is passed to the next inline security chain device.