Network Security
Policy Object: Packet Broker Profile
Where Can I Use This? | What Do I Need? |
---|---|
|
The Packet Broker profile defines how the traffic
is forwarded to a security chain, which is a set of inline, third-party security
appliances that provides additional security inspection and enforcement. The profile
defines the interfaces used to connect to the security chain, the type of security chain
(Routed Layer 3 or Layer 1 Transparent Bridge), the first and last appliances in a Layer
3 security chain, session distribution (load balancing) among multiple Layer 3 chains,
and health monitoring and actions to take upon a path or HTTP latency failure. You
attach a Packet Broker profile to a Packet Broker security rule. The security rule defines
the traffic to forward to the security chain and the profile defines how to forward that
traffic.
Before you can configure a Packet Broker profile, you must dedicate
at least two Layer 3 interfaces to forward traffic to the security
chain.
Packet Broker Profile Settings | Description |
---|---|
Name | Give the profile a descriptive name. |
Description | Optionally describe the profile settings or purpose. |
General Tab | |
Security Chain Type | Select the type of security chain to which the decrypted traffic is forwarded: |
Enable IPv6 | (Transparent Bridge mode only) Enable IPv6 traffic forwarding. |
Flow Direction | Select whether traffic enters the security chain from one interface and exits the security chain to the other interface, or if traffic can enter and exit the security chain from both interfaces. The flow direction you select depends on the type of appliances in the security chain. For example, if a security chain has stateless devices that can examine both sides of a session, you could choose a unidirectional flow. |
Interface #1 | The Network Packet Broker interfaces that are used to forward traffic to and receive traffic from a security chain. You must configure each interface as a Network Packet Broker interface, as described at the beginning of this help topic. |
Interface #2 | |
Security Chains Tab | Configure one or multiple (for load balancing or redundancy) Layer 3 security chains on one pair of Network Packet Broker interfaces. For the Routed (Layer 3) security chain type, you must configure at least one security chain to specify where to forward traffic. For multiple security chains, a switch or other device must handle the routing between the firewall and the chains. The options on this tab are only available for Layer 3 (routed) security chains. |
Enable | Enable the security chain. |
Name | Give the security chain a descriptive name. |
First Device | Enter the IPv4 address of the first and last devices in the security chain or define a new Address Object to easily reference the device. |
Last Device | |
Session Distribution Method | When forwarding to multiple Routed (Layer 3) security chains, choose the method that is used to distribute sessions among multiple security chains: |
Health Monitor Tab | |
On Health Check Failure | When you enable health checks (Path Monitoring, HTTP Monitoring, or HTTP Monitoring Latency), you also decide what happens if a chain (or all chains if there are multiple chains) fails. If there are multiple chains and one or more chains fail a health check but at least one chain is still healthy, the traffic is distributed to the remaining chains based on the Session Distribution Method. If all of the chains associated with a pair of Network Packet Broker interfaces fail, you can: |
Health Check Failed Condition | If you configure more than one health check (you can configure all three health checks on a chain), configure how a failure is defined: |
Path Monitoring | Enable path, HTTP latency, or HTTP monitoring, or a combination of the three health checks to identify when security chains experience a failure, and configure the metrics that determine when a failure has occurred: |
Latency Monitoring | |
HTTP Monitoring |
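
The constraints stated in the table above can be checked before a profile is committed. The following is an added example, not Palo Alto Networks code: a small lint that encodes those constraints and reports which enabled chains remain in service after health-check failures. The dict schema, the chain-type labels, the interface names, the Address Object name and the distribution-method value are all hypothetical.

```python
import ipaddress

ROUTED, BRIDGE = "routed-l3", "transparent-bridge"  # hypothetical labels for the two chain types

def device_ok(value, address_objects):
    """First/Last Device: an IPv4 literal or the name of a known Address Object."""
    if value in address_objects:
        return True
    try:
        ipaddress.IPv4Address(str(value))
    except ValueError:
        return False
    return True

def validate_profile(p, address_objects=frozenset()):
    """Return the problems found in a profile dict (hypothetical schema)."""
    errs = []
    if not p.get("interface1") or not p.get("interface2") or p["interface1"] == p["interface2"]:
        errs.append("two distinct Network Packet Broker interfaces are required")
    ctype, chains = p.get("chain_type"), p.get("chains", [])
    if ctype not in (ROUTED, BRIDGE):
        errs.append("unknown security chain type")
    if p.get("enable_ipv6") and ctype != BRIDGE:
        errs.append("Enable IPv6 applies to Transparent Bridge mode only")
    if ctype == BRIDGE and chains:
        errs.append("security chain entries apply to Routed (Layer 3) only")
    if ctype == ROUTED:
        if not chains:
            errs.append("Routed (Layer 3) needs at least one security chain")
        if len(chains) > 1 and not p.get("session_distribution"):
            errs.append("multiple chains need a session distribution method")
        for c in chains:
            for key in ("first_device", "last_device"):
                if not device_ok(c.get(key), address_objects):
                    errs.append(f"chain {c.get('name')}: {key} must be IPv4 or an Address Object")
    return errs

def chains_in_service(chains, failed):
    """Enabled chains left to receive sessions; empty means the On Health Check Failure action applies."""
    return [c["name"] for c in chains if c.get("enable") and c["name"] not in failed]

# Constructed sample data; addresses come from the RFC 5737 documentation ranges.
CHAINS = [
    {"name": "chain-a", "enable": True, "first_device": "192.0.2.10", "last_device": "192.0.2.20"},
    {"name": "chain-b", "enable": True, "first_device": "ids-first", "last_device": "198.51.100.20"},
]
GOOD = {"interface1": "ethernet1/5", "interface2": "ethernet1/6", "chain_type": ROUTED,
        "chains": CHAINS, "session_distribution": "example-method"}
BAD = {"interface1": "ethernet1/5", "interface2": "ethernet1/5", "chain_type": ROUTED,
       "enable_ipv6": True, "chains": CHAINS}
```

`validate_profile(BAD)` reports the reused interface, IPv6 on a routed chain, the missing distribution method and the unresolved `ids-first` device name; an empty result from `chains_in_service` is the case the On Health Check Failure setting governs.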