Decryption broker allows you to offload SSL decryption to the Palo Alto Networks next-generation firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement.

This allows you to consolidate security functions on the firewall and to simplify your network security deployment: decryption broker eliminates the need for a third-party SSL decryption solution and allows you to reduce the number of third-party devices performing traffic analysis and enforcement. For networks without a dedicated SSL decryption appliance, decryption broker reduces latency because the traffic flow is decrypted only once.

Decryption broker is supported for PA-7000 Series, PA-5200 Series, PA-3200 Series devices and VM-300, VM-500, and VM-700 models. It requires SSL Forward Proxy decryption to be enabled, where the firewall is established as a trusted third party (or man-in-the-middle) to session traffic.