Decryption Broker
Decryption broker allows you to offload SSL decryption to the Palo Alto Networks next-generation firewall and decrypt traffic only once. A firewall enabled as a decryption broker forwards clear text traffic to security chains (sets of inline, third-party appliances) for additional enforcement.
This allows you to consolidate security functions on the firewall and to simplify your network security deployment: decryption broker eliminates the need for a third-party SSL decryption solution and allows you to reduce the number of third-party devices performing traffic analysis and enforcement. For networks without a dedicated SSL decryption appliance, decryption broker reduces latency because the traffic flow is decrypted only once.
Decryption broker is supported on PA-7000 Series, PA-5200 Series, and PA-3200 Series devices and on the VM-300, VM-500, and VM-700 models. It requires SSL Forward Proxy decryption to be enabled, in which the firewall is established as a trusted third party (or man-in-the-middle) for the session traffic.
A firewall interface cannot be both a decryption broker and a GRE tunnel endpoint.