A firewall enabled as a decryption broker uses a pair of dedicated Layer 3 interfaces to forward decrypted traffic to a security chain for inspection. The decryption forwarding interfaces must be assigned to a brand new virtual router (one that has no configured routes or other interfaces used to pass dataplane traffic); this ensures that the clear text sessions that the firewall forwards to a security chain for additional analysis are totally segmented from dataplane traffic.

In a decryption broker deployment with a Layer 3 Security Chain, a pair of two decryption forwarding interfaces can support up to 64 security chains.

A pair of decryption forwarding interfaces supports a single Transparent Bridge security chains; however, you can configure multiple decryption forwarding interface pairs to support multiple transparent bridge security chains.