Decryption Broker: Forwarding Interfaces
A firewall enabled as a decryption broker uses a pair
of dedicated Layer 3 interfaces to forward decrypted traffic to
a security chain for inspection. The decryption forwarding interfaces
must be assigned to a brand new virtual router (one that has no
configured routes or other interfaces used to pass dataplane traffic);
this ensures that the clear text sessions that the firewall forwards
to a security chain for additional analysis are totally segmented
from dataplane traffic.
In a decryption broker deployment with a Layer 3 Security Chain,
a pair of two decryption forwarding interfaces can support up to
64 security chains.
A pair of decryption forwarding interfaces supports a single
Transparent Bridge security chains; however, you can configure multiple
decryption forwarding interface pairs to support multiple transparent
bridge security chains.