The way the firewall performs SSL Inbound Inspection depends on the type of key exchange in use: Rivest, Shamir, Adleman (RSA) or Perfect Forward Secrecy (PFS). The Diffie-Hellman exchange (DHE) and Elliptic Curve Diffie-Hellman exchange (ECDHE) algorithms provide PFS. For the RSA key exchange, the firewall performs SSL Inbound Inspection without terminating the connection. As the encrypted session flows through the firewall, the firewall transparently makes a copy of it and decrypts the copy so that it can apply the appropriate policy to the traffic. In other words, the firewall passively observes and decrypts inbound traffic using the server's private key, and neither the client nor the server can detect that it is doing so.
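The following is an added example (not code from the original page or from the firewall vendor) that shows in pure Python why the two cases differ. With an RSA key exchange the client sends the premaster secret encrypted to the server's public key, so anyone who holds the server's private key can recover it from a copy of the handshake and derive the same session key without touching the connection. With a DHE exchange the server's RSA key only signs its ephemeral share; the ephemeral exponents never appear on the wire, so the same private key lets a passive observer verify the server's identity but not derive the session key. The RSA primes, the DH group (2^127-1 with generator 3), the `session_key` derivation and the textbook RSA signature are all constructed toy stand-ins for the real TLS 1.2 mechanics and are far too small for real use.

```python
"""Added example: passive decryption works for RSA key transport but not for
(EC)DHE.  Toy parameters, pure Python, not a real TLS implementation."""
import hashlib
import secrets

# Constructed toy parameters (tiny; chosen so the arithmetic is readable).
# As in TLS 1.2, the server's single RSA key is the key-transport key for
# RSA cipher suites and the signing key for DHE cipher suites.
RSA_P, RSA_Q = 999983, 1000003                     # two well-known primes
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # modular inverse, Python 3.8+
SERVER_PUBLIC = (RSA_N, RSA_E)                     # what the certificate carries
SERVER_PRIVATE = (RSA_N, RSA_D)                    # what inbound inspection is given

DH_P = 2**127 - 1                                  # a prime; toy DH group
DH_G = 3


def session_key(secret: int) -> bytes:
    """Stand-in for the TLS key schedule: hash the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


# ------------------------------------------------------------- RSA case ---
def rsa_handshake():
    """Client encrypts a fresh premaster secret to the server's public key.
    Returns (what is visible on the wire, the key both endpoints derive)."""
    n, e = SERVER_PUBLIC
    premaster = secrets.randbelow(n - 2) + 2           # random value in [2, n-1]
    client_key_exchange = pow(premaster, e, n)         # this goes on the wire
    server_premaster = pow(client_key_exchange, RSA_D, n)  # server decrypts it
    assert server_premaster == premaster
    return {"client_key_exchange": client_key_exchange}, session_key(premaster)


def passive_inspect_rsa(transcript, server_private):
    """A passive observer holding the server's private key recovers the
    premaster secret from a copy of the handshake and derives the same
    session key; the connection itself is never terminated."""
    n, d = server_private
    premaster = pow(transcript["client_key_exchange"], d, n)
    return session_key(premaster)


# ------------------------------------------------------------- DHE case ---
def rsa_sign(message: bytes, private) -> int:
    """Textbook RSA signature over a hash (toy; no padding)."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def rsa_verify(message: bytes, signature: int, public) -> bool:
    n, e = public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def dhe_handshake():
    """Each side picks a fresh ephemeral exponent; the server's RSA key only
    signs its share.  Returns (wire transcript, agreed session key)."""
    b = secrets.randbelow(DH_P - 2) + 2                # server's ephemeral secret
    server_share = pow(DH_G, b, DH_P)
    signature = rsa_sign(server_share.to_bytes(16, "big"), SERVER_PRIVATE)
    a = secrets.randbelow(DH_P - 2) + 2                # client's ephemeral secret
    client_share = pow(DH_G, a, DH_P)
    client_secret = pow(server_share, a, DH_P)         # g^(ab) computed by client
    server_secret = pow(client_share, b, DH_P)         # g^(ab) computed by server
    assert client_secret == server_secret
    transcript = {"server_share": server_share, "signature": signature,
                  "client_share": client_share}
    return transcript, session_key(client_secret)


def passive_inspect_dhe(transcript, server_private):
    """Same private key, same passive copy of the traffic: the observer can
    confirm the server signed its share, but a and b never crossed the wire,
    so there is nothing the private key can decrypt and no session key can
    be derived.  This is why a PFS exchange cannot be inspected passively."""
    n, _d = server_private                             # d is useless here
    authentic = rsa_verify(transcript["server_share"].to_bytes(16, "big"),
                           transcript["signature"], (n, RSA_E))
    return {"server_authenticated": authentic, "session_key": None}


if __name__ == "__main__":
    wire, key = rsa_handshake()
    print("RSA: observer recovers session key:",
          passive_inspect_rsa(wire, SERVER_PRIVATE) == key)
    wire, key = dhe_handshake()
    print("DHE: observer result:", passive_inspect_dhe(wire, SERVER_PRIVATE))
```

The two `passive_inspect_*` functions receive exactly the same inputs, a copy of the handshake and the server's private key, which is the point: the difference in what the firewall can do comes from the key exchange, not from the firewall's placement.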