Perfect Forward Secrecy (PFS) Support for SSL Decryption
PFS is a secure communication protocol that prevents
the compromise of one encrypted session from leading to the compromise of
multiple encrypted sessions. With PFS, a server generates unique
private keys for each secure session it establishes with a client.
If a server private key is compromised, only the single session
established with that key is vulnerable—an attacker cannot retrieve
data from past and future sessions because the server establishes
each connection with a uniquely generated key. The firewall decrypts
SSL sessions established with PFS key exchange algorithms, and preserves
PFS protection for past and future sessions.
Support for Diffie-Hellman (DHE)-based PFS and elliptic curve
Diffie-Hellman (ECDHE)-based PFS is enabled by default (Objects > Decryption Profile > SSL Decryption > SSL Protocol Settings).
If you use the DHE or ECDHE key exchange algorithms to
enable PFS support for SSL decryption, you can use a hardware security module (HSM) to
store the private keys for SSL Inbound Inspection.
When you configure SSL Inbound Inspection and use a PFS
cipher, session resumption is not supported.
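
The following added example is not part of the original documentation or of the firewall's software. It sorts TLS cipher suite names by key exchange so you can see which suites on a server behind SSL Inbound Inspection use the DHE or ECDHE exchanges described above. The function names and the sample list are assumptions made for illustration, and the example goes beyond the page by also handling static DH/ECDH suites and TLS 1.3 names.

```python
# Constructed sample: a mix of OpenSSL-style and IANA-style suite names.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "AES256-GCM-SHA384",                       # RSA key transport
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",  # static ECDH, not ephemeral
    "TLS_AES_128_GCM_SHA256",                  # TLS 1.3
]


def key_exchange(suite):
    """Key-exchange family of a TLS suite name (IANA or OpenSSL spelling)."""
    name = suite.strip().upper()
    if "_WITH_" in name:                # IANA name, TLS 1.2 and earlier
        tokens = name[4:].split("_WITH_")[0].split("_")  # drop "TLS_"
    elif name.startswith("TLS_"):       # TLS 1.3 names carry no key exchange
        return "TLS1.3"
    else:                               # OpenSSL name
        tokens = name.split("-")
    # EDH and EECDH are older OpenSSL spellings of DHE and ECDHE.
    kx = {"EDH": "DHE", "EECDH": "ECDHE"}.get(tokens[0], tokens[0])
    if kx in ("ADH", "AECDH") or "ANON" in tokens:
        return "ANON"                   # anonymous (unauthenticated) exchange
    if kx in ("DHE", "ECDHE", "DH", "ECDH", "PSK", "SRP", "RSA"):
        return kx
    return "RSA"    # OpenSSL omits the prefix for RSA key transport


def provides_pfs(suite):
    """True only for ephemeral exchanges. Static DH/ECDH reuse the server key,
    so they give no forward secrecy. TLS 1.3 full handshakes always use
    ephemeral (EC)DHE; PSK-only resumption is not visible in the suite name."""
    return key_exchange(suite) in ("DHE", "ECDHE", "TLS1.3")


def audit(suites):
    """Split a suite list into those with and without forward secrecy."""
    report = {"pfs": [], "no_pfs": []}
    for s in suites:
        report["pfs" if provides_pfs(s) else "no_pfs"].append(s)
    return report


if __name__ == "__main__":
    for group, names in audit(SAMPLE).items():
        print(group, names)
```

Suites reported under "pfs" are the ones for which the session resumption limitation noted above applies when SSL Inbound Inspection is configured.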