Objects > Decryption > Forwarding Profile
10.0 (EoL)
You can set up a Decryption Forwarding profile to enable the firewall to act as a decryption broker. A decryption broker firewall forwards traffic that it has already decrypted and inspected to a security chain (a set of inline, third-party security appliances) for additional enforcement. You can also configure the firewall to provide session distribution for the security chain so that security-chain devices are not oversubscribed. When the firewall receives the traffic back from the security chain, it re-encrypts the traffic and forwards it to the appropriate destination.

Before you create a Decryption Forwarding profile to enable decryption brokering, you must:
- Enable SSL Forward Proxy decryption.
- Dedicate at least two Layer 3 interfaces on the firewall to forwarding decrypted traffic to the security chain (select Network > Interfaces > Ethernet, edit an interface, select Advanced > Other Info, and then enable Decrypt Forward). Repeat this task to enable a second interface as a Decrypt Forward interface.

After you complete these tasks, create a Decryption Forwarding profile to pair the two interfaces and to define settings for the security chain to which the firewall will forward decrypted traffic.

See Decryption Broker to learn more about supported decryption broker and security chain deployments and for the full workflow to enable a firewall to act as a decryption broker.
Decryption Forwarding Settings | Description |
---|---|
Name | Give the profile a descriptive name. |
Description | Optionally describe the profile settings. |
General Tab | |
Security Chain Type | Select the type of security chain to which the firewall forwards decrypted traffic: |
Flow Direction | Specify how the firewall directs decrypted inbound and outbound sessions through a security chain: in the same direction (unidirectionally) or in opposite directions (bidirectionally). The flow direction you choose depends on the type of devices that make up your security chain. For example, if a security chain consists of stateless devices that can examine both sides of a session, you would choose a unidirectional flow. |
Primary Interface and Secondary Interface | Select the primary and secondary interfaces that the firewall will use to forward traffic to a security chain. Together, the primary and secondary interfaces form a pair of decryption forwarding interfaces. Only interfaces that you have configured as Decrypt Forward interfaces are displayed. |
Security Chains Tab | |
Enable | Enable the security chain. |
Name | Give the security chain a descriptive name. |
First Device and Last Device | Select the IPv4 address of the first device and of the last device in the security chain, or define a new Address Object to reference each device easily. |
Session Distribution Method | When forwarding to multiple Routed (Layer 3) security chains, choose the method that the firewall will use to distribute decrypted sessions among the security chains: |
Health Monitor Tab | |
On Health Check Failure | Choose whether the firewall should Bypass Security Chain (allow session traffic) or Block Session if all security chains associated with this decryption forwarding profile fail a health check. When a decryption forwarding profile is configured with multiple security chains and a single security chain fails a health check, the firewall performs session distribution across the remaining healthy security chains based on the method specified on the Security Chains tab; it blocks or allows the traffic according to this setting only when every security chain fails. |
Health Check Failed Condition | Define a health check failure as an event where any of the health monitor conditions is met (an OR Condition) or where all of the conditions are met (an AND Condition). |
Path Monitoring, Latency Monitoring, and HTTP Monitoring | Enable path, latency, or HTTP monitoring, or any combination of the three, to identify when security chains are not effectively processing decrypted traffic. For each type of monitoring you enable, define the periods of time and counts that will trigger a health check failure. Enable: |
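The Health Monitor semantics above (OR/AND failure condition, distribution across remaining healthy chains, bypass or block only when every chain has failed) decide whether the broker fails open or fails closed. The following model is an added illustration written for this page, not firewall code or a Palo Alto Networks API; the chain names and addresses are constructed sample values, and round-robin is an assumed distribution method used only for illustration, since the page does not list the available methods here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityChain:
    """One security chain as defined on the Security Chains tab (sample values)."""
    name: str
    first_device: str            # IPv4 of first device (constructed)
    last_device: str             # IPv4 of last device (constructed)
    enabled: bool = True
    # Latest result per enabled monitor type: True = check passed.
    monitor_results: Dict[str, bool] = field(default_factory=dict)


def chain_failed(chain: SecurityChain, failed_condition: str) -> bool:
    """Health Check Failed Condition: 'or' marks the chain failed when any
    enabled monitor fails, 'and' only when every enabled monitor fails."""
    failures = [not passed for passed in chain.monitor_results.values()]
    if not failures:
        return False  # no monitoring enabled, so nothing can mark it failed
    return any(failures) if failed_condition == "or" else all(failures)


class ForwardingProfile:
    """Decision logic of one Decryption Forwarding profile's Health Monitor tab."""

    def __init__(self, chains: List[SecurityChain], on_failure: str,
                 failed_condition: str = "or") -> None:
        assert on_failure in ("bypass", "block")      # On Health Check Failure
        assert failed_condition in ("or", "and")      # Health Check Failed Condition
        self.chains = chains
        self.on_failure = on_failure
        self.failed_condition = failed_condition
        self._cursor = 0  # round-robin position (assumed method, illustration only)

    def healthy_chains(self) -> List[SecurityChain]:
        return [c for c in self.chains
                if c.enabled and not chain_failed(c, self.failed_condition)]

    def route_session(self) -> Tuple[str, Optional[str]]:
        """Return ('forward', chain) while any chain is healthy; otherwise the
        profile-wide action: ('bypass', None) fails open, ('block', None) fails closed."""
        healthy = self.healthy_chains()
        if not healthy:
            return (self.on_failure, None)
        chain = healthy[self._cursor % len(healthy)]
        self._cursor += 1
        return ("forward", chain.name)
```

A "bypass" result means decrypted sessions continue without third-party inspection, so a defender should alert on that transition rather than only on the blocked case.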