Deploying NGFW Engines in TLS inspection
TLS Inspection requires two separate secure connections: one from the client to the engine and one from the engine to the server. For this reason, engines must be deployed in inline mode to use TLS Inspection.
TLS Inspection cannot be done for traffic picked up through Capture interfaces.
TLS inspection cannot be used on redundant single inline engines deployed alongside a Firewall cluster using dispatch clustering. In dispatch clustering, traffic is received by one node in the Firewall cluster. The node forwards the traffic to the other Firewall nodes. This can result in a situation where one of the single inline engines only receives one direction of the traffic, and the other single inline engine receives both directions of the traffic. If one engine has created substitute certificates, and traffic is dispatched through a different engine without passing through the engine that created the substitute certificates, the connection fails.