SSL Visibility

Thunder SSLi
SSL Visibility & Decryption

The most comprehensive decryption solution, A10 Thunder® SSLi® (SSL Insight) decrypts traffic across all ports providing SSL Visibility and enabling third-party security devices to analyze all enterprise traffic without compromising performance.

  • Gain Full Visibility
  • Secure Key Storage
  • Decrypt Traffic
  • Validate Cert. Status

ELIMINATE THE BLIND SPOT

You can eliminate the blind spot introduced by SSL encryption by offloading CPU-intensive SSL decryption and encryption functions from third-party security devices, while ensuring compliance with privacy standards.

While dedicated security devices provide in-depth inspection and analysis of network traffic, they are not designed to decrypt and encrypt traffic at high speeds. In fact, many security products do not have the ability to decrypt traffic at all.

This solution boosts the performance of the security infrastructure by decrypting traffic and forwarding it to one or more third-party security devices, such as a firewall for deep packet inspection (DPI).

It then re-encrypts the traffic and forwards it to the intended destination. Response traffic is also inspected in the same way.

HARDWARE SPECIFICATIONS

| | Thunder 840 | Thunder 1030S | Thunder 3030S | Thunder 3040S | Thunder 3230S | Thunder 3430S | Thunder 4440S | Thunder 5330S | Thunder 5440S | Thunder 5840S |
|---|---|---|---|---|---|---|---|---|---|---|
| SSLi Throughput*1 | 0.5 Gbps | 1.5 Gbps | 2.5 Gbps | 2.5 Gbps | 3.5 Gbps | 5.5 Gbps | 8 Gbps | 10 Gbps | 15 Gbps | 20 Gbps |
| SSLi CPS*1 | RSA (1K): 500; RSA (2K): 300 | RSA (1K): 4k; RSA (2K): 3k | RSA (1K): 8k; RSA (2K): 6k | RSA: 8k; ECDHE: 4.5k | RSA: 12.5k; ECDHE: 7k | RSA: 18k; ECDHE: 10k | RSA: 22k; ECDHE: 10k | RSA: 30k; ECDHE: 15k | RSA: 35k; ECDHE: 20k | RSA: 50k; ECDHE: 25k |
| SSLi Concurrent Sessions | 40k | 125k | 200k | 200k | 200k | 400k | 400k | 400k | 1 Million | 1 Million |
| Network Interface | | | | | | | | | | |
| - 1 GE Copper | 5 | 6 | 6 | 6 | 0 | 0 | 0 | 0 | 0 | 0 |
| - 1 GE Fiber (SFP) | 0 | 2 | 2 | 2 | 4 | 4 | 0 | 0 | 0 | 0 |
| - 1/10 GE Fiber (SFP+) | 2 | 2 | 4 | 4 | 4 | 4 | 24 | 8 | 24 | 24 |
| - 40 GE Fiber (QSFP+) | 0 | 0 | 0 | 0 | 0 | 0 | 4 | 0 | 4 | 4 |

*1 Tested in a single-appliance SSLi deployment with the maximum SSL option. The cipher "AES128-SHA256" with 2K RSA keys is used for the RSA cases; "ECDHE-RSA-AES128-SHA256" with EC P-256 and 2K RSA keys is used for the PFS case.

Benefits

Gain Full Visibility into the Blind Spot

This solution decrypts traffic across all ports and multiple protocols, eliminating the encryption blind spot and enabling the security infrastructure to inspect previously invisible traffic, detect hidden threats and defend against them.

Decrypt Traffic For All Security Devices

To truly secure an enterprise network, from both internal and external threats, organizations require the help of a variety of security devices.

Thunder SSLi works with products from the major security vendors, which may be deployed in a number of ways, ensuring that the whole network is secure against encrypted threats. It interoperates with:

  • Firewalls
  • Secure Web Gateways (SWG)
  • Intrusion Prevention Systems (IPS)
  • Unified Threat Management (UTM) platforms
  • Data Loss Prevention (DLP) products
  • Threat Prevention platforms
  • Network Forensics and Web Monitoring tools

Secure Key Storage

Storing encryption keys on many appliances in the network can introduce serious vulnerabilities. Threat actors can acquire keys from vulnerable points and use them for encrypted attacks or data extraction.

With FIPS 140-2 Level 3-validated internal and external Hardware Security Module (HSM) support, Thunder SSLi reduces decryption points so encryption keys are stored securely.

Validate Certificate Status

Attackers can use invalid certificates to infiltrate networks. If these attacks are not blocked, users can be at risk of multiple attacks.

Thunder SSLi helps the system confirm the validity of certificates it receives from the server by supporting Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP). These protocols help verify the origin certificate is valid.

Ensure Compliance and Privacy

Thunder SSLi allows for selective decryption, making sure that organizations can keep up with industry, government and other compliance and privacy standards. For example, HIPAA compliance may forbid the decryption of private and sensitive healthcare information.

Reduce Operational Costs

This solution offers a centralized point to decrypt enterprise traffic, forwarding it to many inline and non-inline security devices. This eliminates the decryption overhead of each security device, improving performance while maintaining proper security diligence. It also eliminates the need to purchase bigger security devices just to support resource-exhausting decryption and encryption functions.

Simplify Operations and Management

AppCentric Templates, a wizard-based configuration, deployment and management tool, make Thunder SSLi the easiest-to-use decryption solution in the industry. With informative dashboards, organizations can track their network with ease. Thunder SSLi also includes an industry-standard CLI, a web user interface and a RESTful API (aXAPI®), which integrates with third-party or custom management consoles.

SSL Visibility AppCentric Templates
AppCentric Templates help users manage their encrypted traffic using a dashboard to visualize SSL traffic, decryption and encryption, bypassing, traffic management using categorization, and more.

Reference Architectures

Traffic Flow Through the Decrypt Zone

Thunder SSLi by A10 Networks provides visibility via a logical decrypt zone where third-party security devices inspect traffic for threats. It can be deployed in a one- or two-appliance configuration.

Multiple Deployment & Decryption Options

Thunder SSLi may be deployed inline, on the enterprise perimeter, and can decrypt traffic for a variety of security products simultaneously, including inline, non-inline (passive/TAP) and ICAP-enabled devices.
