Where permitted by law, you can decrypt traffic and send
the cleartext (unencrypted) traffic to a device that can archive
and analyze the traffic.
Before you can enable
Decryption
Mirroring, you must obtain and install a Decryption Port
Mirror license. The license is free of charge and can be activated
through the support portal as described in the following procedure.
After you install the Decryption Port Mirror license and reboot
the firewall, you can enable decryption port mirroring.
Keep
in mind that the decryption, storage, inspection, and/or use of
SSL traffic is regulated in certain countries and user consent may
be required in order to use the decryption mirror feature. Additionally,
use of this feature could enable malicious users with administrative
access to the firewall to harvest usernames, passwords, social security
numbers, credit card numbers, or other sensitive information submitted
using an encrypted channel. Palo Alto Networks recommends that you consult
with your corporate counsel before activating and using this feature
in a production environment.