Where permitted by law, you can decrypt traffic and send
the cleartext (unencrypted) traffic to a device that can archive and
analyze the traffic.
Before you can enable
Decryption
Mirroring, you must obtain and install a Decryption Port Mirror
license. The license is free of charge and can be activated through
the support portal as described in the following procedure. After
you install the Decryption Port Mirror license and reboot the firewall,
you can enable decryption port mirroring.
Keep in mind that
the decryption, storage, inspection, and/or use of SSL traffic is
regulated in certain countries and user consent may be required
in order to use the decryption mirror feature. Additionally, use
of this feature could enable malicious users with administrative
access to the firewall to harvest usernames, passwords, social security
numbers, credit card numbers, or other sensitive information submitted
using an encrypted channel. Palo Alto Networks recommends that you
consult with your corporate counsel before activating and using
this feature in a production environment.