Network Packet Broker filters and forwards network traffic to an external security chain of one or more third-party security appliances. Network Packet Broker replaces the Decryption Broker feature introduced in PAN-OS 8.1 and expands its capabilities to include forwarding non-decrypted TLS traffic and non-TLS traffic (cleartext) as well as decrypted TLS traffic. The ability to handle all types of traffic is especially valuable in very high security environments such as financial and government institutions.

Network Packet Broker is supported for PA-7000 Series, PA-7000b, PA-5400 Series, PA-5200 Series, PA-3400 Series, and PA-3200 Series devices and VM-300 and VM-700 models. It requires SSL Forward Proxy decryption to be enabled, where the firewall is established as a trusted third party (or man-in-the-middle) to session traffic.