Network Packet Broker
Network Packet Broker sends decrypted, encrypted, and cleartext traffic to external
chains of security appliances.
Network Packet Broker filters and forwards network traffic
to an external security chain of one or more third-party security
appliances. Network Packet Broker replaces the Decryption Broker
feature introduced in PAN-OS 8.1 and expands its capabilities to
include forwarding non-decrypted TLS traffic and non-TLS traffic
(cleartext) as well as decrypted TLS traffic. The ability to handle
all types of traffic is especially valuable in very high security
environments such as financial and government institutions.
Network Packet Broker is supported on PA-7000 Series, PA-7000b, PA-5400 Series, PA-5200 Series,
PA-3400 Series, and PA-3200 Series devices and on VM-300 and VM-700 models. It requires SSL
Forward Proxy decryption to be enabled, in which the firewall is established as a trusted
third party (or man-in-the-middle) to session traffic.
A firewall interface cannot be both a decryption broker
and a GRE tunnel endpoint.