Prepare to Deploy Network Packet Broker

Take the following actions to prepare to deploy Network Packet Broker:
  1. Obtain and activate the free Network Packet Broker license.
    1. Select Assets > Devices on the left-hand navigation pane.
    2. Find the device on which you want to enable Network Packet Broker and select Actions (the pencil icon).
    3. Under Activate Licenses, select Activate Feature License.
    4. Select the Network Packet Broker free license.
    5. Click Agree and Submit.
  2. Install the license on the firewall.
    1. Select Device > Licenses.
    2. Click Retrieve license keys from the license server.
    3. Verify that the Device > Licenses page shows that the Network Packet Broker license is now active on the firewall.
    4. Restart the firewall (Device > Setup > Operations). Network Packet Broker is not available for configuration until the firewall restarts.
      You can push the Network Packet Broker license from Panorama to managed firewalls. You must reboot the firewalls to make the license take effect and update the user interface.
  3. Enable the App-ID cache for Network Packet Broker.
    1. The App-ID cache is disabled by default. Enable it using the configuration mode CLI command:
      admin@PA-3260# set deviceconfig setting application cache yes
    2. Enable the firewall to use the App-ID cache to identify applications:
      admin@PA-3260# set deviceconfig setting application use-cache-for-identification yes
    3. Commit the configuration. Configuration-mode changes do not take effect, and do not appear in the running configuration, until they are committed.
    Verify in operational mode that the settings show Application cache set to yes and Use cache for appid set to yes:
    admin@PA-3260> show running application setting
    Application setting:
    Application cache             : yes
    Supernode                     : yes
    Heuristics                    : yes
    Cache Threshold               : 1
    Bypass when exceeds queue limit: no
    Traceroute appid              : yes
    Traceroute TTL threshold      : 30
    Use cache for appid           : yes
    Use simple appsigs for ident  : yes
    Use AppID cache on SSL/SNI    : no
    Unknown capture               : on
    Max. unknown sessions         : 5000
    Current unknown sessions      : 33
    Application capture           : off
    Current APPID Signature
       Memory Usage               : 16768  KB (Actual 16461  KB)
          TCP 1 C2S               : regex 11898  states
          TCP 1 S2C               : regex 4549   states
          UDP 1 C2S               : regex 4263   states
          UDP 1 S2C               : regex 1605   states
  4. Enable the firewall to Allow forwarding of decrypted content (Device > Setup > Content-ID).
  5. Identify the traffic that you want to forward to one or multiple security chains.
  6. Identify the topology for each security chain and determine whether to use layer 1 Transparent Bridge forwarding or routed layer 3 forwarding, which determines what type of security chain you configure on the firewall. Considerations include:
    • Whether you want to load-balance traffic across multiple chains (use a routed layer 3 security chain to distribute sessions across multiple chains through a router, switch, or other routing device), use a single chain, or use different security chains for different types of traffic. For multiple layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each security chain because the layer 1 connection is not routed.
    • Whether to use unidirectional or bidirectional traffic flow through the security chain.
  7. Decide which pairs of firewall interfaces to use as dedicated Network Packet Broker forwarding interfaces.
    • For layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each layer 1 security chain. You can configure policy rules to send specific traffic to different security chains.
    • For routed layer 3 chains, one dedicated pair of firewall interfaces can load balance traffic among multiple layer 3 security chains through a switch, router, or other routing-capable device.
    • For routed layer 3 chains, you can use multiple pairs of dedicated firewall interfaces to send specific traffic to different security chains using different policy rules.
    Security policy must allow traffic between the two interfaces of each Network Packet Broker pair. When both interfaces of a pair are in the same zone, the intrazone-default Security policy rule (at the bottom of the rulebase) allows that traffic by default. However, if a "deny all" rule appears earlier in the rulebase, it matches first, so you must create an explicit allow rule above it for the Network Packet Broker traffic.
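The verification in step 3 is easy to get wrong when it is done by eye across many firewalls, so the following readiness check, an added example that is not part of this page or of PAN-OS, parses the `show running application setting` output and reports which of the two required settings is still off, together with the remediation command from the procedure. The sample output is constructed from the listing shown above; how the text is collected from the firewall (for example over the XML API) is outside the example and left to the reader.

```python
import re

# Constructed sample: the `show running application setting` listing shown in
# step 3 of this page, copied as-is (signature memory lines truncated).
READY_OUTPUT = """\
Application setting:
Application cache             : yes
Supernode                     : yes
Heuristics                    : yes
Cache Threshold               : 1
Bypass when exceeds queue limit: no
Traceroute appid              : yes
Traceroute TTL threshold      : 30
Use cache for appid           : yes
Use simple appsigs for ident  : yes
Use AppID cache on SSL/SNI    : no
Unknown capture               : on
Max. unknown sessions         : 5000
Current unknown sessions      : 33
Application capture           : off
Current APPID Signature
   Memory Usage               : 16768  KB (Actual 16461  KB)
      TCP 1 C2S               : regex 11898  states
"""

# Constructed sample of a firewall where step 3 was never performed
# (the defaults: cache disabled and not used for identification).
NOT_READY_OUTPUT = READY_OUTPUT.replace(
    "Application cache             : yes", "Application cache             : no"
).replace(
    "Use cache for appid           : yes", "Use cache for appid           : no"
)

# The two settings Network Packet Broker requires, and the configuration-mode
# command from the procedure that sets each of them.
REQUIRED = {
    "Application cache": ("yes", "set deviceconfig setting application cache yes"),
    "Use cache for appid": (
        "yes",
        "set deviceconfig setting application use-cache-for-identification yes",
    ),
}

# One "name : value" line; the key is non-greedy so trailing padding before the
# colon is not captured, and a value containing no text (the header) is ignored.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_application_setting(text):
    """Return {setting name: value} for every 'name : value' line in the listing."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("value"):
            settings[m.group("key")] = m.group("value")
    return settings


def check_npb_appid_cache(text):
    """Return (ready, problems).

    ready is True only when every required setting is present with the expected
    value; problems lists each deviation with the command that corrects it.
    """
    settings = parse_application_setting(text)
    problems = []
    for key, (want, fix) in REQUIRED.items():
        got = settings.get(key)
        if got != want:
            problems.append(
                f"{key} is {got!r}, expected {want!r}: run '{fix}' in configuration mode and commit"
            )
    return (not problems, problems)


if __name__ == "__main__":
    for label, output in (("ready firewall", READY_OUTPUT), ("default firewall", NOT_READY_OUTPUT)):
        ready, problems = check_npb_appid_cache(output)
        print(f"{label}: {'READY' if ready else 'NOT READY'}")
        for p in problems:
            print("  -", p)
```

Feed the function the raw CLI text rather than hand-picked fields: it matches on the setting names exactly as the firewall prints them, so a listing from a firewall that never had step 3 applied is reported with both remediation commands, and a partially configured one (cache enabled but not used for identification) is reported with only the second.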