Decryption mirroring creates a copy of decrypted traffic
from a firewall and sends it to a traffic collection tool such as
NetWitness or Solera, which can receive raw packet captures for
archiving and analysis. Organizations that require comprehensive
data capture for forensic and historical purposes or for data leak
prevention (DLP) can install a free license to enable the feature.
After you install the license, connect the traffic collection
tool directly to an Ethernet interface on the firewall and set the Interface Type to Decrypt
Mirror. The firewall simulates a TCP handshake with
the collection tool and then sends every data packet through that
interface, decrypted (as cleartext).
Decryption port mirroring is not available on the VM-Series
for public cloud platforms (AWS, Azure, Google Cloud Platform) and
VMware NSX.
Keep in mind that the decryption, storage, inspection, and/or
use of SSL traffic is governed in certain countries and user consent
might be required in order to use the decryption mirror feature.
Additionally, use of this feature could enable malicious users with
administrative access to the firewall to harvest usernames, passwords,
social security numbers, credit card numbers, or other sensitive
information submitted using an encrypted channel. Palo Alto Networks recommends
that you consult with your corporate counsel before activating and
using this feature in a production environment.
The following graphic shows the process for mirroring decrypted
traffic and the section Configure
Decryption Port Mirroring describes how to license and enable
this feature.