Decryption mirroring creates a copy of decrypted traffic from a firewall and sends it to a traffic collection tool such as NetWitness or Solera, which can receive raw packet captures for archiving and analysis. Organizations that require comprehensive data capture for forensic and historical purposes or for data leak prevention (DLP) can install a free license to enable the feature.

After you install the license, connect the traffic collection tool directly to an Ethernet interface on the firewall and set the Interface Type to Decrypt Mirror. The firewall simulates a TCP handshake with the collection tool and then sends every data packet through that interface, decrypted (as cleartext).

Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is governed in certain countries and user consent might be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.

The following graphic shows the process for mirroring decrypted traffic and the section Configure Decryption Port Mirroring describes how to license and enable this feature.