Configure Decryption Port Mirroring
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure Decryption Port Mirroring
Where permitted by law, you can decrypt traffic and send
the cleartext (unencrypted) traffic to a device that can archive and
analyze the traffic.
Before you can enable Decryption
Mirroring, you must obtain and install a Decryption Port Mirror
license. The license is free of charge and can be activated through
the support portal as described in the following procedure. After
you install the Decryption Port Mirror license and reboot the firewall,
you can enable decryption port mirroring.
Keep in mind that
the decryption, storage, inspection, and/or use of SSL traffic is
regulated in certain countries and user consent may be required
in order to use the decryption mirror feature. Additionally, use
of this feature could enable malicious users with administrative
access to the firewall to harvest usernames, passwords, social security
numbers, credit card numbers, or other sensitive information submitted
using an encrypted channel. Palo Alto Networks recommends that you
consult with your corporate counsel before activating and using
this feature in a production environment.
- Request a license for each firewall on which you want to enable decryption port mirroring.
- Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.Select the entry for the firewall you want to license and select Actions.Select Decryption Port Mirror. A legal notice displays.If you are clear about the potential legal implications and requirements and still want to set up decryption port mirroring, click I understand and wish to proceed.Click Activate.Install the Decryption Port Mirror license on the firewall.
- From the firewall web interface, select DeviceLicenses.Click Retrieve license keys from license server.Verify that the license has been activated on the firewall.Reboot the firewall (DeviceSetupOperations). This feature is not available for configuration until PAN-OS reloads.Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.On a firewall with a single virtual system:
- Select DeviceSetupContent - ID.Select the Allow forwarding of decrypted content check box.Click OK to save.On a firewall with multiple virtual systems:
- Select DeviceVirtual System.Select a Virtual System to edit or create a new Virtual System by selecting Add.Select the Allow forwarding of decrypted content check box.Click OK to save.Enable an Ethernet interface to be used for decryption mirroring.
- Select NetworkInterfacesEthernet.Select the Ethernet interface that you want to configure for decryption port mirroring.Select Decrypt Mirror as the Interface Type.This interface type will appear only if the Decryption Port Mirror license is installed.Click OK to save.Enable mirroring of decrypted traffic.
- Select ObjectsDecryption Profile.Select an Interface to be used for Decryption Mirroring.The Interface drop-down contains all Ethernet interfaces that have been defined as the type: Decrypt Mirror.Specify whether to mirror decrypted traffic before or after policy enforcement.By default, the firewall will mirror all decrypted traffic to the interface before security policies lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to only mirror decrypted traffic after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).Click OK to save the decryption profile.Attach the decryption profile rule (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
- Select PoliciesDecryption.Click Add to configure a decryption policy or select an existing decryption policy to edit.In the Options tab, select Decrypt and the Decryption Profile created in step 4.Click OK to save the policy.Save the configuration.Click Commit.