Traffic Replication in Prisma Access (Strata Cloud Manager)
Learn how to replicate Prisma Access traffic in Prisma Access (Managed by Strata Cloud Manager).
To configure traffic replication and access the packet capture (pcap) files, complete the following steps.
  1. Onboard and configure Mobile Users—GlobalProtect for the locations where you want to enable traffic replication and Commit and Push your changes.
    You must have the Mobile Users—GlobalProtect locations enabled before enabling traffic replication for those locations.
  2. (Optional) Apply SSL decryption on the packet captures.
    1. Go to Prisma Access (Managed by Strata Cloud Manager), select Prisma Access Setup > Prisma Access > Traffic Replication, and click the gear to edit the Settings.
    2. Enable Packet captures after applying SSL decryption rules to apply your already-configured SSL decryption policies on the pcap files.
      Only traffic that matches with the inline SSL decryption policy will be decrypted.
      If you select this option, the pcap files will use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption will be performed on the pcap files, regardless of the decryption rules you have configured.
  3. For Traffic Replication encryption certificate, select any certificate you have added in the Objects > Certificate Management > Certificates > Custom Certificates > Generate page, or Import the certificate to use for SSL decryption.
    The certificate consists of a public and private key. Upload the public key in Prisma Access; you keep the private key and use it for decryption when you download the zipped pcap files from the storage bucket. In this way, you guarantee that only your organization can access the storage bucket where the pcap files are stored.
  4. Configure the GCP service account you created in Step 1.
    Traffic replication is supported only for GCP accounts. This service account is used to share read-only access to the storage buckets where the pcap files are stored in the locations where you have enabled traffic replication. You can create these service accounts in your GCP account using normal GCP service account creation procedures. It's your responsibility to control which users have access to these service accounts. Any user who has access to both the storage bucket holding the pcap files and the private key can read the captured traffic.
    1. In the Access Management area, Add Account details to share read-only access to the storage buckets where the pcap files are stored.
    2. Enter the following parameters:
      • Give the account a unique Account Name.
      • Specify GCP as the Type for the account.
      • Specify the Account information from the GCP service account you created.
      • Enter a Member/User name for the GCP service account.
  5. (Optional) If you want to add Pub/Sub notifications that notify you when a new folder or new files are added to a bucket, set up Pub/Sub notifications in your Google Cloud Service Account.
    Prisma Access creates a single Pub/Sub channel per tenant for all locations in that tenant.
    Pub/Sub notifications are supported starting with Prisma Access 5.2. If you have an existing account and want to add Pub/Sub notifications, upgrade to Prisma Access 5.2, then choose one of the following options to add Pub/Sub notifications:
    • Modify the existing Google Cloud Service Account you have already configured in Prisma Access.
    • Add a new account for the existing service account and specify that account in your Prisma Access configuration.
      If you add a new account, you need to disable traffic replication on the existing account and enable traffic replication on the new account.
    • Disable and enable traffic replication on the existing location.
    Prisma Access sends Pub/Sub messages with the heading panw-traffic-replication-file-notifications-<tenantid>, where <tenantid> is the ID of the tenant that's sending the notifications. The messages are in this format:
    Message {
      data: b''
      ordering_key: ''
      attributes: {
        "bucketId": "xxxx-xx-xxx-xxxxxxxxx-us-west1",
        "eventTime": "2024-04-24T23:12:59.xxxxxxx",
        "eventType": "OBJECT_FINALIZE",
        "notificationConfig": "projects/_/buckets/xxxx-xx-xxx-xxxxxxxxx-us-west1/notificationConfigs/1",
        "objectGeneration": "xxxxxxxxxxxxxxxx",
        "objectId": "instance-group-xxxxxxx/12345678_190000_xxxxx.zip",
        "payloadFormat": "NONE"
      }
    }
    Where:
    • objectGeneration is the generation number of the changed object.
    • objectId is the name of the changed object.
  6. Configure traffic replication for one or more Mobile User locations.
    1. In the Traffic Replication area, select the locations where you want to enable traffic replication, then select Mobile Users.
      You select the Compute Location that is associated with Prisma Access Locations. Traffic replication is enabled for all Mobile Users clients connected to the selected locations.
  7. Save the configuration.
  8. Commit and push your changes.
    1. Select Manage > Operation > Push Config.
    2. Select Mobile Users Container in the Push Scope, then Push Config and Push your changes.
    3. Review the push targets and Push.
  9. Check the status of traffic replication by going to Prisma Access Setup > Prisma Access > Traffic Replication.
  10. Download the pcap files.
    Use the Cloud Storage Links to access the pcap files in your GCP storage buckets.
    • These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
    • You can download pcap data for up to 72 hours. After 72 hours, the files are permanently deleted.
    • Files are encrypted using your public key.
    • Maximum file size is 200 MB or 5 minutes of packet capture, whichever is smaller.
    1. List the files in your service by entering gsutil ls gs://<storage_bucket_link>/, where <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
    2. Download the files from your service account by entering gsutil cp gs://<storage_bucket_link>/<file_name> <destination folder>, where:
      • <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
      • <file_name> is the name of the pcap file.
      • <destination folder> is the folder where you want the pcap file to be downloaded.
    3. Unzip the downloaded files.
    4. Decrypt the downloaded files.
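The following is an added example, not Palo Alto Networks code, that ties step 5 (the Pub/Sub message format) to step 10 (listing, downloading and unzipping the capture archives). It takes the attributes of a notification shaped like the sample message, accepts only OBJECT_FINALIZE events for a bucket you expect and an objectId of the plain <folder>/<name>.zip form (so a malformed object name can never write outside your download directory), and then builds the gsutil and unzip commands from step 10. The bucket allow-list, the ./pcaps download directory and the constructed sample attributes are assumptions for the example; the final decryption step uses whatever tool matches the certificate you generated, so it is left to the operator.

```python
"""Select Prisma Access traffic-replication notifications and prepare the
matching step-10 download commands.

Added example, not Palo Alto Networks code. The message attributes mirror the
sample in step 5; the bucket allow-list and download directory are assumed.
"""
import posixpath
import re
import shlex

# Constructed sample, shaped like the attributes in the step 5 message.
SAMPLE_ATTRIBUTES = {
    "bucketId": "xxxx-xx-xxx-xxxxxxxxx-us-west1",
    "eventTime": "2024-04-24T23:12:59.xxxxxxx",
    "eventType": "OBJECT_FINALIZE",
    "notificationConfig": "projects/_/buckets/xxxx-xx-xxx-xxxxxxxxx-us-west1/notificationConfigs/1",
    "objectGeneration": "xxxxxxxxxxxxxxxx",
    "objectId": "instance-group-xxxxxxx/12345678_190000_xxxxx.zip",
    "payloadFormat": "NONE",
}

# Assumed allow-list: the buckets shown under your Cloud Storage Links.
EXPECTED_BUCKETS = {"xxxx-xx-xxx-xxxxxxxxx-us-west1"}

# Exactly one folder component and one .zip file name, safe characters only.
OBJECT_ID_RE = re.compile(r"^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+\.zip$")


def select_capture(attributes, expected_buckets=EXPECTED_BUCKETS):
    """Return (bucket, object_id) when the notification announces a new
    capture archive, or None when it should be ignored.

    Only OBJECT_FINALIZE (upload finished) matters; any other eventType, such
    as the deletion after the 72-hour retention window, is skipped. The bucket
    must be one we expect, and the object name must match the plain
    "<folder>/<name>.zip" shape with no "." or ".." components.
    """
    if attributes.get("eventType") != "OBJECT_FINALIZE":
        return None
    bucket = attributes.get("bucketId", "")
    if bucket not in expected_buckets:
        return None
    object_id = attributes.get("objectId", "")
    if not OBJECT_ID_RE.match(object_id):
        return None
    if any(part in (".", "..") for part in object_id.split("/")):
        return None
    return bucket, object_id


def download_commands(bucket, object_id, dest_dir="./pcaps"):
    """Build the step-10 commands (list, copy, unzip) as argv lists.

    The archive lands in dest_dir under its own base name. Decrypting the
    unzipped files with your private key is the last manual step.
    """
    gs_url = f"gs://{bucket}/{object_id}"
    local_zip = posixpath.join(dest_dir, posixpath.basename(object_id))
    return [
        ["gsutil", "ls", f"gs://{bucket}/"],
        ["gsutil", "cp", gs_url, local_zip],
        ["unzip", "-o", local_zip, "-d", dest_dir],
    ]


def commands_as_shell(commands):
    """Render the argv lists as shell lines, quoting where needed."""
    return "\n".join(shlex.join(cmd) for cmd in commands)


if __name__ == "__main__":
    match = select_capture(SAMPLE_ATTRIBUTES)
    if match:
        print(commands_as_shell(download_commands(*match)))
```

Run it to print the three commands for the sample notification; wire select_capture into your Pub/Sub subscriber so that only finalized .zip objects in buckets you recognise trigger a download, and keep the private key on the workstation that performs the decryption rather than anywhere the service account can reach.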