By default, the firewall will mirror all decrypted traffic to
the interface before security policy lookup, which allows you
to replay events and analyze traffic that generates a threat or
triggers a drop action. If you want to only mirror decrypted traffic
after security policy enforcement, select the Forwarded Only check
box. With this option, only traffic that is forwarded through the
firewall is mirrored. This option is useful if you are forwarding
the decrypted traffic to other threat detection devices, such as
a DLP device or another intrusion prevention system (IPS).