Network Packet Broker
Network Packet Broker sends decrypted, encrypted, and cleartext traffic to external
chains of security appliances.
| Where Can I Use This? | What Do I Need? |
|---|---|
| NGFW (Managed by PAN-OS or Panorama) | |
Network Packet Broker filters and forwards network traffic
to an external security chain of one or more third-party security
appliances. Network Packet Broker replaces the Decryption Broker
feature introduced in PAN-OS 8.1 and expands its capabilities to
include forwarding non-decrypted TLS traffic and non-TLS traffic
(cleartext) as well as decrypted TLS traffic. The ability to handle
all types of traffic is especially valuable in very high security
environments such as financial and government institutions.
Network Packet Broker is supported for PA-7000 Series, PA-7000b, PA-5400 Series, PA-5200 Series,
PA-3400 Series, PA-3200 Series devices and VM-300 and VM-700 models. It requires SSL
Forward Proxy decryption to be enabled, where the firewall is established as a trusted
third party (or man-in-the-middle) to session traffic.
A firewall interface cannot be both a decryption broker and a GRE tunnel endpoint.
If you use one or more third-party security appliances (a security chain) as
part of your overall security suite, you can use Network Packet Broker to filter and
forward network traffic to those security appliances. Network Packet Broker replaces the
Decryption Broker feature introduced in PAN-OS 8.1.
Like Decryption Broker, Network Packet Broker provides decryption
capabilities and security chain management. This simplifies your network by eliminating
complications from supporting dedicated devices for those functions and reduces capital
and operating costs. Also like Decryption Broker, Network Packet Broker provides health
checks to ensure that the path to the security chain is healthy and options for handling
traffic if a chain goes down.
Network Packet Broker expands the firewall’s security chain forwarding
capabilities so that you can filter and forward not only decrypted TLS traffic, but also
non-decrypted TLS and non-TLS (cleartext) traffic to one or more security chains based
on applications, users, devices, IP addresses, and zones. These features are especially
valuable in very high security environments such as financial and government
institutions.
Upgrade and downgrade:
Requirements for using Network Packet Broker:
You must install a free Packet Broker license on the firewall. Without the free
license, you can’t access the Packet Broker policy and profile in the interface.
The firewall must have at least two available layer 3 Ethernet interfaces to use
as a dedicated pair of packet broker forwarding interfaces.
You can configure multiple pairs of dedicated Network Packet Broker
forwarding interfaces to connect to different security chains.
For each security chain, the pair of dedicated Network Packet Broker
interfaces must be in the same security zone.
Security policy must allow traffic between each
paired set of Network Packet Broker interfaces. The
intrazone-default Security policy rule allows
traffic within the same zone by default. However, if you have a “deny
all” policy rule earlier in the policy rulebase, then you must create an
explicit allow rule to allow the Network Packet Broker traffic.
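The rule-ordering point above, modelled as an added example (not PAN-OS code): a first-match evaluator over a rulebase with the predefined intrazone-default and interzone-default rules appended, showing that a broad "deny all" rule placed earlier shadows intrazone-default for the broker pair, and that an explicit allow only helps when it precedes the deny. The zone name "pb-chain" and the rule names are constructed for the example.

```python
# Added illustration of PAN-OS first-match Security policy evaluation for the
# Network Packet Broker interface pair; not PAN-OS code. Zone and rule names
# ("pb-chain", "deny-all", "allow-packet-broker") are constructed for the example.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str              # "universal", "intrazone" or "interzone"
    src_zones: Tuple[str, ...]  # ("any",) matches every zone
    dst_zones: Tuple[str, ...]
    action: str                 # "allow" or "deny"

# The two predefined rules sit at the bottom of every rulebase.
DEFAULT_RULES = [
    Rule("intrazone-default", "intrazone", ("any",), ("any",), "allow"),
    Rule("interzone-default", "interzone", ("any",), ("any",), "deny"),
]

def rule_matches(rule: Rule, src_zone: str, dst_zone: str) -> bool:
    """Zone match plus the rule-type constraint (intrazone needs equal zones)."""
    if rule.rule_type == "intrazone" and src_zone != dst_zone:
        return False
    if rule.rule_type == "interzone" and src_zone == dst_zone:
        return False
    return (("any" in rule.src_zones or src_zone in rule.src_zones)
            and ("any" in rule.dst_zones or dst_zone in rule.dst_zones))

def decide(rulebase: List[Rule], src_zone: str, dst_zone: str) -> Rule:
    """Return the first matching rule: user rules in order, then the defaults."""
    for rule in rulebase + DEFAULT_RULES:
        if rule_matches(rule, src_zone, dst_zone):
            return rule
    raise AssertionError("unreachable: a default rule always matches")

# A broad "deny all" rule, as the page warns, shadows intrazone-default.
DENY_ALL = Rule("deny-all", "universal", ("any",), ("any",), "deny")
# The explicit allow for the broker pair; both interfaces sit in zone "pb-chain".
BROKER_ALLOW = Rule("allow-packet-broker", "universal", ("pb-chain",), ("pb-chain",), "allow")

def broker_traffic_allowed(rulebase: List[Rule], zone: str = "pb-chain") -> bool:
    """True if traffic between the two broker interfaces (same zone) is allowed."""
    return decide(rulebase, zone, zone).action == "allow"

if __name__ == "__main__":
    for rb in ([], [DENY_ALL], [BROKER_ALLOW, DENY_ALL], [DENY_ALL, BROKER_ALLOW]):
        print([r.name for r in rb], "->", decide(rb, "pb-chain", "pb-chain").name)
```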
The pair of dedicated interfaces connects to the first and last devices in
a security chain.
Network Packet Broker supports routed layer 3 security
chains and Transparent Bridge Layer 1 security chains. For routed layer 3
chains, one pair of packet broker forwarding interfaces can connect to multiple
layer 3 security chains using a properly configured switch, router, or other
device to perform the required layer 3 routing between the firewall and the
security chains.
Dedicated Network Packet Broker forwarding interfaces cannot use dynamic routing
protocols.
None of the devices in the security chain can modify the source or destination IP
address, source or destination port, or protocol of the original session because
the firewall would not be able to match the modified session to the original
session and therefore would drop the traffic.
You must enable the firewall to Allow forwarding of decrypted
content.
Network Packet Broker supports:
Decrypted TLS, non-decrypted TLS, and non-TLS traffic.
SSL Forward Proxy, SSL Inbound Inspection, and encrypted SSH traffic.
Routed layer 3 security chains.
Transparent Bridge layer 1 security chains.
You can configure both routed layer 3 and layer 1
Transparent Bridge security chains on the same firewall but you must use
different pairs of forwarding interfaces for each type.
Unidirectional traffic flow through the chain: all traffic to the chain egresses
the firewall on one dedicated interface and returns to the firewall on another
dedicated interface, so all traffic flows in the same direction through the pair
of dedicated Network Packet Broker interfaces.
Both firewall forwarding interfaces must be in the same
zone.
Bidirectional traffic flow through the security chain:
Client-to-server (c2s) traffic egresses the firewall on one dedicated
firewall broker interface and returns to the firewall on another
dedicated firewall broker interface.
Server-to-client (s2c) traffic uses the same two dedicated firewall
broker interfaces as c2s traffic, but the traffic flows in the opposite
direction through the security chain. The firewall broker interface on
which the s2c traffic goes to the chain is the same interface on which
the c2s traffic returns from the chain to the firewall. The firewall
broker interface on which the s2c traffic returns to the firewall is the
same interface on which the c2s traffic egresses to the chain.
Both firewall forwarding interfaces must be in the same
zone.
Network Packet Broker does not support multicast, broadcast, or
decrypted SSH traffic.
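The session-matching requirement (no device in the chain may change the source or destination IP address, port, or protocol) and the bidirectional flow through the two dedicated interfaces, modelled together as an added example (not PAN-OS code): the firewall keys each session on its c2s 5-tuple, sends c2s traffic out one interface and s2c traffic out the other, and drops anything returning from the chain that no longer matches either direction. Interface names, addresses and ports are constructed.

```python
# Added model of the page's session-matching and bidirectional-flow rules; not
# PAN-OS code. Interface names, addresses and ports are constructed.
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # proto, src IP, src port, dst IP, dst port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> FiveTuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FiveTuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)

class BrokerFirewall:
    """Tracks sessions by their c2s 5-tuple and brokers them through one chain."""
    def __init__(self, iface_a: str = "ethernet1/5", iface_b: str = "ethernet1/6"):
        self.iface_a, self.iface_b = iface_a, iface_b
        self.sessions: Dict[FiveTuple, str] = {}

    def to_chain(self, pkt: Packet) -> Tuple[str, str]:
        """Return (egress iface, iface the packet must come back on).
        c2s goes out A and returns on B; s2c goes out B and returns on A."""
        if pkt.reverse_key() in self.sessions:          # s2c half of a known session
            return self.iface_b, self.iface_a
        self.sessions.setdefault(pkt.key(), f"sess-{len(self.sessions) + 1}")
        return self.iface_a, self.iface_b

    def from_chain(self, pkt: Packet) -> Optional[str]:
        """Match a packet returning from the chain; None means the firewall drops it."""
        return self.sessions.get(pkt.key()) or self.sessions.get(pkt.reverse_key())

def round_trip(fw: BrokerFirewall, pkt: Packet,
               chain: Callable[[Packet], Packet]) -> Optional[str]:
    """Send pkt through the chain and return the session it matched on return."""
    fw.to_chain(pkt)
    return fw.from_chain(chain(pkt))

C2S = Packet("tcp", "10.1.1.10", 51000, "203.0.113.5", 443)   # constructed client flow
S2C = Packet("tcp", "203.0.113.5", 443, "10.1.1.10", 51000)   # its server reply
def transparent_chain(p: Packet) -> Packet: return p              # forwards unchanged
def natting_chain(p: Packet) -> Packet: return replace(p, dst="192.0.2.1", dport=8443)
```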