>
    Strata Copilot
    Traffic Replication in Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. Prisma Access Mobile Users—GlobalProtect Advanced Deployments
    6. Traffic Replication in Prisma Access
    Download PDF
    Prisma Access

    Traffic Replication in Prisma Access

    Table of Contents

    Traffic Replication in Prisma Access

    Learn how to replicate Prisma Access traffic and capture pcap files for forensics and analysis in Prisma Access.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama) for Mobile Users and Remote Networks
    • Prisma Access License
    • Traffic Replication Add-On License
    • Traffic Replication requires a minimum 4.1 Prisma Access release for Mobile Users traffic.
    • Traffic Replication requires a minimum 5.0 Prisma Access release for both Mobile Users and Remote Network traffic.
    • Traffic Replication requires a minimum 6.0.1 Prisma Access release for Explicit Proxy.
    • TLS 1.3 support for Remote Networks and Mobile Users requires a minimum Prisma Access 5.2 release.
    • PubSub requires a minimum Prisma Access 5.2.1 release.
    On-premises network recorders have been a powerful tool for organizations to perform forensic and breach analysis. It's common in on-premises topologies to implement a parallel infrastructure of tap ports, span ports, or packet brokers that would deliver a copy of the traffic to be used for such out-of-band analysis.
    However, along with the accelerated adoption of hybrid work and cloud, organizations are migrating to SASE architectures to address these challenges. Adhering to SASE cloud security solutions created blind spots for these forensic analysis tools, where a copy of the traffic from a remote user to a SaaS application is no longer available.
    Prisma Access Traffic Replication adds full visibility into forensic and post-mortem analysis involving SASE architectures by making available a copy of the traffic that is traversing Prisma Access. Some common use cases where Traffic Replication is instrumental are:
    • Forensic and Threat Hunting analysis where packet captures provide irrefutable evidence of the attack and the approach that was used.
    • Meeting specific regulatory compliance where packet captures need to be stored for a certain amount of time.
    • Continuing to use any preferred third-party tools that your organization has invested in.
    • Packet-level network and application performance debugging.
    Traffic Replication provides access to packet captures (pcaps) of users' real-world traffic, thereby enabling the possibilities to detect and remediate threats that could span over multiple sessions or identify and respond to anomalous behaviors to reduce the risks and keep the enterprise safe.
    When enabling Traffic Replication, Prisma Access creates dedicated cloud storage buckets in each Prisma Access Compute Location where this feature is enabled and continuously saves pcap files containing a replica of the traffic that’s traversing Prisma Access.
    To be notified when a new pcap file is uploaded to the storage bucket, you can subscribe to Pub/Sub notifications. Using Pub/Sub notifications for new pcap files eliminates the need to develop tools that notify you when there is a new folder or new files added to the buckets.
    You need to provide a Google Cloud Service Account that will be used to share read-only rights to these storage buckets, enabling secure access to the pcap files. Additional encryption of the pcap files at rest is applied, involving a public key that is shared via a certificate in Prisma Access. Only you would have the private key to decrypt and recover the original pcap files.
    Prerequisites for Traffic Replication
    Before you start configuring traffic replication, be aware of the following prerequisites.
    • Make sure that you have created a service account in Google Cloud Platform (GCP).
    • Make sure that you have created a public key that is shared via a certificate in the ObjectsCertificate ManagementCertificatesCustom CertificatesGenerate page to use for SSL decryption.
    • The recommended architecture requires that the compute or service reading the pcap files from each storage bucket be present in the same GCP region from which the bucket is reading. While reading pcap files from a storage bucket from a different GCP region or even outside of the GCP cloud might work, these are not supported deployment models.
    Traffic Replication Guidelines
    Follow these guidelines for traffic replication:
    • TLS Support—TLS 1.2 and 1.3 are supported for Mobile Users and Remote Network deployments. TLS 1.3 is not supported for Mobile Users—Explicit Proxy deployments.
    • IPSec Tunnel Algorithms—All IPSec tunnel algorithms that are supported for Mobile Users and Remote Network deployments are also supported with Traffic Replication.
    Learn how to set up traffic replication:

    Traffic Replication in Prisma Access (Strata Cloud Manager)

    Learn how to replicate Prisma Access traffic in Prisma Access (Managed by Strata Cloud Manager).
    To configure traffic replication in and access the packet capture (pcap) files, complete the following steps.
    1. Onboard and configure Mobile Users—GlobalProtect and/or onboard and configure Mobile Users—Explicit Proxy for the locations where you want to enable traffic replication and Commit and Push your changes.
      You must have the Mobile Users—GlobalProtect and/or Mobile Users—Explicit Proxy locations enabled before enabling traffic replication for those locations.
    2. (Optional) Apply SSL decryption on the packet captures.
      1. Go to Prisma Access (Managed by Strata Cloud Manager) and select Prisma Access SetupPrisma AccessTraffic Replication and click the gear to edit the Settings.
      2. Enable Packet captures after applying SSL decryption rules to apply your already-configured SSL decryption policies on the pcap files.
        Only traffic that matches with the inline SSL decryption policy will be decrypted.
        If you select this option, the pcap files will use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption will be performed on the pcap files, regardless of the decryption rules you have configured.
    3. For Traffic Replication encryption certificate, select any certificate you have added in the ObjectsCertificate ManagementCertificatesCustom CertificatesGenerate page or Import the certificate to use for SSL decryption.
      The certificate consists of a public and private key. Upload the public key in Prisma Access; you keep the private key and use it for decryption when you download the zipped pcap files from the storage bucket. In this way, you guarantee that only your organization can access the storage bucket where the pcap files are stored.
    4. Configure the GCP service account you created in Step 1.
      Traffic replication is supported only for GCP accounts. This service account is used to share read-only access to the storage buckets where the pcap files are stored in the locations where you have enabled traffic replication. You can create these service accounts in your GCP account using normal GCP service account creation procedures. It's your responsibility to control what users have access to these service accounts. Any users who have both access to the pcap files and access to the private key would have access to the pcap files.
      1. In the Access Management area, Add Account details to share read-only access to the storage buckets where the pcap files are stored.
      2. Enter the following parameters:
        • Give the account a unique Account Name.
        • Specify GCP as the Type for the account.
        • Specify the Account information from the GCP service account you created.
        • Enter a Member/User name for the GCP service account.
    5. (Optional) If you want to add Pub/Sub notifications that notify you when a new folder or new files are added to a bucket, set up Pub/Sub notifications in your Google Cloud Service Account.
      Prisma Access creates a single Pub/Sub channel per tenant for all locations in that tenant.
      Pub/Sub notifications are supported starting with Prisma Access 5.2. If you have an existing account and want to add Pub/Sub notifications, upgrade to Prisma Access 5.2, then choose one of the following options to add Pub/Sub notifications:
      • Modify the existing Google Cloud Service Account you have already configured in Prisma Access.
      • Add a new account for the existing service account and specify that account in your Prisma Access configuration.
        If you add a new account, you need to disable traffic replication on the existing account and enable traffic replication on the new account.
      • Disable and enable traffic replication on the existing location.
      Prisma Access sends Pub/Sub messages with the heading panw-traffic-replication-file- notifications-<tenantid>, where <tenantid> is the ID of the tenant that’s sending the notifications. The messages are in this format:
      Message {
  data: b''
  ordering_key: ''
  attributes: {
    "bucketId": "xxxx-xx-xxx-xxxxxxxxx-us-west1",
    "eventTime": "2024-04-24T23:12:59.xxxxxxx",
    "eventType": "OBJECT_FINALIZE",
    "notificationConfig": "projects/_/buckets/xxxx-xx-xxx-xxxxxxxxx-us-west1/notificationConfigs/1",
    "objectGeneration": "xxxxxxxxxxxxxxxx",
    "objectId": "instance-group-xxxxxxx/12345678_190000_xxxxx.zip",
    "payloadFormat": "NONE"
  }
}
      Where:
      • objectGeneration is the generation number of the changed object.
      • objectID is the name of the changed object.
    6. Configure traffic replication for one or more Mobile User locations.
      1. In the Traffic Replication area, select the locations where you want to enable traffic replication, then select Mobile Users.
        You select the Compute Location that is associated with Prisma Access Locations. Traffic replication is enabled for all Mobile Users clients connected to the selected locations.
    7. Save the configuration.
    8. Commit and push your changes.
      1. Select ConfigurationNGFW and Prisma AccessPush Config.
      2. Select Mobile Users Container in the Push Scope, then Push Config and Push your changes.
      3. Review the push targets and Push.
    9. Check the status of traffic replication by going to Prisma Access SetupPrisma AccessTraffic Replication.
    10. Download the pcap files.
      Use the Cloud Storage Links to access the pcap files in your GCP storage buckets.
      • These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
      • You can download pcap data for up to 72 hours. After 72 hours, the files are permanently deleted.
      • Files are encrypted using your public key.
      • Maximum file size is 200 MB or 5 minutes of packet capture, whichever is smaller.
      1. List the files in your service by entering enter gsutil ls gs://<storage_bucket_link>/, where <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
      2. Download the files from your service account by entering the enter gsutil cp gs://<storage_bucket_link>/<file_name> <destination folder>, where:
        • <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
        • <file_name> is the name of the pcap file.
        • <destination folder> is the folder where you want the pcap file to be downloaded.
      3. Unzip the downloaded files.
      4. Decrypt the downloaded files.

    Traffic Replication in Prisma Access (Panorama)

    Learn how to replicate Prisma Access traffic and capture PCAP files for forensics and analysis.
    To configure traffic replication and access the PCAP files, complete the following steps.
    1. Onboard and configure Mobile Users—GlobalProtect (if configuring traffic replication for mobile users), Remote Networks (if configuring traffic replication for remote networks), or both (if you are configuring traffic replication for both mobile users and remote networks).
    2. (Optional) Apply SSL decryption on the packet captures.
      1. Go to PanoramaCloud ServicesConfigurationTraffic Replication and click the gear to edit the Settings.
      2. Select Allow packet captures after applying decryption rules to apply your already-configured SSL decryption policies on the PCAP files.
        If you select this option, the PCAP files will use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption will be performed on the PCAP files, regardless of the decryption rules you have configured.
    3. Select the Traffic Replication Encryption Certificate (public key) you created in an earlier step in the Mobile_User_Template (for mobile user deployments) or Remote_Network_Template (for remote network deployments) to use for SSL decryption.
      This step is required. You can select any certificate you have added in the DeviceCertificate ManagementCertificatesDevice Certificates area in the Mobile_User_Template or Remote_Network_Template. If you enable traffic replication for both mobile users and remote networks, put the certificate in both the Mobile_User_Template and Remote_Network_Template..
      The certificate consists of a public and private key. Upload the public key in Prisma Access; you keep the private key and use it for decryption when you download the zipped PCAP files from the storage bucket. In this way, you guarantee that only your organization can access the storage bucket where the PCAP files are stored.
    4. Configure traffic replication for one or more Mobile Users—GlobalProtect locations, remote network locations, or both by selecting the location in the Configuration area and selecting the locations where you want to enable traffic replication, then selecting MU-GP, RN, or both.
      Select the Compute Location that is associated with Prisma Access Locations. Traffic replication is enabled for all Mobile Users—GlobalProtect clients, remote network users, or both, that are connected to the selected locations.
    5. Add an account that lets you access traffic replication packet capture (PCAP) data.
      This service account is used to share read-only access to the storage buckets where the PCAP files are stored in the locations where you have enabled traffic replication. You create these service accounts in your GCP account using normal GCP service account creation procedures. It is your responsibility to control what users have access to these service accounts. Any users who have both access to the PCAP files and access to the private key would have access to the PCAP files.
      1. In the Traffic Replication Access area, Add an account.
      2. Enter the following parameters:
        • Give the account a unique Account Name.
        • Specify Gcp as the Type for the account.
          Traffic replication is supported only for GCP accounts.
        • Specify the Account information from the GCP service account you created.
        • Enter a Member/User name for the GCP service account.
    6. (Optional) If you want to add Pub/Sub notifications that notify you when a new folder or new files are added to a bucket, set up Pub/Sub notifications in your Google Cloud Service Account.
      Prisma Access creates a single Pub/Sub channel per tenant for all locations in that tenant.
      Pub/Sub notifications are supported starting with Prisma Access 5.2. If you have an existing account and want to add Pub/Sub notifications, upgrade to Prisma Access 5.2, then choose one of the following options to add Pub/Sub notifications:
      • Modify the existing Google Cloud Service Account you have already configured in Prisma Access.
      • Add a new account for the existing service account and specify that account in your Prisma Access configuration.
        If you add a new account, you need to disable traffic replication on the existing account and enable traffic replication on the new account.
      • Disable and enable traffic replication on the existing location.
      Prisma Access sends Pub/Sub messages with the heading panw-traffic-replication-file- notifications-<tenantid>, where <tenantid> is the ID of the tenant that’s sending the notifications. The messages are in this format:
      Message {
  data: b''
  ordering_key: ''
  attributes: {
    "bucketId": "xxxx-xx-xxx-xxxxxxxxx-us-west1",
    "eventTime": "2024-04-24T23:12:59.xxxxxxx",
    "eventType": "OBJECT_FINALIZE",
    "notificationConfig": "projects/_/buckets/xxxx-xx-xxx-xxxxxxxxx-us-west1/notificationConfigs/1",
    "objectGeneration": "xxxxxxxxxxxxxxxx",
    "objectId": "instance-group-xxxxxxx/12345678_190000_xxxxx.zip",
    "payloadFormat": "NONE"
  }
}
      Where:
      • objectGeneration is the generation number of the changed object.
      • objectID is the name of the changed object.
    7. Commit and push your changes, making sure that Mobile Users (for a mobile user deployment), Remote Networks (for a remote networks deployment), or both are selected in the Push Scope.
      1. Click CommitCommit and Push.
      2. Edit Selections and, in the Prisma Access tab, make sure that Mobile Users and Remote Networks are selected in the Push Scope, then click OK.
        The Push Scope might not be automatically selected.
      3. Click Commit and Push.
    8. Check the status of traffic replication by going to PanoramaCloud ServicesStatusTraffic Replication.
      The Storage Links is the name of the GCP storage bucket where you can access the PCAP files, The Cloud Provider Location is the location where the GCP instance is onboarded.
    9. Download the PCAP files using the private key that only you possess.
      Use the Storage Links to access the PCAP files in your GCP storage buckets.
      • These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
      • You can download PCAP data for up to 72 hours. After 72 hours, the files are permanently deleted.
      • Files are encrypted using your public key.
      • Maximum file size is 200 MB or 5 minutes of packet capture, whichever is smaller.
      1. List the files in your service by entering enter gsutil ls gs://<storage_bucket_link>/, where <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
      2. Download the files from your service account by entering the enter gsutil cp gs://<storage_bucket_link>/<file_name> <destination folder>, where:
        • <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
        • <file_name> is the name of the PCAP file.
        • <destination folder> is the folder where you want the PCAP file to be downloaded.
      3. Unzip the downloaded files.
      4. Decrypt the downloaded files using the private key that only you possess.

    © 2026 Palo Alto Networks, Inc. All rights reserved.