Prisma Access
Traffic Replication in Prisma Access
Learn how to replicate Prisma Access traffic and capture PCAP files for forensics and analysis in Prisma Access.
On-premises network recorders have been a powerful tool for organizations to perform forensic and breach analysis. It is common in on-premises topologies to implement a parallel infrastructure of tap ports, SPAN ports, or packet brokers that delivers a copy of the traffic for such out-of-band analysis. However, with the accelerated adoption of hybrid work and cloud, organizations are migrating to SASE architectures to address the challenges that come with them. Moving to SASE cloud security solutions created blind spots for these forensic analysis tools, because a copy of the traffic from a remote user to a SaaS application is no longer available.
Prisma Access Traffic Replication brings back full visibility for forensic and post-mortem analysis in SASE architectures by making available a copy of the traffic that is traversing Prisma Access. Some common use cases where Traffic Replication is instrumental are:
- Forensic and threat hunting analysis, where packet captures provide irrefutable evidence of the attack and the approach used
- Meeting specific regulatory compliance requirements where packet captures need to be stored for a certain amount of time
- Continuing to use any preferred third-party tools that your organization has invested in
- Packet-level network and application performance debugging
Traffic Replication provides access to PCAPs of users' real-world traffic, enabling you to detect and remediate threats that span multiple sessions, or to identify and respond to anomalous behaviors, to reduce risk and keep the enterprise safe.
When you enable Traffic Replication, Prisma Access creates dedicated cloud storage buckets in each Prisma Access Compute Location where this feature is enabled and continuously saves packet capture (PCAP) files containing a replica of the traffic that is traversing Prisma Access. You need to provide a Google Cloud Service Account that will be used to share read-only rights to these storage buckets, enabling secure access to the PCAP files. Additional encryption of the PCAP files at rest is applied using a public key that you share with Prisma Access via a certificate. Only you hold the private key needed to decrypt and recover the original PCAP files.
Prerequisites for Traffic Replication
Before you start configuring traffic replication, be aware of the following prerequisites.
- Make sure that you have created a service account in Google Cloud Platform (GCP).
- Make sure that you have created a public key that is shared via a certificate, generated on the Objects > Certificate Management > Certificates > Custom Certificates > Generate page, to use for SSL decryption.
- The recommended architecture requires that the compute or service reading the PCAP files from each storage bucket be present in the same GCP region as the bucket it reads from. While reading PCAP files from a storage bucket in a different GCP region, or even from outside the GCP cloud, might work, these are not supported deployment models.
Learn how to set up traffic replication:
Cloud Management
Learn how to replicate Prisma Access traffic in Prisma Access (Managed by Strata Cloud Manager). To configure traffic replication and access the PCAP files, complete the following steps.
- Onboard and configure Mobile Users—GlobalProtect for the locations where you want to enable Traffic Replication and Commit and Push your changes. You must have the Mobile Users—GlobalProtect locations enabled before enabling traffic replication for those locations.
- (Optional) Apply SSL decryption on the packet captures.
  - Go to Prisma Access (Managed by Strata Cloud Manager), select Prisma Access Setup > Prisma Access > Traffic Replication, and click the gear to edit the Settings.
  - Enable Packet captures after applying SSL decryption rules to apply your already-configured SSL decryption policies to the PCAP files. Only traffic that matches the inline SSL decryption policy will be decrypted. If you select this option, the PCAP files will use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption will be performed on the PCAP files, regardless of the decryption rules you have configured.
- For Traffic Replication encryption certificate, select any certificate you have added on the Objects > Certificate Management > Certificates > Custom Certificates page, or Generate or Import the certificate to use for SSL decryption. The certificate consists of a public and private key. Upload the public key in Prisma Access; you keep the private key and use it for decryption when you download the zipped PCAP files from the storage bucket. In this way, you guarantee that only your organization can access the storage bucket where the PCAP files are stored.
- Configure the GCP service account you created in Step 1. Traffic replication is supported only for GCP accounts. This service account is used to share read-only access to the storage buckets where the PCAP files are stored in the locations where you have enabled traffic replication. You create these service accounts in your GCP account using normal GCP service account creation procedures. It is your responsibility to control which users have access to these service accounts. Any user who has both access to the PCAP files and access to the private key can decrypt and read the PCAP files.
  - In the Access Management area, Add Account details to share read-only access to the storage buckets where the PCAP files are stored.
  - Enter the following parameters:
    - Give the account a unique Account Name.
    - Specify GCP as the Type for the account.
    - Specify the Account information from the GCP service account you created.
    - Enter a Member/Username for the GCP service account.
- Configure traffic replication for one or more Mobile User locations.
  - In the Traffic Replication area, select the locations where you want to enable traffic replication, then select Mobile Users. You select the Compute Location that is associated with Prisma Access Locations. Traffic replication is enabled for all Mobile Users clients connected to the selected locations.
  - Save the configuration.
- Commit and push your changes.
  - Select Manage > Operation > Push Config.
  - Select Mobile Users Container in the Push Scope, then Push Config and Push your changes.
  - Review the push targets and Push.
- Check the status of traffic replication by going to Prisma Access Setup > Prisma Access > Traffic Replication.
- Download the PCAP files. Use the Cloud Storage Links to access the PCAP files in your GCP storage buckets.
  - These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
  - You can download PCAP data for up to 72 hours. After 72 hours, the files are permanently deleted.
  - Files are encrypted using your public key.
  - Maximum file size is 200 MB or 5 minutes of packet capture, whichever is smaller.
  - List the files in your service by entering `gsutil ls gs://<storage_bucket_link>/`, where <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
  - Download the files from your service account by entering `gsutil cp gs://<storage_bucket_link>/<file_name> <destination folder>`, where:
    - <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
    - <file_name> is the name of the PCAP file.
    - <destination folder> is the folder where you want the PCAP file to be downloaded.
  - Unzip the downloaded files.
  - Decrypt the downloaded files.
Panorama
Learn how to replicate Prisma Access traffic and capture PCAP files for forensics and analysis. To configure traffic replication and access the PCAP files, complete the following steps.
- Onboard and configure Mobile Users—GlobalProtect (if configuring traffic replication for mobile users), Remote Networks (if configuring traffic replication for remote networks), or both (if you are configuring traffic replication for both mobile users and remote networks).
- (Optional) Apply SSL decryption on the packet captures.
  - Go to Panorama > Cloud Services > Configuration > Traffic Replication and click the gear to edit the Settings.
  - Select Allow packet captures after applying decryption rules to apply your already-configured SSL decryption policies to the PCAP files. If you select this option, the PCAP files will use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption will be performed on the PCAP files, regardless of the decryption rules you have configured.
- Select the Traffic Replication Encryption Certificate (public key) you created in an earlier step in the Mobile_User_Template (for mobile user deployments) or Remote_Network_Template (for remote network deployments) to use for SSL decryption. This step is required. You can select any certificate you have added in the Device > Certificate Management > Certificates > Device Certificates area in the Mobile_User_Template or Remote_Network_Template. If you enable traffic replication for both mobile users and remote networks, put the certificate in both the Mobile_User_Template and Remote_Network_Template. The certificate consists of a public and private key. Upload the public key in Prisma Access; you keep the private key and use it for decryption when you download the zipped PCAP files from the storage bucket. In this way, you guarantee that only your organization can access the storage bucket where the PCAP files are stored.
- Configure traffic replication for one or more Mobile Users—GlobalProtect locations, remote network locations, or both: in the Configuration area, select the locations where you want to enable traffic replication, then select MU-GP, RN, or both. Select the Compute Location that is associated with Prisma Access Locations. Traffic replication is enabled for all Mobile Users—GlobalProtect clients, remote network users, or both, that are connected to the selected locations.
- Add an account that lets you access traffic replication packet capture (PCAP) data. This service account is used to share read-only access to the storage buckets where the PCAP files are stored in the locations where you have enabled traffic replication. You create these service accounts in your GCP account using normal GCP service account creation procedures. It is your responsibility to control which users have access to these service accounts. Any user who has both access to the PCAP files and access to the private key can decrypt and read the PCAP files.
  - In the Traffic Replication Access area, Add an account.
  - Enter the following parameters:
    - Give the account a unique Account Name.
    - Specify Gcp as the Type for the account. Traffic replication is supported only for GCP accounts.
    - Specify the Account information from the GCP service account you created.
    - Enter a Member/Username for the GCP service account.
- Commit and push your changes, making sure that Mobile Users (for a mobile user deployment), Remote Networks (for a remote networks deployment), or both are selected in the Push Scope.
  - Click Commit > Commit and Push.
  - Edit Selections and, in the Prisma Access tab, make sure that Mobile Users and Remote Networks are selected in the Push Scope, then click OK. The Push Scope might not be automatically selected.
  - Click Commit and Push.
- Check the status of traffic replication by going to Panorama > Cloud Services > Status > Traffic Replication. The Storage Links value is the name of the GCP storage bucket where you can access the PCAP files; the Cloud Provider Location is the location where the GCP instance is onboarded.
- Download the PCAP files using the private key that only you possess. Use the Storage Links to access the PCAP files in your GCP storage buckets.
  - These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
  - You can download PCAP data for up to 72 hours. After 72 hours, the files are permanently deleted.
  - Files are encrypted using your public key.
  - Maximum file size is 200 MB or 5 minutes of packet capture, whichever is smaller.
  - List the files in your service by entering `gsutil ls gs://<storage_bucket_link>/`, where <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
  - Download the files from your service account by entering `gsutil cp gs://<storage_bucket_link>/<file_name> <destination folder>`, where:
    - <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
    - <file_name> is the name of the PCAP file.
    - <destination folder> is the folder where you want the PCAP file to be downloaded.
  - Unzip the downloaded files.
  - Decrypt the downloaded files using the private key that only you possess.
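Both download procedures above (Cloud Management and Panorama) leave the pull schedule to you, while the bucket deletes files after 72 hours. The following Python example, added here and not part of the Prisma Access documentation, parses the output of `gsutil ls -l` on the bucket and flags files that must be fetched before they expire, as well as files larger than the documented 200 MB cap; the bucket and object names in the sample listing are constructed, and the 6-hour safety margin is an assumed operational choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(hours=72)      # page: PCAP files are deleted after 72 hours
MAX_FILE_BYTES = 200 * 1024 * 1024   # page: at most 200 MB (or 5 minutes) per file
# Constructed sample of `gsutil ls -l gs://<storage_bucket_link>/` output; the
# bucket and object names are made up, not real Prisma Access values.
SAMPLE_LISTING = """\
 104857600  2024-05-01T08:00:00Z  gs://example-bucket/2024-05-01T08-00-00.zip
  52428800  2024-05-03T20:30:00Z  gs://example-bucket/2024-05-03T20-30-00.zip
  10485760  2024-05-04T01:00:00Z  gs://example-bucket/2024-05-04T01-00-00.zip
  20971520  2024-04-30T12:00:00Z  gs://example-bucket/2024-04-30T12-00-00.zip
TOTAL: 4 objects, 188743680 bytes (180 MiB)
"""

def utc(stamp: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps gsutil prints into aware UTC datetimes."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

@dataclass
class PcapObject:
    size: int
    created: datetime
    url: str

def parse_gsutil_ls_l(text: str) -> list[PcapObject]:
    """Parse '<size> <time> <gs:// url>' lines; the trailing TOTAL line is skipped."""
    objs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("gs://"):
            continue
        objs.append(PcapObject(int(parts[0]), utc(parts[1]), parts[2]))
    return objs

def plan_fetch(objs, already_have, now, safety=timedelta(hours=6)):
    """Split not-yet-downloaded objects into 'urgent' (under `safety` left before the
    72-hour deletion) and 'pending'; expired ones are dropped, oversized ones reported."""
    urgent, pending, oversized = [], [], []
    for o in objs:
        if o.url in already_have:
            continue
        if o.size > MAX_FILE_BYTES:
            oversized.append(o.url)
            continue
        remaining = o.created + RETENTION - now
        if remaining <= timedelta(0):
            continue
        (urgent if remaining < safety else pending).append(o.url)
    return urgent, pending, oversized
```

Feed the urgent list to the `gsutil cp` step first, then the pending list, and keep the set of already-downloaded URLs between runs so each file is pulled once.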