Traffic Replication in Prisma Access
Learn how to replicate Prisma Access traffic and capture PCAP files for forensics and analysis in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Traffic Replication requires a minimum Prisma Access 4.1 release for Mobile Users traffic.
  • Traffic Replication requires a minimum Prisma Access 5.0 release for both Mobile Users and Remote Network traffic.
  • Traffic Replication Add-On License
On-premises network recorders have been a powerful tool for organizations to perform forensic and breach analysis. It is common in on-premises topologies to implement a parallel infrastructure of tap ports, span ports, or packet brokers that would deliver a copy of the traffic to be used for such out-of-band analysis.
With the accelerated adoption of hybrid work and cloud, organizations are migrating to SASE architectures. Moving to a SASE cloud security solution created blind spots for these forensic analysis tools: a copy of the traffic from a remote user to a SaaS application is no longer available on premises.
Prisma Access Traffic Replication brings back full visibility for forensic and post-mortem analysis in SASE architectures by making available a copy of the traffic that traverses Prisma Access. Some common use cases where Traffic Replication is instrumental are:
  • Forensic and Threat Hunting analysis where packet captures provide irrefutable evidence of the attack and the used approach
  • Meeting specific regulatory compliance where packet captures need to be stored for a certain amount of time
  • Continuing to use any preferred third-party tools that your organization has invested in
  • Packet-level network and application performance debugging
Traffic Replication provides PCAPs of users' real-world traffic, making it possible to detect and remediate threats that span multiple sessions, and to identify and respond to anomalous behavior, reducing risk to the enterprise.
When you enable Traffic Replication, Prisma Access creates dedicated cloud storage buckets in each Prisma Access Compute Location where the feature is enabled and continuously saves packet capture (PCAP) files containing a replica of the traffic that traverses Prisma Access.
You provide a Google Cloud Service Account that is granted read-only rights to these storage buckets, enabling secure access to the PCAP files. The PCAP files are additionally encrypted at rest using a public key that you share with Prisma Access in a certificate. Only you hold the private key that can decrypt and recover the original PCAP files.
Prerequisites for Traffic Replication
Before you start configuring traffic replication, be aware of the following prerequisites.
  • Make sure that you have created a service account in Google Cloud Platform (GCP).
  • Make sure that you have a certificate carrying the public key that will be used to encrypt the PCAP files, either generated on the Objects > Certificate Management > Certificates > Custom Certificates > Generate page or imported there. Only the public key is shared with Prisma Access; you keep the private key.
  • The recommended architecture requires that the compute or service reading the PCAP files from each storage bucket be present in the same GCP region as that bucket. Reading PCAP files from a storage bucket in a different GCP region, or from outside GCP, might work, but these are not supported deployment models.
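The page leaves the creation of the encryption key pair to the Generate or Import page. The following added shell script, which is not Palo Alto Networks code, generates the pair on a host you control so that the private key never exists inside Prisma Access, and checks that the file you are about to import carries only the public key. The file names, the certificate subject, the 365-day validity and the passphrase handling are this example's assumptions, not requirements stated on the page.

```shell
#!/usr/bin/env bash
# Added example, not Palo Alto Networks code: create the key pair behind the
# Traffic Replication encryption certificate outside Prisma Access, so the
# private key is generated and kept on a host you control and only the
# certificate (public key) is ever uploaded. File names, subject name and
# passphrase handling are this example's choices, not requirements from the page.
set -eu

# Generate a passphrase-protected RSA private key and a self-signed certificate
# carrying its public key. $1 is the output directory, $2 the key passphrase,
# $3 the key size in bits (default 4096).
gen_tr_cert() {
  local dir="$1" pass="$2" bits="${3:-4096}"
  mkdir -p "$dir"
  umask 077   # the private key file must not be readable by other users
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
    -aes-256-cbc -pass "pass:$pass" -out "$dir/traffic-replication.key"
  openssl req -new -x509 -key "$dir/traffic-replication.key" -passin "pass:$pass" \
    -subj "/CN=prisma-access-traffic-replication" -days 365 \
    -out "$dir/traffic-replication.crt"
}

# Confirm the file you are about to import contains only public material:
# it must carry no PRIVATE KEY block, and its public key must match the one
# derived from the private key you keep. Returns non-zero on any mismatch.
cert_matches_key() {
  local crt="$1" key="$2" pass="$3"
  if grep -q 'PRIVATE KEY' "$crt"; then
    echo "refusing: $crt contains a private key, do not upload it" >&2
    return 1
  fi
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -passin "pass:$pass" -pubout)" ]
}

# Usage: ./tr-cert.sh --run ./tr-keys
if [ "${1:-}" = "--run" ]; then
  printf 'Passphrase for the new private key: '
  stty -echo; read -r pass; stty echo; echo
  gen_tr_cert "$2" "$pass"
  cert_matches_key "$2/traffic-replication.crt" "$2/traffic-replication.key" "$pass"
  echo "Import $2/traffic-replication.crt into Prisma Access; keep $2/traffic-replication.key offline."
fi
```

Import only the .crt file on the Custom Certificates page (Cloud Management) or under Device Certificates in the Mobile_User_Template and Remote_Network_Template (Panorama); the .key file stays with whoever is responsible for decrypting captures.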
Learn how to set up traffic replication:

Cloud Management

Learn how to replicate Prisma Access traffic in Prisma Access (Managed by Strata Cloud Manager).
To configure traffic replication and access the PCAP files, complete the following steps.
  1. Onboard and configure Mobile Users—GlobalProtect for the locations where you want to enable Traffic Replication, then Commit and Push your changes.
    You must have the Mobile Users—GlobalProtect locations enabled before enabling traffic replication for those locations.
  2. (Optional) Apply SSL decryption on the packet captures.
    1. Go to Prisma Access (Managed by Strata Cloud Manager) and select Prisma Access Setup > Prisma Access > Traffic Replication, then click the gear to edit the Settings.
    2. Enable Packet captures after applying SSL decryption rules to apply your already-configured SSL decryption policies to the PCAP files.
      Only traffic that matches an inline SSL decryption policy is decrypted.
      If you select this option, the PCAP files use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption is performed on the PCAP files, regardless of the decryption rules you have configured.
  3. For Traffic Replication encryption certificate, select any certificate you have added on the Objects > Certificate Management > Certificates > Custom Certificates > Generate page, or Import the certificate to use for encrypting the PCAP files.
    The certificate consists of a public and private key. Upload the public key to Prisma Access; you keep the private key and use it for decryption after you download the zipped PCAP files from the storage bucket. In this way, you guarantee that only your organization can read the PCAP files stored in the bucket.
  4. Configure the GCP service account you created as a prerequisite.
    Traffic replication is supported only for GCP accounts. This service account is used to share read-only access to the storage buckets where the PCAP files are stored in the locations where you have enabled traffic replication. You create the service account in your GCP project using the normal GCP service account creation procedure. It is your responsibility to control which users have access to this service account: anyone who can both read the storage bucket through it and use the private key can recover the plaintext PCAP files, so treat the service account credentials and the private key as separate secrets.
    1. In the Access Management area, Add Account details to share read-only access to the storage buckets where the PCAP files are stored.
    2. Enter the following parameters:
      • Give the account a unique Account Name.
      • Specify GCP as the Type for the account.
      • Specify the Account information from the GCP service account you created.
      • Enter a Member/User name for the GCP service account.
  5. Configure traffic replication for one or more Mobile Users locations.
    1. In the Traffic Replication area, select the locations where you want to enable traffic replication, then select Mobile Users.
      You select the Compute Location that is associated with Prisma Access Locations. Traffic replication is enabled for all Mobile Users clients connected to the selected locations.
  6. Save the configuration.
  7. Commit and push your changes.
    1. Select Manage > Operation > Push Config.
    2. Select Mobile Users Container in the Push Scope, then Push Config and Push your changes.
    3. Review the push targets and Push.
  8. Check the status of traffic replication by going to Prisma Access Setup > Prisma Access > Traffic Replication.
  9. Download the PCAP files.
    Use the Cloud Storage Links to access the PCAP files in your GCP storage buckets.
    • These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
    • You can download PCAP data for up to 72 hours. After 72 hours, the files are permanently deleted, so collect new files well within that window.
    • Files are encrypted using your public key.
    • Maximum file size is 200 MB or 5 minutes of packet capture, whichever limit is reached first.
    1. List the files in a bucket by entering gsutil ls gs://<storage_bucket_link>/, where <storage_bucket_link> is the storage link of the bucket where the files are stored.
    2. Download a file by entering gsutil cp gs://<storage_bucket_link>/<file_name> <destination_folder>, where:
      • <storage_bucket_link> is the storage link of the bucket where the files are stored.
      • <file_name> is the name of the PCAP file.
      • <destination_folder> is the local folder where you want the PCAP file to be downloaded.
    3. Unzip the downloaded files.
    4. Decrypt the downloaded files using the private key that only you possess.

Panorama

Learn how to replicate Prisma Access traffic and capture PCAP files for forensics and analysis in Prisma Access (Managed by Panorama).
To configure traffic replication and access the PCAP files, complete the following steps.
  1. Onboard and configure Mobile Users—GlobalProtect, Remote Networks, or both, depending on whether you are configuring traffic replication for mobile users, remote networks, or both.
  2. (Optional) Apply SSL decryption on the packet captures.
    1. Go to Panorama > Cloud Services > Configuration > Traffic Replication and click the gear to edit the Settings.
    2. Select Allow packet captures after applying decryption rules to apply your already-configured SSL decryption policies to the PCAP files.
      If you select this option, the PCAP files use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption is performed on the PCAP files, regardless of the decryption rules you have configured.
  3. Select the Traffic Replication Encryption Certificate (public key) you created in an earlier step in the Mobile_User_Template (for mobile user deployments) or Remote_Network_Template (for remote network deployments) to use for encrypting the PCAP files.
    This step is required. You can select any certificate you have added in the Device > Certificate Management > Certificates > Device Certificates area in the Mobile_User_Template or Remote_Network_Template. If you enable traffic replication for both mobile users and remote networks, put the certificate in both the Mobile_User_Template and the Remote_Network_Template.
    The certificate consists of a public and private key. Upload the public key to Prisma Access; you keep the private key and use it for decryption after you download the zipped PCAP files from the storage bucket. In this way, you guarantee that only your organization can read the PCAP files stored in the bucket.
  4. Configure traffic replication for one or more Mobile Users—GlobalProtect locations, remote network locations, or both: in the Configuration area, select the locations where you want to enable traffic replication, then select MU-GP, RN, or both.
    Select the Compute Location that is associated with Prisma Access Locations. Traffic replication is enabled for all Mobile Users—GlobalProtect clients, remote network users, or both, that are connected to the selected locations.
  5. Add an account that lets you access traffic replication packet capture (PCAP) data.
    This service account is used to share read-only access to the storage buckets where the PCAP files are stored in the locations where you have enabled traffic replication. You create the service account in your GCP project using the normal GCP service account creation procedure. It is your responsibility to control which users have access to this service account: anyone who can both read the storage bucket through it and use the private key can recover the plaintext PCAP files, so treat the service account credentials and the private key as separate secrets.
    1. In the Traffic Replication Access area, Add an account.
    2. Enter the following parameters:
      • Give the account a unique Account Name.
      • Specify Gcp as the Type for the account.
        Traffic replication is supported only for GCP accounts.
      • Specify the Account information from the GCP service account you created.
      • Enter a Member/User name for the GCP service account.
  6. Commit and push your changes, making sure that Mobile Users (for a mobile user deployment), Remote Networks (for a remote networks deployment), or both are selected in the Push Scope.
    1. Click Commit > Commit and Push.
    2. Edit Selections and, in the Prisma Access tab, make sure that Mobile Users and Remote Networks are selected in the Push Scope, then click OK.
      The Push Scope might not be automatically selected.
    3. Click Commit and Push.
  7. Check the status of traffic replication by going to Panorama > Cloud Services > Status > Traffic Replication.
    The Storage Links column shows the name of the GCP storage bucket where you can access the PCAP files. The Cloud Provider Location is the GCP location where that bucket is onboarded.
  8. Download the PCAP files using the private key that only you possess.
    Use the Storage Links to access the PCAP files in your GCP storage buckets.
    • These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
    • You can download PCAP data for up to 72 hours. After 72 hours, the files are permanently deleted, so collect new files well within that window.
    • Files are encrypted using your public key.
    • Maximum file size is 200 MB or 5 minutes of packet capture, whichever limit is reached first.
    1. List the files in a bucket by entering gsutil ls gs://<storage_bucket_link>/, where <storage_bucket_link> is the storage link of the bucket where the files are stored.
    2. Download a file by entering gsutil cp gs://<storage_bucket_link>/<file_name> <destination_folder>, where:
      • <storage_bucket_link> is the storage link of the bucket where the files are stored.
      • <file_name> is the name of the PCAP file.
      • <destination_folder> is the local folder where you want the PCAP file to be downloaded.
    3. Unzip the downloaded files.
    4. Decrypt the downloaded files using the private key that only you possess.
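The download steps in both the Cloud Management and the Panorama procedures describe the same manual gsutil workflow, and the 72-hour deletion means a collector has to run on a schedule rather than on demand. The following added shell script, which is not Palo Alto Networks code, automates the workflow for every bucket and keeps a watermark so that each run fetches only objects created since the previous run. It assumes, none of which the page states, that the service account credential is a JSON key file, that the Storage Links are listed one per line in a text file, that GNU date is available for the first-run cutoff, and that the files inside each zip archive are CMS envelopes decryptable with openssl cms; replace the decrypt step with whatever format your deployment actually produces.

```shell
#!/usr/bin/env bash
# Added example, not Palo Alto Networks code: collect Traffic Replication PCAPs
# from every Prisma Access storage bucket before the 72-hour retention window
# expires, keeping a watermark so each scheduled run only fetches new objects.
#
# Assumptions not stated on the page: the GCP service account key is a JSON
# file, the Storage Links are listed one per line in a text file, GNU date is
# present, and the files inside each zip are CMS envelopes for the certificate's
# public key. Replace decrypt_pcap with the format your deployment produces.
set -eu

RETENTION_HOURS=72            # Prisma Access deletes PCAP files after 72 hours
WATERMARK_FILE="${WATERMARK_FILE:-.traffic-replication-last-run}"

# Print the object names from `gsutil ls -l` output whose creation time is at
# or after the cutoff. Listing times and the cutoff share the YYYY-MM-DDTHH:MM:SSZ
# form, so a plain string comparison orders them and no date arithmetic is
# needed. Rows that are not objects (such as the trailing "TOTAL:" line) are dropped.
select_new_objects() {
  awk -v cutoff="$1" 'NF == 3 && $3 ~ /^gs:\/\// && $2 >= cutoff { print $3 }'
}

# Turn a storage link such as gs://bucket-name/path/ into the bucket name,
# which is used as the local directory for that Compute Location's captures.
bucket_name() {
  local rest="${1#gs://}"
  printf '%s\n' "${rest%%/*}"
}

# Cutoff for this run: the previous run's start time, or the start of the
# retention window when there is no watermark yet (first run).
cutoff_for_run() {
  if [ -f "$WATERMARK_FILE" ]; then
    cat "$WATERMARK_FILE"
  else
    date -u -d "$RETENTION_HOURS hours ago" +%Y-%m-%dT%H:%M:%SZ
  fi
}

# Copy new archives from one bucket. `gsutil cp -n` never overwrites a file an
# earlier run already fetched, so rerunning after a failure is safe.
pull_bucket() {
  local link="gs://${1#gs://}" dest="$2" cutoff="$3" dir
  dir="$dest/$(bucket_name "$link")"
  mkdir -p "$dir"
  gsutil ls -l "${link%/}/" | select_new_objects "$cutoff" |
    while read -r obj; do gsutil cp -n "$obj" "$dir/"; done
}

# Unzip one archive and decrypt its contents with the private key that never
# left your side; decrypted captures land in a directory named after the archive.
decrypt_pcap() {
  local archive="$1" key="$2" outdir="${1%.zip}" workdir enc
  workdir="$(mktemp -d)"
  unzip -q "$archive" -d "$workdir"
  mkdir -p "$outdir"
  for enc in "$workdir"/*; do
    # Assumed envelope format (CMS); substitute the format your files use.
    openssl cms -decrypt -in "$enc" -inkey "$key" -out "$outdir/${enc##*/}.pcap"
  done
  rm -rf "$workdir"
}

# Usage: ./collect.sh --run sa-key.json storage-links.txt ./pcaps private.key
if [ "${1:-}" = "--run" ]; then
  key_file="$2" links_file="$3" dest="$4" private_key="$5"
  gcloud auth activate-service-account --key-file="$key_file"
  started="$(date -u +%Y-%m-%dT%H:%M:%SZ)"   # becomes the next run's cutoff
  cutoff="$(cutoff_for_run)"
  while read -r link; do
    if [ -n "$link" ]; then pull_bucket "$link" "$dest" "$cutoff"; fi
  done < "$links_file"
  for archive in "$dest"/*/*.zip; do
    if [ -e "$archive" ]; then decrypt_pcap "$archive" "$private_key"; fi
  done
  printf '%s\n' "$started" > "$WATERMARK_FILE"
fi
```

Recording the run's start time, rather than its end, as the watermark means an object written while the listing was in progress is picked up again on the next run instead of being skipped; the `-n` flag on gsutil cp keeps that overlap from producing duplicate downloads. Run the script from a host in the same GCP region as the buckets, in line with the supported deployment model above.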
