Traffic Replication in Prisma Access (Panorama)
Learn how to replicate Prisma Access traffic and capture PCAP files for forensics and analysis. To configure traffic replication and access the PCAP files, complete the following steps.
- Onboard and configure Mobile Users—GlobalProtect (if configuring traffic replication for mobile users), Remote Networks (if configuring traffic replication for remote networks), or both (if you are configuring traffic replication for both mobile users and remote networks).
- (Optional) Apply SSL decryption on the packet captures.
- Go to Panorama > Cloud Services > Configuration > Traffic Replication and click the gear to edit the Settings.
- Select Allow packet captures after applying decryption rules to apply your already-configured SSL decryption policies on the PCAP files. If you select this option, the PCAP files will use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption will be performed on the PCAP files, regardless of the decryption rules you have configured.
- Select the Traffic Replication Encryption Certificate (public key) you created in an earlier step in the Mobile_User_Template (for mobile user deployments) or Remote_Network_Template (for remote network deployments) to use for SSL decryption. This step is required. You can select any certificate you have added in the Device > Certificate Management > Certificates > Device Certificates area in the Mobile_User_Template or Remote_Network_Template. If you enable traffic replication for both mobile users and remote networks, put the certificate in both the Mobile_User_Template and Remote_Network_Template. The certificate consists of a public and private key. Upload the public key in Prisma Access; you keep the private key and use it for decryption when you download the zipped PCAP files from the storage bucket. In this way, you guarantee that only your organization can access the storage bucket where the PCAP files are stored.
- Configure traffic replication for one or more Mobile Users—GlobalProtect locations, remote network locations, or both by selecting the location in the Configuration area and selecting the locations where you want to enable traffic replication, then selecting MU-GP, RN, or both. Select the Compute Location that is associated with Prisma Access Locations. Traffic replication is enabled for all Mobile Users—GlobalProtect clients, remote network users, or both, that are connected to the selected locations.
- Add an account that lets you access traffic replication packet capture (PCAP) data. This service account is used to share read-only access to the storage buckets where the PCAP files are stored in the locations where you have enabled traffic replication. You create these service accounts in your GCP account using normal GCP service account creation procedures. It is your responsibility to control what users have access to these service accounts. Any users who have both access to the PCAP files and access to the private key would have access to the PCAP files.
- In the Traffic Replication Access area, Add an account.
- Enter the following parameters:
- Give the account a unique Account Name.
- Specify Gcp as the Type for the account. Traffic replication is supported only for GCP accounts.
- Specify the Account information from the GCP service account you created.
- Enter a Member/Username for the GCP service account.
- Commit and push your changes, making sure that Mobile Users (for a mobile user deployment), Remote Networks (for a remote networks deployment), or both are selected in the Push Scope.
- Click Commit > Commit and Push.
- Edit Selections and, in the Prisma Access tab, make sure that Mobile Users and Remote Networks are selected in the Push Scope, then click OK. The Push Scope might not be automatically selected.
- Click Commit and Push.
- Check the status of traffic replication by going to Panorama > Cloud Services > Status > Traffic Replication. The Storage Links is the name of the GCP storage bucket where you can access the PCAP files. The Cloud Provider Location is the location where the GCP instance is onboarded.
- Download the PCAP files using the private key that only you possess. Use the Storage Links to access the PCAP files in your GCP storage buckets.
- These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
- You can download PCAP data for up to 72 hours. After 72 hours, the files are permanently deleted.
- Files are encrypted using your public key.
- Maximum file size is 200 MB or 5 minutes of packet capture, whichever is smaller.
- List the files in your service by entering gsutil ls gs://<storage_bucket_link>/, where <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
- Download the files from your service account by entering gsutil cp gs://<storage_bucket_link>/<file_name> <destination folder>, where:
- <storage_bucket_link> is the storage link in your GCP service account where the files are stored.
- <file_name> is the name of the PCAP file.
- <destination folder> is the folder where you want the PCAP file to be downloaded.
- Unzip the downloaded files.
- Decrypt the downloaded files using the private key that only you possess.
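
The list and download steps above, as an added shell example that is not part of the Palo Alto Networks documentation: it shows which archives are closest to the 72-hour deletion, copies the bucket contents, and keeps an append-only SHA-256 manifest so downloaded evidence can be verified later. The function names and the MANIFEST.sha256 file are assumptions of this example; it requires gsutil, GNU date, awk and sha256sum.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Bucket and folder names are placeholders.

# Read `gsutil ls -l` output on stdin and print the gs:// URL of every object
# created at or before the ISO 8601 UTC cutoff in $1. Timestamps in this form
# sort lexicographically, so a string comparison is sufficient.
# Assumes object names contain no spaces.
expiring_objects() {
  awk -v cutoff="$1" \
    '$1 ~ /^[0-9]+$/ && $3 ~ /^gs:\/\// && ($2 "") <= (cutoff "") { print $3 }'
}

# ISO 8601 UTC timestamp for "now minus $1 hours" (GNU date syntax).
cutoff_iso() {
  date -u -d "-$1 hours" +%Y-%m-%dT%H:%M:%SZ
}

# Record a SHA-256 for each file in folder $1 that is not yet in the manifest.
# Existing entries are never rewritten, so `sha256sum -c MANIFEST.sha256`
# later detects any change to an archive after it was first downloaded.
write_manifest() {
  (
    cd "$1" || exit 1
    touch MANIFEST.sha256
    for f in *; do
      [ -f "$f" ] || continue
      [ "$f" = MANIFEST.sha256 ] && continue
      # sha256sum lines are "<64 hex>  <name>": the name starts at column 67
      awk -v n="$f" 'substr($0, 67) == n { hit = 1 } END { exit !hit }' \
        MANIFEST.sha256 || sha256sum "$f" >> MANIFEST.sha256
    done
  )
}

# Copy every archive not already present locally (-n = no-clobber), then hash.
# usage: pull_pcaps <storage_bucket_link> <destination folder>
pull_pcaps() {
  mkdir -p "$2" && gsutil -m cp -n "gs://$1/*" "$2/" && write_manifest "$2"
}

# Archives older than 48 hours (less than 24 hours left before deletion):
#   gsutil ls -l gs://<storage_bucket_link>/ | expiring_objects "$(cutoff_iso 48)"
```

Run pull_pcaps on a schedule shorter than the 72-hour retention, and keep a copy of MANIFEST.sha256 on a separate system from the archives.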