Traffic Replication in

Prisma Access

(

Panorama

)

Onboard and configure Mobile Users—GlobalProtect (if configuring traffic replication for mobile users), Remote Networks (if configuring traffic replication for remote networks), or both (if you are configuring traffic replication for both mobile users and remote networks).
(
Optional
) Apply SSL decryption on the packet captures.
Go to
Panorama
Cloud Services
Configuration
Traffic Replication
and click the gear to edit the
Settings
.
Select
Allow packet captures after applying decryption rules
to apply your already-configured SSL decryption policies on the PCAP files.
If you select this option, the PCAP files will use the same decryption rules that you have specified in your deployment. If you deselect this option, no decryption will be performed on the PCAP files, regardless of the decryption rules you have configured.
Select the
Traffic Replication Encryption Certificate
(public key) you created in an earlier step in the
Mobile_User_Template
(for mobile user deployments) or
Remote_Network_Template
(for remote network deployments)
to use for SSL decryption.
This step is required. You can select any certificate you have added in the
Device
Certificate Management
Certificates
Device Certificates
area in the
Mobile_User_Template
or
Remote_Network_Template
. If you enable traffic replication for both mobile users and remote networks, put the certificate in both the
Mobile_User_Template
and
Remote_Network_Template
.
.
The certificate consists of a public and private key. Upload the public key in
Prisma Access
; you keep the private key and use it for decryption when you download the zipped PCAP files from the storage bucket. In this way, you guarantee that only your organization can access the storage bucket where the PCAP files are stored.
Configure traffic replication for one or more Mobile Users—GlobalProtect locations, remote network locations, or both by selecting the location in the
Configuration
area and selecting the locations where you want to enable traffic replication, then selecting
MU-GP
,
RN
, or both.
Select the
Compute Location
that is associated with
Prisma Access
Locations
. Traffic replication is enabled for all Mobile Users—GlobalProtect clients, remote network users, or both, that are connected to the selected locations.
Add an account that lets you access traffic replication packet capture (PCAP) data.
This service account is used to share read-only access to the storage buckets where the PCAP files are stored in the locations where you have enabled traffic replication. You create these service accounts in your GCP account using normal GCP service account creation procedures. It is your responsibility to control what users have access to these service accounts. Any users who have both access to the PCAP files and access to the private key would have access to the PCAP files.
In the

Traffic Replication Access

area,

Add

an account.

Enter the following parameters:

Give the account a unique
Account Name
.
Specify
Gcp
as the
Type
for the account.
Traffic replication is supported only for GCP accounts.
Specify the
Account
information from the GCP service account you created.
Enter a
Member/User
name for the GCP service account.
Commit and push your changes, making sure that
Mobile Users
(for a mobile user deployment),
Remote Networks
(for a remote networks deployment), or both
are selected in the
Push Scope
.
Click
Commit
Commit and Push
.
Edit Selections
and, in the
Prisma Access
tab, make sure that
Mobile Users
and
Remote Networks
are
selected in the
Push Scope
, then click
OK
.
The
Push Scope
might not be automatically selected.
Click
Commit and Push
.
Check the status of traffic replication by going to
Panorama
Cloud Services
Status
Traffic Replication
.
The
Storage Links
is the name of the GCP storage bucket where you can access the PCAP files, The
Cloud Provider Location
is the location where the GCP instance is onboarded.
Download the PCAP files using the private key that only you possess.
Use the
Storage Links
to access the PCAP files in your GCP storage buckets.
These storage buckets support the same regular operations, commands, and queries as any other GCP storage buckets.
You can download PCAP data for up to 72 hours. After 72 hours, the files are permanently deleted.
Files are encrypted using your public key.
Maximum file size is 200 MB or 5 minutes of packet capture, whichever is smaller.
List the files in your service by entering enter
gsutil ls gs://
<storage_bucket_link>
/
, where
<storage_bucket_link>
is the storage link in your GCP service account where the files are stored.
Download the files from your service account by entering the enter
gsutil cp gs://
<storage_bucket_link>
/
<file_name>
<destination folder>
, where:
<storage_bucket_link>
is the storage link in your GCP service account where the files are stored.
<file_name>
is the name of the PCAP file.
<destination folder>
is the folder where you want the PCAP file to be downloaded.
Unzip the downloaded files.
Decrypt the downloaded files using the private key that only you possess.