Policy Object: Packet Broker Profile

Where Can I Use This? / What Do I Need?
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Managed by Panorama)
Check for any license or role requirements for the products you're using.
The Packet Broker profile defines how traffic is forwarded to a security chain, which is a set of inline, third-party security appliances that provide additional security inspection and enforcement. The profile defines the interfaces used to connect to the security chain, the type of security chain (Routed Layer 3 or Layer 1 Transparent Bridge), the first and last appliances in a Layer 3 security chain, session distribution (load balancing) among multiple Layer 3 chains, and health monitoring together with the action to take upon a path or HTTP latency failure. You attach a Packet Broker profile to a Packet Broker security rule. The security rule defines which traffic to forward to the security chain, and the profile defines how to forward that traffic.
Before you can configure a Packet Broker profile, you must dedicate at least two Layer 3 interfaces to forward traffic to the security chain.
Packet Broker Profile Settings and Descriptions
Name
Give the profile a descriptive name.
Description
Optionally describe the profile settings or purpose.
General Tab
Security Chain Type
Select the type of security chain to which the decrypted traffic is forwarded:
  • Routed (Layer 3): The devices in this type of security chain use Layer 3 interfaces to connect to the security-chain network. Each interface must have an assigned IP address and subnet mask. You configure security-chain devices with static routes or use dynamic routing to direct inbound and outbound traffic to the next device in the security chain and back.
  • Transparent Bridge: In a transparent-bridge security-chain network, all security-chain devices have two Transparent Bridge mode interfaces connected to the security-chain network. Transparent Bridge interfaces do not have IP addresses, subnet masks, default gateways, or local routing tables. Security-chain appliances receive traffic on one interface, analyze the traffic and enforce security, and then the traffic egresses the other interface to the next security-chain device.
Enable IPv6
(Transparent Bridge mode only) Enable IPv6 traffic forwarding.
Flow Direction
Select whether traffic enters the security chain from one interface and exits the security chain through the other interface, or whether traffic can enter and exit the security chain from both interfaces.
  • Unidirectional—All traffic is forwarded to the security chain through Interface #1, and the firewall receives the traffic back from the security chain on Interface #2.
    Both interfaces must be in the same zone.
  • Bidirectional—Client-to-server traffic is forwarded to the security chain through Interface #1, and the firewall receives it back from the security chain on Interface #2.
    Server-to-client traffic is forwarded to the security chain through Interface #2, and the firewall receives it back from the security chain on Interface #1.
The flow direction you select depends on the type of appliances in the security chain. For example, if a security chain has stateless devices that can examine both sides of a session, you could choose a unidirectional flow.
Interface #1 / Interface #2
The Network Packet Broker interfaces that are used to forward traffic to and receive traffic from a security chain. You must configure each interface as a Network Packet Broker interface, as described at the beginning of this help topic.
Security Chains Tab
Configure one or multiple (for load balancing or redundancy) Layer 3 security chains on one pair of Network Packet Broker interfaces. For the Routed (Layer 3) security chain type, you must configure at least one security chain to specify where to forward traffic. For multiple security chains, a switch or other device must handle the routing between the firewall and the chains.
The options on this tab are only available for Layer 3 (routed) security chains.
Enable
Enable the security chain.
Name
Give the security chain a descriptive name.
First Device / Last Device
Enter the IPv4 address of the first and last devices in the security chain, or define a new Address Object to easily reference each device.
Session Distribution Method
When forwarding to multiple Routed (Layer 3) security chains, choose the method that is used to distribute sessions among multiple security chains:
  • IP Modulo—The sessions are assigned based on the IP modulo hash of the source and destination IP addresses.
  • IP Hash—The sessions are assigned based on the IP hash of the source and destination IP addresses and port numbers.
  • Round Robin—The sessions are allocated evenly among security chains.
  • Lowest Latency—More sessions are allocated to the security chain with the lowest latency. For this method to work as expected, you must also enable Latency Monitoring and HTTP Monitoring on the Health Monitor tab.
Health Monitor Tab
On Health Check Failure
When you enable health checks (Path Monitoring, HTTP Monitoring, or HTTP Monitoring Latency), you also decide what happens if a chain (or all chains, if there are multiple chains) fails. If there are multiple chains and one or more chains fail a health check but at least one chain is still healthy, the traffic is distributed to the remaining chains based on the Session Distribution Method. If all of the chains associated with a pair of Network Packet Broker interfaces fail, you can:
  • Bypass Security Chain—The traffic is forwarded to its destination instead of to the failed chain(s). The security profiles and protections configured for the traffic are still applied.
  • Block Session—The session is blocked.
Health Check Failed Condition
If you configure more than one health check (you can configure all three health checks on a chain), configure how a failure is defined:
  • OR Condition—If any selected health check fails, the On Health Check Failure action occurs.
  • AND Condition—If all of the selected health checks fail, the On Health Check Failure action occurs.
Path Monitoring / Latency Monitoring / HTTP Monitoring
Enable path, HTTP latency, or HTTP monitoring, or a combination of the three health checks, to identify when security chains experience a failure, and configure the metrics that determine when a failure has occurred:
  • Path Monitoring—Checks device connectivity; set the ping count, ping interval in seconds, and recovery hold time in seconds.
  • HTTP Monitoring—Checks device availability and response time; set the HTTP count and HTTP interval in seconds.
  • HTTP Monitoring Latency—Checks device processing speed and efficiency; set the maximum latency in milliseconds, the latency duration in seconds, and whether to log latency that exceeds the maximum for that duration. When you select HTTP Monitoring Latency, HTTP Monitoring is automatically selected. Both must be selected to enable latency monitoring.
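As an added illustration (not the firewall's own code, and not Palo Alto Networks' actual hashing algorithm), the following Python models how the Session Distribution Method, the Health Check Failed Condition, and the On Health Check Failure action described on this page interact for one pair of Network Packet Broker interfaces. The hash keys, the chain names, the direction-independent endpoint ordering, and the omission of the Lowest Latency method are assumptions of this example.

```python
import hashlib
import ipaddress
from itertools import cycle


class PacketBrokerProfile:
    """Models chain selection for one pair of Network Packet Broker interfaces."""

    def __init__(self, chains, method, failed_condition="OR", on_failure="bypass"):
        self.chains = list(chains)                # enabled Routed (Layer 3) chains
        self.method = method                      # "ip-modulo" | "ip-hash" | "round-robin"
        self.failed_condition = failed_condition  # "OR" | "AND"
        self.on_failure = on_failure              # "bypass" | "block"
        self.health = {c: {} for c in self.chains}  # chain -> {check name: passed?}
        self._rr = cycle(self.chains)

    def record_health(self, chain, **checks):
        """Record the latest Path / HTTP / HTTP-latency results, e.g. path=True, http=False."""
        self.health[chain].update(checks)

    def chain_failed(self, chain):
        results = self.health[chain]
        if not results:  # no health check configured: the chain is treated as healthy
            return False
        failed = [not passed for passed in results.values()]
        # OR Condition: any failed check counts; AND Condition: every check must fail.
        return any(failed) if self.failed_condition == "OR" else all(failed)

    def healthy_chains(self):
        return [c for c in self.chains if not self.chain_failed(c)]

    def select_chain(self, src, dst, sport=0, dport=0):
        """Return the chain name for a session, or the On Health Check Failure action."""
        healthy = self.healthy_chains()
        if not healthy:
            return self.on_failure  # all chains failed: "bypass" (forward to destination) or "block"
        if self.method == "round-robin":
            for c in self._rr:  # next chain in rotation, skipping failed ones
                if c in healthy:
                    return c
        if self.method == "ip-modulo":
            # Assumption: sum of both addresses, so either direction of the session agrees.
            key = int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
        else:  # "ip-hash": addresses and ports, endpoints sorted so c2s and s2c match
            ends = sorted([f"{src}:{sport}", f"{dst}:{dport}"])
            key = int.from_bytes(hashlib.sha256("-".join(ends).encode()).digest()[:8], "big")
        return healthy[key % len(healthy)]
```

The symmetric keys matter for a Bidirectional flow: both directions of a session must land on the same chain, and a failed chain must drop out of the selection without changing the action taken when every chain is down.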