Network Packet Broker filters and forwards network traffic
to an external security chain of one or more third-party security
appliances. Network Packet Broker replaces the Decryption Broker
feature introduced in PAN-OS 8.1 and expands its capabilities to
include forwarding non-decrypted TLS traffic and non-TLS traffic
(cleartext) as well as decrypted TLS traffic. The ability to handle
all types of traffic is especially valuable in very high-security
environments such as financial and government institutions.

Network Packet Broker is supported on PA-7000 Series, PA-5400
Series, PA-5200 Series, and PA-3200 Series devices and on VM-300 and
VM-700 models. It requires SSL Forward Proxy decryption to be enabled,
in which the firewall is established as a trusted third party (or
man-in-the-middle) to session traffic.

A firewall interface cannot be both a decryption broker
and a GRE tunnel endpoint.