1. Home
    2. PAN-OS
    3. PAN-OS® Networking Administrator’s Guide
    4. Network Packet Broker
    5. Prepare to Deploy Network Packet Broker

    Prepare to Deploy Network Packet Broker

    Take the following actions to prepare to deploy Network Packet Broker:
    1. Obtain and activate the free Network Packet Broker license.
      2. Select
        Assets
        Devices
         on the left-hand navigation pane.
      3. Find the device on which you want to enable decryption broker or decryption port mirroring and select
        Actions
         (the pencil icon).
      4. Under Activate Licenses, select
        Activate Feature License
      5. Select the
        Network Packet Broker
         free license.
      6. Click
        Agree and Submit
        .
    2. Install the license on the firewall.
      1. Select
        Device
        Licenses
        .
      2. Click
        Retrieve license keys from the license server
        .
      3. Verify that the
        Device
        Licenses
         page shows that the
        Network Packet Broker
         license is now active on the firewall.
      4. Restart the firewall (
        Device
        Setup
        Operations
        ). Network Packet Broker is not available for configuration until the firewall restarts.
        You can push the Network Packet Broker license from Panorama to managed firewalls. You must reboot the firewalls to make the license take effect and update the user interface.
    3. Enable the App-ID cache for Network Packet Broker.
      1. The App-ID cache is disabled by default. Enable it using the configuration mode CLI command: 
        admin@PA-3260# set deviceconfig setting application cache yes
      2. Enable the firewall to use the App-ID cache to identify applications: 
        admin@PA-3260# set deviceconfig setting application use-cache-for-identification yes
      Verify the settings show that
      Application cache
       is set to
      yes
       and
      Use cache for appid
       is set to
      yes
      : 
      admin@PA-3260> show running application setting
Application setting:
Application cache             : yes
Supernode                     : yes
Heuristics                    : yes
Cache Threshold               : 1
Bypass when exceeds queue limit: no
Traceroute appid              : yes
Traceroute TTL threshold      : 30
Use cache for appid           : yes
Use simple appsigs for ident  : yes
Use AppID cache on SSL/SNI    : no
Unknown capture               : on
Max. unknown sessions         : 5000
Current unknown sessions      : 33
Application capture           : off
      Current APPID Signature
   Memory Usage               : 16768  KB (Actual 16461  KB)
      TCP 1 C2S               : regex 11898  states
      TCP 1 S2C               : regex 4549   states
      UDP 1 C2S               : regex 4263   states
      UDP 1 S2C               : regex 1605   states
    4. Enable the firewall to
      Allow forwarding of decrypted content
       (
      Device
      Setup
      Content-ID
      ).
    5. Identify the traffic that you want to forward to one or multiple security chains.
    6. Identify the topology for each security chain and determine whether to use layer 1 Transparent Bridge forwarding or routed layer 3 forwarding, which determines what type of security chain you configure on the firewall. Considerations include:
      • Whether you want to load-balance traffic across multiple chains (use a routed layer 3 security chain to distribute sessions across multiple chains through a router, switch, or other routing device), use a single chain, or use different security chains for different types of traffic. For multiple layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each security chain because the layer 1 connection is not routed.
      • Whether to use unidirectional or bidirectional traffic flow through the security chain.
    7. Decide which pairs of firewall interfaces to use as dedicated Network Packet Broker forwarding interfaces.
      • For layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each layer 1 security chain. You can configure policy rules to send specific traffic to different security chains.
      • For routed layer 3 chains, one dedicated pair of firewall interfaces can load balance traffic among multiple layer 3 security chains through a switch, router, or other routing-capable device.
      • For routed layer 3 chains, you can use multiple pairs of dedicated firewall interfaces to send specific traffic to different security chains using different policy rules.
      Security policy must allow traffic between each paired set of Network Packet Broker interfaces. The
      intrazone-default
       Security policy rule allows traffic within the same zone by default. However, if you have a “deny all” policy rule earlier in the policy rulebase, then you must create an explicit allow rule to allow the Network Packet Broker traffic.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo