Prepare to Deploy Network Packet Broker

Take the following actions to prepare to deploy Network Packet Broker:
  1. Obtain and activate the free Network Packet Broker license.
    1. Select
      on the left-hand navigation pane.
    2. Find the device on which you want to enable decryption broker or decryption port mirroring and select
      (the pencil icon).
    3. Under Activate Licenses, select
      Activate Feature License
    4. Select the
      Network Packet Broker
      free license.
    5. Click
      Agree and Submit
  2. Install the license on the firewall.
    1. Select
    2. Click
      Retrieve license keys from the license server
    3. Verify that the
      page shows that the
      Network Packet Broker
      license is now active on the firewall.
    4. Restart the firewall (
      ). Network Packet Broker is not available for configuration until the firewall restarts.
      You can push the Network Packet Broker license from Panorama to managed firewalls. You must reboot the firewalls to make the license take effect and update the user interface.
  3. Enable the App-ID cache for Network Packet Broker.
    1. The App-ID cache is disabled by default. Enable it using the configuration mode CLI command:
      admin@PA-3260# set deviceconfig setting application cache yes
    2. Enable the firewall to use the App-ID cache to identify applications:
      admin@PA-3260# set deviceconfig setting application use-cache-for-identification yes
    Verify the settings show that
    Application cache
    is set to
    Use cache for appid
    is set to
    admin@PA-3260> show running application setting Application setting: Application cache : yes Supernode : yes Heuristics : yes Cache Threshold : 1 Bypass when exceeds queue limit: no Traceroute appid : yes Traceroute TTL threshold : 30 Use cache for appid : yes Use simple appsigs for ident : yes Use AppID cache on SSL/SNI : no Unknown capture : on Max. unknown sessions : 5000 Current unknown sessions : 33 Application capture : off
    Current APPID Signature Memory Usage : 16768 KB (Actual 16461 KB) TCP 1 C2S : regex 11898 states TCP 1 S2C : regex 4549 states UDP 1 C2S : regex 4263 states UDP 1 S2C : regex 1605 states
  4. Enable the firewall to
    Allow forwarding of decrypted content
  5. Identify the traffic that you want to forward to one or multiple security chains.
  6. Identify the topology for each security chain and determine whether to use layer 1 Transparent Bridge forwarding or routed layer 3 forwarding, which determines what type of security chain you configure on the firewall. Considerations include:
    • Whether you want to load-balance traffic across multiple chains (use a routed layer 3 security chain to distribute sessions across multiple chains through a router, switch, or other routing device), use a single chain, or use different security chains for different types of traffic. For multiple layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each security chain because the layer 1 connection is not routed.
    • Whether to use unidirectional or bidirectional traffic flow through the security chain.
  7. Decide which pairs of firewall interfaces to use as dedicated Network Packet Broker forwarding interfaces.
    • For layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each layer 1 security chain. You can configure policy rules to send specific traffic to different security chains.
    • For routed layer 3 chains, one dedicated pair of firewall interfaces can load balance traffic among multiple layer 3 security chains through a switch, router, or other routing-capable device.
    • For routed layer 3 chains, you can use multiple pairs of dedicated firewall interfaces to send specific traffic to different security chains using different policy rules.
    Security policy must allow traffic between each paired set of Network Packet Broker interfaces. The
    Security policy rule allows traffic within the same zone by default. However, if you have a “deny all” policy rule earlier in the policy rulebase, then you must create an explicit allow rule to allow the Network Packet Broker traffic.

Recommended For You