Network Packet Broker replaces the Decryption Broker feature introduced in PAN-OS 8.1 and expands its capabilities to include forwarding non-decrypted TLS and non-TLS traffic, as well as decrypted TLS traffic, to a security chain. To support Network Packet Broker, the PAN-OS 10.1 user interface has the following changes:
A new policy (Policies > Network Packet Broker) enables you to configure the specific traffic to forward to the security chain and to attach a Packet Broker profile that controls how the specified traffic is forwarded to the security chain. Decryption Broker used Decryption policy rules to forward only decrypted TLS traffic to the security chain. The new Network Packet Broker policy rules enable you to select not only decrypted TLS traffic, but also encrypted TLS traffic and non-TLS traffic.
A new profile (Objects > Packet Broker Profile) replaces the old Objects > Decryption > Decryption Broker Profile and enables you to configure exactly how to forward traffic to the security chain and how to monitor path and latency health. On the General tab, the names of the fields where you enter the dedicated firewall Network Packet Broker forwarding interface pair changed from “Primary Interface” and “Secondary Interface” to Interface #1 and Interface #2, respectively.
When you select Policies > Network Packet Broker, you can then select any of the Rule Usage options in Policy Optimizer to view Network Packet Broker policy usage information. Rule Usage statistics help you evaluate whether you need to keep unused Network Packet Broker rules or whether you can delete them and tighten up the rulebase to reduce the attack surface.
Because Network Packet Broker replaced Decryption Broker, Decryption policy no longer handles brokering traffic to a security chain. For that reason, on the Options tab, the Decrypt and Forward option is no longer an Action that the policy can take, and the Forwarding Profile field was also removed because now only Decryption profiles are valid on Decryption policies.
In Network > Interfaces > Ethernet, when you set the Interface Type to Layer 3 and then select the Advanced tab, the name of the checkbox that enables the interface as a forwarding interface for Network Packet Broker changed from “Decrypt Forward” to Network Packet Broker.
For Device > Admin Roles, on the Web UI tab, there are two changes:
Under Policies, you can now configure Network Packet Broker admin role permissions.
Under Objects, the Decryption Forwarding Profile option is removed and replaced by the Packet Broker Profile option for admin role permissions.
On firewalls, for Monitor > Manage Custom Reports, when you select Traffic Log from the Detailed Logs as the Database, you can now select Forwarded to Security Chain in the Available Columns list.
On Panorama, for Monitor > Manage Custom Reports, when you select Panorama Traffic Log from the Detailed Logs as the Database, you can now select Forwarded to Security Chain in the Available Columns list.
In the Traffic log, the “Decrypt Forward” column is renamed Forwarded to Security Chain. In the detailed view of the Traffic log, in the Flags section, the checkbox “Decrypt Forwarded” is renamed to Forwarded to Security Chain.
The free license for the feature is renamed from “Decryption Broker” to Packet Broker. If you have the free Decryption Broker license on your firewall, the name changes automatically when you upgrade to PAN-OS 10.1. The change is only in the name and has no effect on the feature.