Prepare to Deploy Network Packet Broker

Obtain and activate the free Network Packet Broker license.
Log in to the Customer Support Portal.
Select
Assets
Devices
on the left-hand navigation pane.
Find the device on which you want to enable decryption broker or decryption port mirroring and select
Actions
(the pencil icon).
Under Activate Licenses, select
Activate Feature License
Select the
Network Packet Broker
free license.
Click
Agree and Submit
.
Install the license on the firewall.
Select
Device
Licenses
.
Click
Retrieve license keys from the license server
.
Verify that the
Device
Licenses
page shows that the
Network Packet Broker
license is now active on the firewall.
Restart the firewall (
Device
Setup
Operations
). Network Packet Broker is not available for configuration until the firewall restarts.
You can push the Network Packet Broker license from Panorama to managed firewalls. You must reboot the firewalls to make the license take effect and update the user interface.
Enable the App-ID cache for Network Packet Broker.
The App-ID cache is disabled by default. Enable it using the configuration mode CLI command:

admin@PA-3260# set deviceconfig setting application cache yes

Enable the firewall to use the App-ID cache to identify applications:

admin@PA-3260# set deviceconfig setting application use-cache-for-identification yes
Verify the settings show that
Application cache
is set to
yes
and
Use cache for appid
is set to
yes
:
admin@PA-3260> show running application setting
Application setting:
Application cache             : yes
Supernode                     : yes
Heuristics                    : yes
Cache Threshold               : 1
Bypass when exceeds queue limit: no
Traceroute appid              : yes
Traceroute TTL threshold      : 30
Use cache for appid           : yes
Use simple appsigs for ident  : yes
Use AppID cache on SSL/SNI    : no
Unknown capture               : on
Max. unknown sessions         : 5000
Current unknown sessions      : 33
Application capture           : off
Current APPID Signature
   Memory Usage               : 16768  KB (Actual 16461  KB)
      TCP 1 C2S               : regex 11898  states
      TCP 1 S2C               : regex 4549   states
      UDP 1 C2S               : regex 4263   states
      UDP 1 S2C               : regex 1605   states
Enable the firewall to
Allow forwarding of decrypted content
(
Device
Setup
Content-ID
).
Identify the traffic that you want to forward to one or multiple security chains.
Identify the topology for each security chain and determine whether to use layer 1 Transparent Bridge forwarding or routed layer 3 forwarding, which determines what type of security chain you configure on the firewall. Considerations include:
Whether you want to load-balance traffic across multiple chains (use a routed layer 3 security chain to distribute sessions across multiple chains through a router, switch, or other routing device), use a single chain, or use different security chains for different types of traffic. For multiple layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each security chain because the layer 1 connection is not routed.
Whether to use unidirectional or bidirectional traffic flow through the security chain.
Decide which pairs of firewall interfaces to use as dedicated Network Packet Broker forwarding interfaces.
For layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each layer 1 security chain. You can configure policy rules to send specific traffic to different security chains.
For routed layer 3 chains, one dedicated pair of firewall interfaces can load balance traffic among multiple layer 3 security chains through a switch, router, or other routing-capable device.
For routed layer 3 chains, you can use multiple pairs of dedicated firewall interfaces to send specific traffic to different security chains using different policy rules.
Security policy must allow traffic between each paired set of Network Packet Broker interfaces. The
intrazone-default
Security policy rule allows traffic within the same zone by default. However, if you have a “deny all” policy rule earlier in the policy rulebase, then you must create an explicit allow rule to allow the Network Packet Broker traffic.