Prepare to Deploy Network Packet Broker
Take the following actions to prepare to deploy Network Packet Broker:
- Obtain and activate the free Network Packet Broker license.
  - Log in to the Customer Support Portal.
  - Select Assets > Devices on the left-hand navigation pane.
  - Find the device on which you want to enable decryption broker or decryption port mirroring and select Actions (the pencil icon).
  - Under Activate Licenses, select Activate Feature License.
  - Select the Network Packet Broker free license.
  - Click Agree and Submit.
- Install the license on the firewall.
  - Select Device > Licenses.
  - Click Retrieve license keys from the license server.
  - Verify that the Device > Licenses page shows that the Network Packet Broker license is now active on the firewall.
- Restart the firewall (Device > Setup > Operations). Network Packet Broker is not available for configuration until the firewall restarts.
  You can push the Network Packet Broker license from Panorama to managed firewalls. You must reboot the firewalls to make the license take effect and update the user interface.
- Enable the App-ID cache for Network Packet Broker.
  - The App-ID cache is disabled by default. Enable it using the configuration mode CLI command:
    ```
    admin@PA-3260# set deviceconfig setting application cache yes
    ```
  - Enable the firewall to use the App-ID cache to identify applications:
    ```
    admin@PA-3260# set deviceconfig setting application use-cache-for-identification yes
    ```
  - Verify that the settings show Application cache set to yes and Use cache for appid set to yes:
    ```
    admin@PA-3260> show running application setting
    Application setting:
      Application cache                : yes
      Supernode                        : yes
      Heuristics                       : yes
      Cache Threshold                  : 1
      Bypass when exceeds queue limit  : no
      Traceroute appid                 : yes
      Traceroute TTL threshold         : 30
      Use cache for appid              : yes
      Use simple appsigs for ident     : yes
      Use AppID cache on SSL/SNI       : no
      Unknown capture                  : on
      Max. unknown sessions            : 5000
      Current unknown sessions         : 33
      Application capture              : off
    Current APPID Signature Memory Usage : 16768 KB (Actual 16461 KB)
      TCP 1 C2S : regex 11898 states
      TCP 1 S2C : regex 4549 states
      UDP 1 C2S : regex 4263 states
      UDP 1 S2C : regex 1605 states
    ```
- Enable the firewall to Allow forwarding of decrypted content (Device > Setup > Content-ID).
- Identify the traffic that you want to forward to one or multiple security chains.
- Identify the topology for each security chain and determine whether to use layer 1 Transparent Bridge forwarding or routed layer 3 forwarding, which determines what type of security chain you configure on the firewall. Considerations include:
  - Whether you want to load-balance traffic across multiple chains (use a routed layer 3 security chain to distribute sessions across multiple chains through a router, switch, or other routing device), use a single chain, or use different security chains for different types of traffic. For multiple layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each security chain because the layer 1 connection is not routed.
  - Whether to use unidirectional or bidirectional traffic flow through the security chain.
- Decide which pairs of firewall interfaces to use as dedicated Network Packet Broker forwarding interfaces.
  - For layer 1 Transparent Bridge chains, you need a pair of dedicated firewall interfaces for each layer 1 security chain. You can configure policy rules to send specific traffic to different security chains.
  - For routed layer 3 chains, one dedicated pair of firewall interfaces can load balance traffic among multiple layer 3 security chains through a switch, router, or other routing-capable device.
  - For routed layer 3 chains, you can use multiple pairs of dedicated firewall interfaces to send specific traffic to different security chains using different policy rules.

Security policy must allow traffic between each paired set of Network Packet Broker interfaces. The intrazone-default Security policy rule allows traffic within the same zone by default. However, if you have a "deny all" policy rule earlier in the policy rulebase, then you must create an explicit allow rule above it to allow the Network Packet Broker traffic.
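The shadowing problem described above, as an added example that is not part of the PAN-OS documentation: a small first-match model of a Security rulebase, with the predefined intrazone-default (allow) and interzone-default (deny) rules at the bottom, used to check whether traffic between the two paired Network Packet Broker interfaces still reaches intrazone-default or is caught by an earlier catch-all deny. Zone and rule names (npb-fwd, deny-all, allow-npb) are constructed for illustration.

```python
# Added example, not PAN-OS code: first-match evaluation of a Security rulebase
# to detect a "deny all" rule shadowing intrazone-default for the NPB zone.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    from_zones: set = field(default_factory=lambda: {"any"})  # "any" matches all
    to_zones: set = field(default_factory=lambda: {"any"})
    action: str = "allow"                 # "allow" or "deny"
    rule_type: str = "universal"          # "universal" | "intrazone" | "interzone"

    def matches(self, src_zone, dst_zone):
        if self.rule_type == "intrazone" and src_zone != dst_zone:
            return False
        if self.rule_type == "interzone" and src_zone == dst_zone:
            return False
        return ("any" in self.from_zones or src_zone in self.from_zones) and \
               ("any" in self.to_zones or dst_zone in self.to_zones)

# The two predefined default rules always sit at the bottom of the rulebase;
# intrazone-default allows same-zone traffic, interzone-default denies the rest.
INTRAZONE_DEFAULT = Rule("intrazone-default", action="allow", rule_type="intrazone")
INTERZONE_DEFAULT = Rule("interzone-default", action="deny", rule_type="interzone")

def evaluate(rulebase, src_zone, dst_zone):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for rule in list(rulebase) + [INTRAZONE_DEFAULT, INTERZONE_DEFAULT]:
        if rule.matches(src_zone, dst_zone):
            return rule.name, rule.action
    return None, "deny"

def npb_path_allowed(rulebase, npb_zone):
    """True if traffic between the paired NPB interfaces (same zone) is allowed."""
    return evaluate(rulebase, npb_zone, npb_zone)[1] == "allow"

# Constructed rulebases: a catch-all deny shadows intrazone-default ...
SHADOWED = [Rule("deny-all", action="deny")]
# ... unless an explicit allow for the NPB zone is placed above it.
FIXED = [Rule("allow-npb", {"npb-fwd"}, {"npb-fwd"}, "allow")] + SHADOWED

if __name__ == "__main__":
    print(evaluate(SHADOWED, "npb-fwd", "npb-fwd"))  # ('deny-all', 'deny')
    print(evaluate(FIXED, "npb-fwd", "npb-fwd"))     # ('allow-npb', 'allow')
```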