User Interface Changes for Network Packet Broker
Table of Contents
Expand all | Collapse all
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
User Interface Changes for Network Packet Broker
Network Packet Broker replaces the Decryption
Broker feature introduced in PAN-OS 8.1 and expands its capabilities
to include forwarding non-decrypted TLS and non-TLS traffic as well
as decrypted TLS traffic to a security chain. To support Network
Packet Broker, the PAN-OS 10.2 user interface has the following
changes:
- A new policy () enables you to configure the specific traffic to forward to the security chain and attach a Packet Broker profile to control how to forward the specified traffic to the security chain.PoliciesNetwork Packet BrokerDecryption Broker used Decryption policy rules to forward only decrypted TLS traffic to the security chain. The new Network Packet Broker policy rules enable you to select not only decrypted TLS traffic, but also encrypted TLS traffic and non-TLS traffic.
- A new profile () replaces the oldObjectsPacket Broker Profileand enables you to configure exactly how to forward traffic to the security chain and monitor path and latency health. On theObjectsDecryptionDecryption Broker ProfileGeneraltab, the names of the fields where you enter the dedicated firewall Network Packet Broker forwarding interface pair changed from “Primary Interface” and “Secondary Interface” toInterface #1andInterface #2, respectively.
- When you select, you can then select any of the Rule Usage options inPoliciesNetwork Packet BrokerPolicy Optimizerto view Network Packet Broker policy usage information.Rule Usagestatistics help you evaluate whether you need to keep unused Network Packet Broker rules or if you can delete them and tighten up the rulebase to reduce the attack surface.
- Because Network Packet Broker replaced Decryption Broker, Decryption policy no longer handles brokering traffic to a security chain. For that reason, on theOptionstab, theDecrypt and Forwardoption is no longer anActionthat the policy can take, and theForwarding Profilefield was also removed because now only Decryption profiles are valid on Decryption policies.
- In, when you set theNetworkInterfacesEthernetInterface Typeto Layer 3 and then select theAdvancedtab, the name of the checkbox to enable the interface as forwarding interface for Network Packet Broker changed from “Decrypt Forward” toNetwork Packet Broker.
- For, on theDeviceAdmin RolesWeb UItab, there are two changes:
- UnderPolicies, you can now configureNetwork Packet Brokeradmin role permissions.
- UnderObjects, theoption is removed and replaced by theDecryptionForwarding ProfilePacket Broker Profileoption for admin role permissions.
- On firewalls, for, when you selectMonitorManage Custom ReportsTraffic Logfrom the Detailed Logs as theDatabase, in theAvailable Columnslist, you can now selectForwarded to Security Chain.On Panorama, for, when you selectMonitorManage Custom ReportsPanorama Traffic Logfrom the Detailed Logs as theDatabase, in theAvailable Columnslist, you can now selectForwarded to Security Chain.
- In the Traffic log, the “Decrypt Forward” column is renamedForwarded to Security Chain. In the detailed view of the Traffic log, in theFlagssection, the checkbox “Decrypt Forwarded” is renamed toForwarded to Security Chain.
- The free license for the feature is renamed from “Decryption Broker” toPacket Broker. If you have the free Decryption Broker license on your firewall, the name changes automatically when you upgrade to PAN-OS 10.1. The change is only in the name and has no effect on the feature.