Network Packet Broker replaces the Decryption
Broker feature introduced in PAN-OS 8.1 and expands its capabilities
to include forwarding non-decrypted TLS and non-TLS traffic as well
as decrypted TLS traffic to a security chain. To support Network
Packet Broker, the PAN-OS 11.0 user interface has the following
changes:
A new policy () enables
you to configure the specific traffic to forward to the security
chain and attach a Packet Broker profile to control how to forward
the specified traffic to the security chain.
Decryption
Broker used Decryption policy rules to forward only decrypted TLS
traffic to the security chain. The new Network Packet Broker policy
rules enable you to select not only decrypted TLS traffic, but also
encrypted TLS traffic and non-TLS traffic.
A new profile () replaces
the old and
enables you to configure exactly how to forward traffic to the security
chain and monitor path and latency health. On the General tab,
the names of the fields where you enter the dedicated firewall Network
Packet Broker forwarding interface pair changed from “Primary Interface”
and “Secondary Interface” to Interface #1 and Interface #2,
respectively.
When you select , you
can then select any of the
Rule Usage options in
Policy
Optimizer to view Network Packet Broker policy usage
information.
Rule Usage statistics help you
evaluate whether you need to keep unused Network Packet Broker rules
or if you can delete them and tighten up the rulebase to reduce
the attack surface.
Because Network Packet Broker replaced Decryption Broker,
Decryption policy no longer handles brokering traffic to a security
chain. For that reason, on the Options tab,
the Decrypt and Forward option is no longer
an Action that the policy can take, and the Forwarding
Profile field was also removed because now only Decryption
profiles are valid on Decryption policies.
In , when you set the Interface
Type to Layer 3 and then select the Advanced tab,
the name of the checkbox to enable the interface as forwarding interface
for Network Packet Broker changed from “Decrypt Forward” to Network
Packet Broker.
For , on the Web UI tab,
there are two changes:
Under Policies,
you can now configure Network Packet Broker admin
role permissions.
Under Objects, the option
is removed and replaced by the Packet Broker Profile option
for admin role permissions.
On firewalls, for , when
you select Traffic Log from the Detailed
Logs as the Database, in the Available
Columns list, you can now select Forwarded
to Security Chain.
On Panorama, for ,
when you select Panorama Traffic Log from
the Detailed Logs as the Database, in the Available
Columns list, you can now select Forwarded
to Security Chain.
In the Traffic log, the “Decrypt Forward” column is renamed Forwarded
to Security Chain. In the detailed view of the Traffic
log, in the Flags section, the checkbox “Decrypt
Forwarded” is renamed to Forwarded to Security Chain.
The free license for the feature is renamed from “Decryption
Broker” to Packet Broker. If you have the
free Decryption Broker license on your firewall, the name changes
automatically when you upgrade to PAN-OS 10.1. The change is only
in the name and has no effect on the feature.