User Interface Changes for Network Packet Broker
End-of-Life (EoL)

Network Packet Broker replaces the Decryption Broker feature introduced in PAN-OS 8.1 and expands its capabilities to include forwarding non-decrypted TLS and non-TLS traffic as well as decrypted TLS traffic to a security chain. To support Network Packet Broker, the PAN-OS 11.0 user interface has the following changes:
  • A new policy (Policies > Network Packet Broker) enables you to configure the specific traffic to forward to the security chain and attach a Packet Broker profile to control how to forward the specified traffic to the security chain.
    Decryption Broker used Decryption policy rules to forward only decrypted TLS traffic to the security chain. The new Network Packet Broker policy rules enable you to select not only decrypted TLS traffic, but also encrypted TLS traffic and non-TLS traffic.
  • A new profile (Objects > Packet Broker Profile) replaces the old Objects > Decryption > Decryption Broker Profile and enables you to configure exactly how to forward traffic to the security chain and monitor path and latency health. On the General tab, the names of the fields where you enter the dedicated firewall Network Packet Broker forwarding interface pair changed from “Primary Interface” and “Secondary Interface” to Interface #1 and Interface #2, respectively.
  • When you select Policies > Network Packet Broker, you can then select any of the Rule Usage options in Policy Optimizer to view Network Packet Broker policy usage information. Rule Usage statistics help you evaluate whether you need to keep unused Network Packet Broker rules or if you can delete them and tighten up the rulebase to reduce the attack surface.
  • Because Network Packet Broker replaced Decryption Broker, Decryption policy no longer handles brokering traffic to a security chain. For that reason, on the Options tab, the Decrypt and Forward option is no longer an Action that the policy can take, and the Forwarding Profile field was also removed because now only Decryption profiles are valid on Decryption policies.
  • In Network > Interfaces > Ethernet, when you set the Interface Type to Layer 3 and then select the Advanced tab, the name of the checkbox to enable the interface as a forwarding interface for Network Packet Broker changed from “Decrypt Forward” to Network Packet Broker.
  • For Device > Admin Roles, on the Web UI tab, there are two changes:
    • Under Policies, you can now configure Network Packet Broker admin role permissions.
    • Under Objects, the Decryption > Forwarding Profile option is removed and replaced by the Packet Broker Profile option for admin role permissions.
  • On firewalls, for Monitor > Manage Custom Reports, when you select Traffic Log from the Detailed Logs as the Database, in the Available Columns list, you can now select Forwarded to Security Chain.
    On Panorama, for Monitor > Manage Custom Reports, when you select Panorama Traffic Log from the Detailed Logs as the Database, in the Available Columns list, you can now select Forwarded to Security Chain.
  • In the Traffic log, the “Decrypt Forward” column is renamed Forwarded to Security Chain. In the detailed view of the Traffic log, in the Flags section, the checkbox “Decrypt Forwarded” is renamed to Forwarded to Security Chain.
  • The free license for the feature is renamed from “Decryption Broker” to Packet Broker. If you have the free Decryption Broker license on your firewall, the name changes automatically when you upgrade to PAN-OS 10.1. The change is only in the name and has no effect on the feature.