By default, the firewall will mirror all decrypted traffic
to the interface before security policies lookup, which allows you to
replay events and analyze traffic that generates a threat or triggers
a drop action. If you want to only mirror decrypted traffic after security
policy enforcement, select the
Forwarded Only
check
box. With this option, only traffic that is forwarded through the
firewall is mirrored. This option is useful if you are forwarding
the decrypted traffic to other threat detection devices, such as
a DLP device or another intrusion prevention system (IPS).