Configure Decryption Port Mirroring
Where permitted by law, you can decrypt traffic and send unencrypted traffic to a device that can archive and analyze the traffic.
Before you configure Decryption Port Mirroring, you must obtain a Decryption Port Mirroring license for each Next-Generation Firewall (NGFW) that will forward decrypted traffic. The license is free of charge and does not expire. Install each license on its respective NGFW, and then complete the configuration steps for your management platform.
Important Considerations
We recommend consulting corporate counsel before enabling this feature in a production environment. Note the following:
  • Certain countries regulate how you decrypt, inspect, store, or otherwise use SSL/TLS traffic. User consent might be required to mirror traffic.
  • Decrypted traffic leaves the NGFW in cleartext on the mirror interface. Malicious users with administrative access to the NGFW, to the mirror link, or to the device that receives the mirrored traffic could harvest sensitive information (such as usernames, passwords, social security numbers, and credit card numbers) submitted through encrypted channels. Treat the mirror link and any stored captures with the same care as the original plaintext.
Request a Decryption Port Mirroring license.
  1. Select Products > Assets, and then locate the NGFW you want to license.
  2. In the Actions column for that NGFW, select Licenses & Subscriptions.
  3. On the Licenses & Subscriptions page, select Activate License.
  4. For Activation Types, select Activate Feature License.
  5. For Activate Feature License, select Decryption Port Mirror.
  6. Review the legal notice, and then click Agree and Submit.
    The license is now active and displays in the Cloud Delivered Security Services list.
  7. (Optional) Repeat these steps for additional NGFWs.
Install the license on an NGFW.
  1. Log in to the NGFW web interface.
  2. Select Device > Licenses.
  3. In the License Management section, click Retrieve license keys from license server.
  4. Reboot the NGFW.
    1. Select Device > Setup > Operations.
    2. In the Device Operations section, click Reboot Device.
    3. Click Yes to confirm.
Verify that the license is active on the NGFW.
  • On the NGFW web interface:
    1. Select Device > Licenses.
    2. In the License Management section, locate the Decryption Port Mirror box, and then verify that the Active field displays Yes.
  • On Strata Cloud Manager:
    1. Select System Settings > Device Management > Cloud Managed Devices.
    2. In the Actions column for the NGFW, select Fetch Licenses Info.
    3. Verify that the License Installed On Device list includes Decryption Port Mirror and that the License Status is OK.

Configure Decryption Port Mirroring (Strata Cloud Manager)

  1. Log in to Strata Cloud Manager.
  2. Configure an Ethernet interface for decryption mirroring.
    1. Select Configuration > NGFW and Prisma Access > Device > Interfaces > Ethernet.
    2. Select a Configuration Scope.
      Select an NGFW or an entire folder (for example, All Firewalls) from your Folders, or a snippet from your Snippets, to target your configuration.
    3. Select an Ethernet interface or click Add Interface > Interface.
      If you configure an interface in the folder or snippet scope, Strata Cloud Manager pushes the configuration only to NGFWs that have the corresponding interface slot available. For example, if you configure Ethernet 1/5 in the folder scope and an NGFW associated with the folder has only four interface slots, the push to that NGFW fails.
    4. (New Interface only) Enter a descriptive Interface Name, such as all-ngfw-decrypt-mirror.
    5. Select a Default Interface Assignment.
    6. For Interface Type, select Decrypt Mirror.
    7. Leave the Link Settings set to auto.
    8. Save the interface.
  3. Enable forwarding of decrypted traffic.
    Superuser permissions are required.
    Strata Cloud Manager does not support decryption mirroring for NGFWs with multiple virtual systems; the following steps apply to an NGFW with a single virtual system.
    1. Select Configuration > NGFW and Prisma Access > Device > Device Setup > Content-ID.
    2. Customize the Content-ID Settings, and then select Allow forwarding of decrypted content.
    3. Save the settings.
  4. Enable mirroring of decrypted traffic.
    1. Select Configuration > Security Services > Decryption.
    2. Select a Decryption Profile or click Add Profile to create a new one.
      Only reuse a profile if you want traffic defined in the decryption policy rules associated with that profile to be mirrored. If you plan to configure a new decryption policy rule, create a new decryption profile.
    3. In the Decryption Mirroring section, select an Interface.
      Selecting an interface that is already in use causes commits to fail.
    4. Specify whether to mirror decrypted traffic before or after policy enforcement.
      • By default, Forwarded Only is not selected. The NGFW mirrors all decrypted traffic to the interface before the Security policy rule lookup. This allows you to replay events and analyze traffic that generates a threat or triggers a drop.
      • To mirror decrypted traffic only after Security policy enforcement, select Forwarded Only. The NGFW only mirrors allowed traffic. Use this option if you're forwarding traffic to threat detection devices, such as a data loss prevention (DLP) device or an intrusion prevention system (IPS).
    5. Save the profile.
  5. Apply the decryption profile to a decryption policy rule.
    This rule defines the traffic that the NGFW mirrors.
    1. Select Configuration > Security Services > Decryption.
    2. In the Decryption Policies section, select an existing decryption policy rule or click Add Rule to create a new rule.
      Make sure the Action is set to Decrypt.
    3. In the Action and Advanced Inspection tab, set Decryption Profile to the profile you configured earlier.
    4. Save the rule.
  6. Push your configuration changes.
    Select Push Config > Push.
  7. Verify the settings applied to your NGFWs.
    For example, if your Configuration Scope is set to All Firewalls, switch to the scope for a specific NGFW to verify that the configured settings were inherited correctly. Alternatively, log in to an individual NGFW web interface to view these settings locally.

Configure Decryption Port Mirroring (PAN-OS & Panorama)

  1. Log in to the NGFW web interface.
  2. Forward decrypted traffic.
    Superuser permission is required to perform this step.
    On an NGFW with a single virtual system:
    1. Select Device > Setup > Content-ID.
    2. Enable Allow forwarding of decrypted content.
    3. Click OK.
    On an NGFW with multiple virtual systems:
    1. Select Device > Virtual Systems.
    2. Select a Virtual System, or Add a new one.
    3. Enable Allow forwarding of decrypted content.
    4. Click OK.
  3. Enable an Ethernet interface for decryption mirroring.
    1. Select Network > Interfaces > Ethernet.
    2. Select an interface. A dialog with the interface settings appears.
    3. For Interface Type, select Decrypt Mirror.
      This interface type appears only if you have installed the Decryption Port Mirroring license.
    4. Click OK.
  4. Enable mirroring of decrypted traffic.
    1. Select Objects > Decryption Profile, and then select a profile or Add a new one.
    2. In the Decryption Mirroring section, select an Interface.
      The drop-down list contains only Ethernet interfaces of the Decrypt Mirror type.
    3. Specify whether to mirror traffic before or after policy enforcement.
      • By default, Forwarded Only is clear. The NGFW mirrors all decrypted traffic to the interface before the Security policy rule lookup. This allows you to replay events and analyze traffic that generates a threat or triggers a drop.
      • To mirror decrypted traffic only after Security policy enforcement, select Forwarded Only. The NGFW only mirrors allowed traffic. Use this option if you're forwarding traffic to threat detection devices, such as a data loss prevention (DLP) device or an intrusion prevention system (IPS).
    4. Click OK.
  5. Attach the decryption profile to a decryption policy rule.
    The NGFW mirrors traffic that matches this rule.
    1. Select Policies > Decryption.
    2. Select an existing decryption policy rule, or Add a new rule.
    3. In the Options tab, set the Action to Decrypt.
    4. For Decryption Profile, select the profile you modified (or created) earlier.
    5. Click OK.
  6. Commit your changes.
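After either procedure above (Strata Cloud Manager or PAN-OS/Panorama) has been committed, the practical check is to look at what actually arrives on the host plugged into the Decrypt Mirror interface: decrypted sessions should show up as cleartext HTTP on port 443, and anything that still looks like a TLS record did not arrive decrypted and merits a look. The script below is an added example, not Palo Alto Networks code. It parses a libpcap file (such as one written by tcpdump on the capture host) and classifies each TCP segment that carries data. It assumes Ethernet/IPv4 frames whose IP and TCP headers still carry the original flow's addresses and ports; the sample capture it runs on is constructed inline, and the addresses in it are hypothetical.

```python
"""Classify what a Decrypt Mirror interface is emitting (added example, not vendor code)."""
import struct
from collections import Counter

HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
               b"OPTIONS ", b"PATCH ", b"CONNECT ", b"HTTP/1.")


def classify_payload(payload: bytes) -> str:
    """'tls' for a TLS record header, 'http' for a cleartext HTTP request or status line."""
    if (len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls"
    if payload.startswith(HTTP_STARTS):
        return "http"
    return "other"


def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from a libpcap (not pcapng) byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < total_len or total_len < ihl + 20:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_off:]


def audit_mirror_capture(pcap: bytes):
    """Count segment kinds and list the flows whose payload still looks like TLS."""
    counts = Counter()
    still_tls = set()
    for frame in iter_pcap_frames(pcap):
        pkt = parse_tcp(frame)
        if pkt is None or not pkt[4]:      # non-TCP or no payload (pure ACK)
            continue
        kind = classify_payload(pkt[4])
        counts[kind] += 1
        if kind == "tls":
            still_tls.add(pkt[:4])
    return dict(counts), sorted(still_tls)


def _frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for sample data (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed sample capture (hypothetical addresses), not a real mirror-port recording.
SAMPLE_PCAP = _pcap([
    # Decrypted by the NGFW: cleartext HTTP on port 443 with the original 5-tuple.
    _frame("10.0.0.5", 51000, "198.51.100.20", 443,
           b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    _frame("198.51.100.20", 443, "10.0.0.5", 51000,
           b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    # Still a TLS ClientHello: this flow did not arrive in cleartext.
    _frame("10.0.0.7", 51010, "203.0.113.9", 443,
           b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    _frame("10.0.0.5", 51000, "198.51.100.20", 443, b""),   # pure ACK, ignored
])

if __name__ == "__main__":
    counts, leftovers = audit_mirror_capture(SAMPLE_PCAP)
    print("segments by kind:", counts)
    print("flows still carrying TLS records:", leftovers)
```

To use it on a real capture, read the file written by tcpdump on the capture host and pass its bytes to audit_mirror_capture; a non-empty second result means some sessions reached the capture host still encrypted, which is worth checking against the decryption policy rule and the Decrypt Mirror interface assignment before trusting downstream DLP or IPS results.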