Network Packet Broker Overview
If you use one or more third-party security
appliances (a security chain) as part of your overall security suite,
you can use Network Packet Broker to filter and forward network
traffic to those security appliances. Network Packet Broker replaces
the Decryption Broker feature introduced in PAN-OS 8.1.
Like Decryption Broker, Network Packet Broker
provides decryption capabilities and security chain management.
This simplifies your network by eliminating complications from supporting
dedicated devices for those functions and reduces capital and operating
costs. Also like Decryption Broker, Network Packet Broker provides health
checks to ensure that the path to the security chain is healthy
and options for handling traffic if a chain goes down.
Network Packet Broker expands the firewall’s security
chain forwarding capabilities so that you can filter and forward
not only decrypted TLS traffic, but also non-decrypted TLS and non-TLS
(cleartext) traffic to one or more security chains based on applications,
users, devices, IP addresses, and zones. These features are especially
valuable in very high security environments such as financial and
government institutions.
Upgrade and downgrade:
Requirements for using Network Packet Broker:
You must install a free Packet Broker license on the
firewall. Without the free license, you can’t access the Packet
Broker policy and profile in the interface.
The firewall must have at least two available layer 3 Ethernet
interfaces to use as a dedicated pair of packet broker forwarding
interfaces.
You can configure multiple pairs of dedicated
Network Packet Broker forwarding interfaces to connect to different
security chains.
For each security chain, the pair of dedicated Network Packet Broker
interfaces must be in the same security zone.
Security
policy must allow traffic between each paired set of Network Packet
Broker interfaces. The intrazone-default Security
policy rule allows traffic within the same zone by default. However,
if you have a “deny all” policy rule earlier in the policy rulebase,
then you must create an explicit allow rule to allow the Network
Packet Broker traffic.
The pair of dedicated interfaces connect to the first and
last devices in a security chain.
Network
Packet Broker supports routed layer 3 security chains and Transparent
Bridge Layer 1 security chains. For routed layer 3 chains, one pair
of packet broker forwarding interfaces can connect to multiple layer
3 security chains using a properly configured switch, router, or
other device to perform the required layer 3 routing between the
firewall and the security chains.
Dedicated Network Packet Broker forwarding interfaces cannot
use dynamic routing protocols.
None of the devices in the security chain can modify the
source or destination IP address, source or destination port, or
protocol of the original session because the firewall would not
be able to match the modified session to the original session and
therefore would drop the traffic.
You must enable the firewall to Allow forwarding
of decrypted content ().
Network Packet Broker supports:
Decrypted TLS, non-decrypted TLS, and non-TLS traffic.
SSL Forward Proxy, SSL Inbound Inspection, and encrypted
SSH traffic.
Routed layer 3 security chains.
Transparent Bridge layer 1 security chains.
You
can configure both routed layer 3 and layer 1 Transparent Bridge
security chains on the same firewall but you must use different pairs
of forwarding interfaces for each type.
Unidirectional traffic flow through the chain: all traffic
to the chain egresses the firewall on one dedicated interface and
returns to the firewall on another dedicated interface, so all traffic
flows in the same direction through the pair of dedicated Network
Packet Broker interfaces.
Both firewall forwarding interfaces
must be in the same zone.
Bidirectional traffic flow through the security chain:
Client-to-server (c2s) traffic egresses the firewall on one dedicated
firewall broker interface and returns to the firewall on another dedicated
firewall broker interface.
Server-to-client (s2c) traffic uses the same two dedicated
firewall broker interfaces as c2s traffic, but the traffic flows
in the opposite direction through the security chain. The firewall
broker interface on which the s2c traffic goes to the chain is the
same interface on which the c2s traffic returns from the chain to
the firewall. The firewall broker interface on which the s2c traffic
returns to the firewall is the same interface on which the c2s traffic
egresses to the chain.
Both firewall forwarding
interfaces must be in the same zone.
Network Packet Broker does not support multicast, broadcast,
or decrypted SSH traffic.