Objects > Packet Broker Profile
Table of Contents
11.1
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Objects > Packet Broker Profile
The Packet Broker profile defines how
the firewall forwards traffic to a security chain, which is a set
of inline, third-party security appliances that provides additional
security inspection and enforcement. The profile defines the firewall interfaces
used to connect to the security chain, the type of security chain
(Routed Layer 3 or Layer 1 Transparent Bridge), the first and last
appliances in a Layer 3 security chain, session distribution (load
balancing) among multiple Layer 3 chains, and health monitoring
and actions to take upon a path or HTTP latency failure. You attach
a Packet Broker profile to a Packet Broker policy rule. The policy
rule defines the traffic to forward to the security chain and the
profile defines how to forward that traffic.
Before you can configure a Packet Broker profile, you must dedicate
at least two Layer 3 interfaces on the firewall to forward traffic
to the security chain.
- Select NetworkInterfacesEthernet.
- Select an interface to use for Packet Broker forwarding.
- Set the Interface Type to Layer3.
- Select AdvancedOther Info.
- Select Network Packet Broker to enable the interface.
- Repeat these steps with another Ethernet interface. If you want more than one dedicated connection (for example, to connect to multiple security chains), configure a pair of Ethernet interfaces for each dedicated connection.
Packet Broker Profile
Settings | Description |
---|---|
Name | Give the profile a descriptive name. |
Description | Optionally describe the profile settings
or purpose. |
General Tab | |
Security Chain Type | Select the type of security chain to which
the firewall forwards decrypted traffic:
|
Enable IPv6 | (Transparent Bridge mode only) Enable IPv6
traffic forwarding. |
Flow Direction | Select whether traffic enters the security
chain from one firewall interface and exits the security to the
other firewall interface, or if traffic can enter and exit the security
chain from both firewall interfaces.
The flow
direction you select depends on the type of appliances in the security
chain. For example, if a security chain has stateless devices that
can examine both sides of a session, you could choose a unidirectional
flow. |
Interface #1 | The Network Packet Broker
interfaces that the firewall uses to forward traffic to and receive
traffic from a security chain. You must configure each interface
as a Network Packet Broker interface, as described at the beginning
of this help topic. |
Interface #2 | |
Security Chains Tab Configure
one or multiple (for load balancing or redundancy) Layer 3 security
chains on one pair of Network Packet Broker firewall interfaces.
For the Routed (Layer 3) security chain type,
you must configure at least one security chain to specify where
to forward traffic. For multiple security chains, aswitch or other
device must handle the routing between the firewall and the chains. The
options on this tab are only available for Layer 3 (routed) security chains. | |
Enable | Enable the security chain. |
Name | Give the security chain a descriptive name. |
First Device | Enter the IPv4 address of the first and last devices in the security chain or define a new Address Object to easily reference the device. |
Last Device | |
Session Distribution Method | When forwarding to multiple Routed
(Layer 3) security chains, choose the method that the
firewall uses to distribute sessions among multiple security chains:
|
Health Monitor Tab | |
On Health Check Failure | When you enable health checks (Path Monitoring, HTTP
Monitoring, or HTTP Monitoring Latency),
you also decide what happens if a chain (or all chains if there
are multiple chains) fails. If there are multiple chains and one
or more chains fail a health check but at least one chain is still
healthy, the firewall distributes traffic to the remaining chains
based on the Session Distribution Method.
If all of the chains associated with a pair of firewall Network
Packet Broker interfaces, you can:
|
Health Check Failed Condition | If you configure more than one health check
(you can configure all three health checks on a chain), configure
how the firewall defines a failure:
|
Path Monitoring | Enable path, HTTP latency,
or HTTP monitoring, or a combination of the three health checks
to identify when security chains experience a failure, and configure
the metrics that determine when a failure has occurred:
|
Latency Monitoring | |
HTTP Monitoring |