Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.
Configure Decryption Port Mirroring
Request a license for each firewall on which you want to enable decryption port mirroring.
  1. Log in to the Palo Alto Networks Customer Support web site and navigate to the Assets tab.
  2. Select the entry for the firewall you want to license and select Actions.
  3. Select Decryption Port Mirror. A legal notice displays.
  4. If you are clear about the potential legal implications and requirements, click I understand and wish to proceed.
  5. Click Activate.
Install the Decryption Port Mirror license on the firewall.
  1. From the firewall web interface, select Device > Licenses.
  2. Click Retrieve license keys from license server.
  3. Verify that the license has been activated on the firewall.
Reboot the firewall (Device > Setup > Operations). This feature is not available for configuration until PAN-OS reloads.
Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
  On a firewall with a single virtual system:
  1. Select Device > Setup > Content-ID.
  2. Select the Allow forwarding of decrypted content check box.
  3. Click OK to save.
  On a firewall with multiple virtual systems:
  1. Select Device > Virtual System.
  2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
  3. Select the Allow forwarding of decrypted content check box.
  4. Click OK to save.
Enable an Ethernet interface to be used for decryption mirroring.
  1. Select Network > Interfaces > Ethernet.
  2. Select the Ethernet interface that you want to configure for decryption port mirroring.
  3. Select Decrypt Mirror as the Interface Type. This interface type will appear only if the Decryption Port Mirror license is installed.
  4. Click OK to save.
Enable mirroring of decrypted traffic.
  1. Select Objects > Decryption Profile.
  2. Select an Interface to be used for Decryption Mirroring. The Interface drop-down contains all Ethernet interfaces that have been defined as the type Decrypt Mirror.
  3. Specify whether to mirror decrypted traffic before or after policy enforcement. By default, the firewall mirrors all decrypted traffic to the interface before security policy lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to mirror decrypted traffic only after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
  4. Click OK to save the decryption profile.
Attach the decryption profile (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
  1. Select Policies > Decryption.
  2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
  3. In the Options tab, select Decrypt and the Decryption Profile created in Step 4.
  4. Click OK to save the policy.
Save the configuration. Click Commit.
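The procedure above chains several settings together, so after a commit it helps to list which decryption rules actually copy cleartext to a mirror port and in which mode. The following is an added example, not part of the original documentation or of PAN-OS: the inventory layout, field names, and sample values are constructed for illustration, follow the web-interface labels on this page, and are not the PAN-OS configuration schema.

```python
# Constructed inventory. Field names follow the web-interface labels on this
# page; they are hypothetical and are not the PAN-OS configuration schema.
SAMPLE = {
    "license_installed": True,
    "rebooted_after_license": True,
    "allow_forwarding_of_decrypted_content": True,
    "interfaces": {"ethernet1/5": "Decrypt Mirror", "ethernet1/6": "Layer3"},
    "decryption_profiles": {
        "mirror-pre": {"interface": "ethernet1/5", "forwarded_only": False},
        "mirror-dlp": {"interface": "ethernet1/5", "forwarded_only": True},
        "stale": {"interface": "ethernet1/6", "forwarded_only": False},
        "no-mirror": {"interface": None, "forwarded_only": False},
    },
    "decryption_rules": [
        {"name": "outbound-web", "action": "Decrypt", "profile": "mirror-pre"},
        {"name": "to-dlp", "action": "Decrypt", "profile": "mirror-dlp"},
        {"name": "legacy", "action": "Decrypt", "profile": "stale"},
        {"name": "finance", "action": "No Decrypt", "profile": "mirror-pre"},
        {"name": "internal", "action": "Decrypt", "profile": "no-mirror"},
    ],
}

PREREQUISITES = ("license_installed", "rebooted_after_license",
                 "allow_forwarding_of_decrypted_content")


def audit(cfg):
    """Return (mirrored, problems): rules that mirror cleartext, and broken prerequisites."""
    problems = [f"prerequisite not met: {k}" for k in PREREQUISITES if not cfg.get(k)]
    mirrored = {}
    for rule in cfg["decryption_rules"]:
        profile = cfg["decryption_profiles"].get(rule["profile"])
        if rule["action"] != "Decrypt" or not profile or not profile["interface"]:
            continue  # nothing decrypted, or the profile has no mirror interface
        iface = profile["interface"]
        if cfg["interfaces"].get(iface) != "Decrypt Mirror":
            problems.append(f"{rule['name']}: {iface} is not a Decrypt Mirror interface")
            continue
        # Without Forwarded Only, traffic is mirrored before security policy
        # lookup, so sessions the firewall later drops are also copied.
        scope = "forwarded only" if profile["forwarded_only"] else "before policy lookup"
        mirrored[rule["name"]] = (iface, scope)
    return mirrored, problems


if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```

Rules reported as "before policy lookup" deserve the closest review, because the receiving device also sees decrypted traffic that the firewall goes on to drop.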
