Configure Decryption Port Mirroring

Where permitted by law, you can decrypt traffic and send the cleartext (unencrypted) traffic to a device that can archive and analyze the traffic.
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is regulated in certain countries and user consent may be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
  1. Request a license for each firewall on which you want to enable decryption port mirroring.
    1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
    2. Select the entry for the firewall you want to license and select Actions.
    3. Select Decryption Port Mirror. A legal notice displays.
    4. If you are clear about the potential legal implications and requirements and still want to set up decryption port mirroring, click I understand and wish to proceed.
    5. Click Activate.
      device-licenses.png
  2. Install the Decryption Port Mirror license on the firewall.
    1. From the firewall web interface, select DeviceLicenses.
    2. Click Retrieve license keys from license server.
    3. Verify that the license has been activated on the firewall.
      decrypt-port-mirror-license.png
    4. Reboot the firewall (DeviceSetupOperations). This feature is not available for configuration until PAN-OS reloads.
  3. Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
    On a firewall with a single virtual system:
    1. Select DeviceSetupContent - ID.
    2. Select the Allow forwarding of decrypted content check box.
    3. Click OK to save.
    On a firewall with multiple virtual systems:
    1. Select DeviceVirtual System.
    2. Select a Virtual System to edit or create a new Virtual System by selecting Add.
    3. Select the Allow forwarding of decrypted content check box.
    4. Click OK to save.
  4. Enable an Ethernet interface to be used for decryption mirroring.
    1. Select NetworkInterfacesEthernet.
    2. Select the Ethernet interface that you want to configure for decryption port mirroring.
    3. Select Decrypt Mirror as the Interface Type.
      This interface type will appear only if the Decryption Port Mirror license is installed.
    4. Click OK to save.
  5. Enable mirroring of decrypted traffic.
    1. Select ObjectsDecryption Profile.
    2. Select an Interface to be used for Decryption Mirroring.
      The Interface drop-down contains all Ethernet interfaces that have been defined as the type: Decrypt Mirror.
    3. Specify whether to mirror decrypted traffic before or after policy enforcement.
      By default, the firewall mirrors all decrypted traffic to the interface before security policy lookup, which allows you to replay events and analyze traffic that generates a threat or triggers a drop action. If you want to only mirror decrypted traffic after security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
    4. Click OK to save the decryption profile.
  6. Attach the decryption profile (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
    1. Select PoliciesDecryption.
    2. Click Add to configure a decryption policy or select an existing decryption policy to edit.
    3. In the Options tab, select Decrypt and the Decryption Profile created in step 4.
    4. Click OK to save the policy.
  7. Save the configuration.
    Click Commit.

Related Documentation