Decryption mirroring creates a copy of the decrypted
(cleartext) traffic and sends it to a device that can archive and
analyze the traffic.
Decryption mirroring creates a copy of decrypted traffic
from a firewall and sends it to a traffic collection tool such as
NetWitness or Solera, which can receive raw packet captures for
archiving and analysis. Organizations that require comprehensive
data capture for forensic and historical purposes or for data leak
prevention (DLP) can install a free license to enable the feature.
After you install the license, connect the traffic collection
tool directly to an Ethernet interface on the firewall and set the
. The firewall simulates a TCP handshake with
the collection tool and then sends every data packet through that
interface, decrypted (as cleartext).
Decryption mirroring is available only on PA-7000 Series, PA-5200
Series, PA-5000 Series, and PA-3000 Series platforms.
Keep in mind that the decryption, storage, inspection, and/or
use of SSL traffic is regulated in certain countries, and user consent
may be required to use the decryption mirror feature. Additionally,
use of this feature could enable malicious users with administrative
access to the firewall to harvest usernames, passwords, social security
numbers, credit card numbers, or other sensitive information submitted
using an encrypted channel. Palo Alto Networks recommends that you
consult with your corporate counsel before activating and using
this feature in a production environment.