End-of-Life (EoL)

Decryption Mirroring

Decryption Mirroring creates a copy of the decrypted (cleartext) traffic and sends it to a device that can archive and analyze the traffic.
Decryption mirroring creates a copy of decrypted traffic from a firewall and sends it to a traffic collection tool such as NetWitness or Solera, which can receive raw packet captures for archiving and analysis. Organizations that require comprehensive data capture for forensic and historical purposes or for data leak prevention (DLP) can install a free license to enable the feature.
After you install the license, connect the traffic collection tool directly to an Ethernet interface on the firewall and set the Interface Type to Decrypt Mirror. The firewall simulates a TCP handshake with the collection tool and then sends every data packet through that interface, decrypted (as cleartext).
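As an added example (this is not code from the Palo Alto Networks documentation or product), here is a collector-side check a practitioner can run after enabling the feature: parse a pcap captured on the collector's interface facing the Decrypt Mirror port and count how many TCP payloads are still TLS records versus cleartext HTTP. If the mirror and the decryption policy are working, TLS records should be absent from the mirrored stream. The pcap writer and the two-packet sample (one still-encrypted TLS application-data record, one cleartext HTTP request, both on port 443) are constructed inline so the script runs offline; the sample frames assume Ethernet/IPv4/TCP with no IP or TCP options, but the parser honours the IHL and TCP data-offset fields for real captures.

```python
"""Classify TCP payloads in a pcap as TLS records or cleartext HTTP.

Added example for verifying a Decrypt Mirror feed on the collector side.
Assumes link type 1 (Ethernet) and IPv4; the sample pcap is constructed here.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic microsecond pcap magic
LINKTYPE_ETHERNET = 1
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # CCS, alert, handshake, app data
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                 b"OPTIONS ", b"HTTP/1.")


def build_pcap(frames):
    """Return little-endian pcap bytes wrapping the given raw Ethernet frames."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return header + body


def build_tcp_frame(src_port, dst_port, payload):
    """Ethernet + IPv4 (no options) + TCP (no options); checksums left zero (constructed sample)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                      5 << 4, 0x18, 65535, 0, 0)           # data offset 5, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every TCP segment with data."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    offset = 24                                            # skip global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        frame = pcap[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                       # not TCP
        ip_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl: 14 + ip_len]
        if len(tcp) < 20:
            continue
        src, dst = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4
        payload = tcp[data_offset:]
        if payload:
            yield src, dst, payload


def classify_payload(payload):
    """'tls-record' if it starts with a TLS record header, 'cleartext-http' for HTTP, else 'other'."""
    if (len(payload) >= 3 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04):
        return "tls-record"
    if payload.startswith(HTTP_PREFIXES):
        return "cleartext-http"
    return "other"


def summarize(pcap):
    """Count payload classes; a healthy Decrypt Mirror feed should show zero TLS records."""
    counts = {"tls-record": 0, "cleartext-http": 0, "other": 0}
    for _, _, payload in iter_tcp_payloads(pcap):
        counts[classify_payload(payload)] += 1
    return counts


# Constructed sample: one encrypted TLS 1.2 application-data record and one
# mirrored cleartext HTTP request, both to port 443.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(50000, 443, b"\x17\x03\x03\x00\x20" + b"\x00" * 32),
    build_tcp_frame(50001, 443, b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

On a real collector, replace SAMPLE_PCAP with the bytes of a capture taken on the interface cabled to the Decrypt Mirror port; any non-zero tls-record count there means some sessions are reaching the collector still encrypted, which usually points at decryption policy exclusions rather than at the mirror itself.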
Decryption mirroring is available only on PA-7000 Series, PA-5200 Series, PA-5000 Series and PA-3000 Series platforms.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is regulated in certain countries and user consent may be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
The following graphic shows the process for mirroring decrypted traffic and the section Configure Decryption Port Mirroring describes how to license and enable this feature.
