Decryption Mirroring

Decryption Mirroring creates a copy of the decrypted (cleartext) traffic and sends it to a device that can archive and analyze the traffic.
The decryption mirroring feature lets you create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that can receive raw packet captures (such as NetWitness or Solera) for archiving and analysis. This feature is necessary for organizations that require comprehensive data capture for forensic and historical purposes or for data leak prevention (DLP) functionality. Decryption mirroring is available only on PA-7000 Series, PA-5200 Series, PA-5000 Series, and PA-3000 Series platforms, and a free license must be installed to enable it.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is regulated in certain countries and user consent may be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
The following graphic shows the process for mirroring decrypted traffic and the section Configure Decryption Port Mirroring describes how to license and enable this feature.
[Figure: process for mirroring decrypted traffic (decrypt-port-mirror.png)]