Configure Decryption Port Mirroring

Where permitted by law, you can decrypt traffic and send the cleartext (unencrypted) traffic to a device that can archive and analyze the traffic.
Before you can enable Decryption Mirroring, you must obtain and install a Decryption Port Mirror license. The license is free of charge and can be activated through the support portal as described in the following procedure. After you install the Decryption Port Mirror license and reboot the firewall, you can enable decryption port mirroring.
Keep in mind that the decryption, storage, inspection, and/or use of SSL traffic is regulated in certain countries and user consent may be required in order to use the decryption mirror feature. Additionally, use of this feature could enable malicious users with administrative access to the firewall to harvest usernames, passwords, social security numbers, credit card numbers, or other sensitive information submitted using an encrypted channel. Palo Alto Networks recommends that you consult with your corporate counsel before activating and using this feature in a production environment.
  1. Request a license for each firewall on which you want to enable decryption port mirroring.
    1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
    2. Select the entry for the firewall you want to license and select Actions.
    3. Select Decryption Port Mirror. A legal notice displays.
    4. If you are clear about the potential legal implications and requirements and still want to set up decryption port mirroring, click I understand and wish to proceed.
    5. Click Activate.
  2. Install the Decryption Port Mirror license on the firewall.
    1. From the firewall web interface, select Device > Licenses.
    2. Click Retrieve license keys from license server.
    3. Verify that the Decryption Port Mirror license now appears as active on the firewall.
    4. Reboot the firewall (Device > Setup > Operations). This feature is not available for configuration until PAN-OS reloads.
  3. Enable the firewall to forward decrypted traffic. Superuser permission is required to perform this step.
    On a firewall with a single virtual system:
    1. Select Device > Setup > Content-ID.
    2. Select the Allow forwarding of decrypted content check box.
    3. Click OK to save.
    On a firewall with multiple virtual systems:
    1. Select Device > Virtual System.
    2. Select a virtual system to edit, or click Add to create a new virtual system.
    3. Select the Allow forwarding of decrypted content check box.
    4. Click OK to save.
  4. Enable an Ethernet interface to be used for decryption mirroring.
    1. Select Network > Interfaces > Ethernet.
    2. Select the Ethernet interface that you want to configure for decryption port mirroring.
    3. Select Decrypt Mirror as the Interface Type. This interface type appears only if the Decryption Port Mirror license is installed.
    4. Click OK to save.
  5. Enable mirroring of decrypted traffic.
    1. Select Objects > Decryption Profile, then add a new decryption profile or open the existing profile you want to use.
    2. Select an Interface to be used for Decryption Mirroring. The Interface drop-down lists only the Ethernet interfaces that have been defined with the type Decrypt Mirror.
    3. Specify whether to mirror decrypted traffic before or after policy enforcement. By default, the firewall mirrors all decrypted traffic to the interface before Security policy lookup, which lets you replay events and analyze traffic that generates a threat or triggers a drop action. If you want to mirror decrypted traffic only after Security policy enforcement, select the Forwarded Only check box. With this option, only traffic that is forwarded through the firewall is mirrored; traffic the firewall drops is not. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
    4. Click OK to save the decryption profile.
  6. Attach the decryption profile (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted by that rule is mirrored.
    1. Select Policies > Decryption.
    2. Click Add to configure a new decryption policy rule, or select an existing rule to edit.
    3. In the Options tab, select Decrypt as the action and select the Decryption Profile created in step 5.
    4. Click OK to save the policy rule.
  7. Save the configuration.
    Click Commit.
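Once the commit completes, the device attached to the Decrypt Mirror interface should receive cleartext rather than TLS records. The script below is an added example, not part of this page or of PAN-OS, and uses no firewall API: it is a standard-library Python checker that walks a pcap captured on the collector (libpcap format with Ethernet link type, IPv4/TCP traffic only, all assumptions), classifies each TCP payload as a TLS record, cleartext HTTP, or other, and counts payloads carrying Authorization or Cookie headers, which is exactly the kind of material the legal warning at the top of this page is about. The sample capture embedded in it is constructed for the example, not a real trace.

```python
"""Verify that a capture taken on the decrypt-mirror collector carries cleartext.

Added example (standard library only, no PAN-OS API). Assumes a libpcap-format
file with Ethernet link type; IPv6, VLAN tags and IP fragmentation are not handled.
"""
import struct

LINKTYPE_ETHERNET = 1
HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")
SENSITIVE_HEADERS = (b"Authorization:", b"Cookie:", b"Set-Cookie:")


def build_frame(src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame with the given payload (checksums zeroed)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, microsecond stamps)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP packet that carries data."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                   # TCP only
            continue
        ip_total, = struct.unpack("!H", frame[16:18])
        tcp = frame[14 + ihl:14 + ip_total]
        if len(tcp) < 20:
            continue
        src_port, dst_port = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]                  # skip TCP header + options
        if payload:
            yield src_port, dst_port, payload


def classify(payload):
    """'tls' for an SSL/TLS record header, 'http' for cleartext HTTP, else 'other'."""
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3 and payload[2] <= 4:
        return "tls"
    if payload.startswith(HTTP_STARTS):
        return "http"
    return "other"


def audit_mirror_capture(pcap):
    """Summarise a collector capture: a working mirror shows cleartext and no TLS records."""
    counts = {"tls": 0, "http": 0, "other": 0, "sensitive": 0}
    for _, _, payload in iter_tcp_payloads(pcap):
        counts[classify(payload)] += 1
        if any(h in payload for h in SENSITIVE_HEADERS):
            counts["sensitive"] += 1
    counts["mirror_ok"] = counts["http"] > 0 and counts["tls"] == 0
    return counts


# Constructed sample capture (not a real trace): one packet that is still a TLS
# record, plus a cleartext request carrying a session cookie and its response.
SAMPLE_FRAMES = [
    build_frame(51000, 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
    build_frame(51001, 443, b"GET /login HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"),
    build_frame(443, 51001, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    # For a real check, read the collector's file: open("collector.pcap", "rb").read()
    print(audit_mirror_capture(SAMPLE_PCAP))
```

A nonzero tls count means encrypted records are still arriving on the mirror port: the decryption rule did not match the traffic, the profile attached to it has no Decrypt Mirror interface selected, or the capture was taken on the wrong interface. A nonzero sensitive count is the practical face of the warning above: the collector now holds credentials and session tokens in the clear, so restrict who can reach it and how long it retains captures.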
