Configure Decryption Port Mirroring

Before you can enable Decryption Port Mirroring, obtain and install the free Decryption Port Mirror license. You can activate this license through the Customer Support Portal. The license requirement ensures that this feature can only be used after approved personnel purposefully activate the license. After obtaining, installing, and activating the license, reboot the Next-Generation Firewall (NGFW), then enable decryption mirroring.

Important Considerations

  1. Request a license for each NGFW on which you want to enable decryption mirroring.
    1. Log in to the Palo Alto Networks Customer Support website and navigate to the Assets tab.
    2. Select the entry for the NGFW you want to license and select Actions.
    3. Select Decryption Port Mirror. A legal notice displays.
    4. Click I understand and wish to proceed when you are clear about the potential legal implications and requirements.
    5. Click Activate.

  2. Install the Decryption Port Mirror license.
    1. On the NGFW, select Device > Licenses.
    2. Click Retrieve license keys from license server.
    3. Verify that the license is active.

  3. Reboot the NGFW (Device > Setup > Operations). This feature is not available for configuration until PAN-OS reloads.

  4. Forward decrypted traffic. Superuser permission is required to perform this step.

    On an NGFW with a single virtual system:
    1. Select Device > Setup > Content-ID.
    2. Select Allow forwarding of decrypted content.
    3. Click OK.

    On an NGFW with multiple virtual systems:
    1. Select Device > Virtual System.
    2. Select a Virtual System, or create a new Virtual System by selecting Add.
    3. Select Allow forwarding of decrypted content.
    4. Click OK.

  5. Enable the Ethernet interface you want to use for decryption mirroring.
    1. Select Network > Interfaces > Ethernet.
    2. Click an Ethernet interface. A dialog with various settings appears.
    3. For Interface Type, select Decrypt Mirror.
       This interface type appears only if you have installed the Decryption Port Mirror license.
    4. Click OK.

  6. Enable mirroring of decrypted traffic.
    1. Select Objects > Decryption Profile.
    2. Select the Interface you will use for Decryption Mirroring.
       The Interface drop-down contains all Ethernet interfaces of Decrypt Mirror type.
    3. Specify whether to mirror decrypted traffic before or after policy enforcement.
       By default, the NGFW mirrors all decrypted traffic to the interface before the Security policy rule lookup, allowing you to replay events and analyze traffic that generates a threat or triggers a drop action.
       If you want to mirror only decrypted traffic after Security policy enforcement, select the Forwarded Only check box. With this option, only traffic forwarded through the NGFW is mirrored. This option is useful if you are forwarding the decrypted traffic to other threat detection devices, such as a DLP device or another intrusion prevention system (IPS).
    4. Click OK.

  7. Attach the decryption profile (with decryption port mirroring enabled) to a decryption policy rule. All traffic decrypted based on the policy rule is mirrored.
    1. Select Policies > Decryption.
    2. Select an existing decryption policy rule, or Add a new rule.
    3. In the Options tab, select Decrypt and the Decryption Profile you created earlier.
    4. Click OK.

  8. Save the configuration: click Commit.
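After the commit, the analysis device attached to the Decrypt Mirror interface should receive plaintext application data for the sessions your decryption policy rule covers. The following script is an added example, not part of the PAN-OS documentation: it classifies raw Ethernet frames captured on that collector as plaintext HTTP or still-encrypted TLS records on port 443, which is a quick way to confirm the mirror is delivering decrypted content rather than the original TLS stream. The frame layout (untagged Ethernet, IPv4, TCP) is an assumption, and the sample frames are constructed inline.

```python
"""Health check for a collector attached to a Decrypt Mirror port (added example)."""
import struct

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"HTTP/1.")


def tcp_payload(frame):
    """Return (dst_port, payload) for an untagged IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 ethertype
        return None
    ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length
    if frame[23] != 6:                                   # protocol must be TCP
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    dst_port = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    data_off = (frame[tcp + 12] >> 4) * 4                # TCP header length
    return dst_port, frame[tcp + data_off:]


def classify(payload):
    """Label a TCP payload as plaintext HTTP, a TLS record, empty, or other."""
    if not payload:
        return "empty"
    if payload.startswith(HTTP_PREFIXES):
        return "plaintext-http"
    if len(payload) >= 2 and payload[0] in TLS_RECORD_TYPES and payload[1] == 3:
        return "tls-record"   # still encrypted: session not decrypted/mirrored
    return "other"


def summarize(frames):
    """Count payload classes seen on port 443; 'tls-record' hits mean no plaintext."""
    counts = {}
    for frame in frames:
        parsed = tcp_payload(frame)
        if parsed is None or parsed[0] != 443:
            continue
        label = classify(parsed[1])
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_frame(dst_port, payload):
    """Constructed sample frame (fake MACs/IPs, zero checksums) for offline testing."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


SAMPLE_FRAMES = [build_frame(443, b"GET /index.html HTTP/1.1\r\n"),   # decrypted
                 build_frame(443, b"\x16\x03\x01\x00\x05hello"),    # still TLS
                 build_frame(443, b"HTTP/1.1 200 OK\r\n")]           # decrypted
```

If the summary for port 443 shows mostly tls-record entries, check that the decryption policy rule actually matches the traffic and that the profile's Interface points at the Decrypt Mirror port.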