Palo Alto Networks Deep Dive: Decryption Mirror & Broker

Introduction: The Need for Decrypted Traffic Inspection

In modern network security, a significant portion of traffic is encrypted using SSL/TLS. While encryption is vital for data privacy, it also creates blind spots for security appliances. Malicious actors increasingly use encrypted channels to conceal threats, exfiltrate data, or launch attacks. Palo Alto Networks Next-Generation Firewalls (NGFWs) provide robust decryption capabilities to regain visibility into this encrypted traffic, enabling comprehensive threat prevention and policy enforcement.

PAN-OS offers several methods for SSL/TLS decryption:

SSL Forward Proxy: Decrypts outbound SSL/TLS traffic initiated by internal users to external websites. The firewall acts as a "man-in-the-middle" (MITM), presenting its own certificate to clients.
SSL Inbound Inspection: Decrypts inbound SSL/TLS traffic destined for internal servers. This requires installing the server's private key and certificate on the firewall.
SSH Proxy: Decrypts and inspects SSH traffic, offering granular control over SSH commands and file transfers.

Once traffic is decrypted, the firewall can apply its full suite of security services, including App-ID, User-ID, Content-ID (Threat Prevention, WildFire, URL Filtering, DNS Security, Data Filtering). However, some organizations have existing security tools or specific compliance requirements that necessitate sending decrypted traffic to external systems for further analysis or logging. This is where Palo Alto Networks Decryption Mirroring and Decryption Broker functionalities become crucial.

Palo Alto Networks Decryption Mirroring

Decrypt Mirror Interfaces in Palo Alto Networks firewalls allow the forwarding of a copy of decrypted SSL/TLS traffic to a designated physical interface. This cleartext traffic can then be consumed by external, passive analysis tools such as Data Loss Prevention (DLP) systems, Intrusion Detection Systems (IDS), network forensics tools, or custom monitoring solutions. The key benefit is that these external tools do not need to perform SSL/TLS decryption themselves; the Palo Alto Networks firewall handles this complex task.

    
     PCNSE/PCNSA Exam Note (Palo Alto Networks):
    
    Key aspects for the exam include understanding that Decryption Mirroring is for passive inspection, requires a specific "Decrypt Mirror" interface type (which cannot have an IP address), and necessitates a (free) "Decryption Port Mirror" license. Remember the firewall reboot requirement after license installation.

Key Considerations for Decryption Mirroring

License Requirement: A free "Decryption Port Mirror" license must be obtained via the Palo Alto Networks Customer Support Portal, installed on the firewall, and the firewall must be rebooted for the feature to be active and the "Decrypt Mirror" interface type to become available.
Interface Configuration: A dedicated physical Ethernet interface must be configured with the type set to Decrypt Mirror in PAN-OS (Network > Interfaces > Ethernet). This interface *cannot* have an IP address, be part of an Aggregate Ethernet (AE) group, VLAN, or Virtual Wire, nor can it be assigned to a Virtual Router or Zone. It essentially acts as a SPAN/RSPAN output port for decrypted traffic.
Legal and Privacy Compliance: Decrypting traffic exposes potentially sensitive data (usernames, passwords, financial information, PII, PHI, etc.). You must consult with your organization's legal and compliance teams to ensure adherence to all local laws, regulations (e.g., GDPR, HIPAA), and company policies regarding data privacy, user consent, and notification *before* enabling this feature. Proper authorization and documentation are critical.
Security Implications: Because decrypted traffic is sent in cleartext to the mirror port, physical and logical access to the connected analysis tool and the network segment it resides on must be strictly secured. Unauthorized access could lead to the capture and misuse of highly sensitive information. Consider dedicated, isolated network segments for these tools.
Performance: SSL/TLS decryption itself is CPU-intensive. Mirroring adds a small additional overhead for copying the decrypted packets to the mirror interface. Ensure the Palo Alto Networks firewall model is adequately sized for your expected decrypted traffic load and overall processing requirements. Monitor CPU and dataplane utilization closely after implementation.
Supported Platforms: Decryption Mirroring is primarily supported on PA-Series hardware firewalls. It is *not* typically supported on VM-Series firewalls, especially in public cloud environments (AWS, Azure, GCP), due to platform limitations on raw packet mirroring capabilities at the hypervisor or virtual networking level. Always consult the latest Palo Alto Networks documentation for specific platform support.
Virtual Systems (VSYS): If using multiple virtual systems on a Palo Alto Networks firewall, the setting "Allow forwarding of decrypted content" must be enabled globally (Device > Setup > Content-ID) or on a per-vsys basis (Device > Virtual Systems > select vsys > Decryption Settings) where mirroring is required.
Traffic Selection: In the Decryption Profile, you can choose to mirror all decrypted traffic (before Security policy evaluation) or only traffic that is ultimately "Forwarded Only" (i.e., allowed by Security policy). The "Forwarded Only" option is generally recommended for feeding tools like DLP to reduce unnecessary data and focus on actual forwarded communications.

    
     Gotcha! (Palo Alto Networks):
    
    A common oversight is forgetting to reboot the firewall after installing the "Decryption Port Mirror" license. The "Decrypt Mirror" interface type will not appear in the dropdown until after a successful reboot. Another common issue is not enabling "Allow forwarding of decrypted content" either globally or per-vsys.

High-Level Configuration Steps (Decryption Mirroring)

Activate and Install License: Obtain the "Decryption Port Mirror" license from the Customer Support Portal, then install it on the firewall (Device > Licenses > Retrieve license keys from license server).
Reboot Firewall: This is a mandatory step for the license to take effect and the interface type to become available.
Enable Forwarding of Decrypted Content: Navigate to Device > Setup > Content-ID (for single vsys) or Device > Virtual Systems (for multi-vsys) and check "Allow forwarding of decrypted content".
Configure Mirror Interface: Go to Network > Interfaces > Ethernet, select a physical interface, and set its Interface Type to Decrypt Mirror .
Create/Modify Decryption Profile: Go to Objects > Decryption > Decryption Profile. Create a new profile or edit an existing one. In the Decryption Mirroring section, select the configured Decrypt Mirror interface. Optionally, check "Forwarded Only".
Apply Profile to Decryption Policy: Go to Policies > Decryption. Apply the configured Decryption Profile to the relevant Decryption Policy rules that have an Action set to Decrypt .
Commit Changes: Commit the configuration to the firewall.

(See Detailed Configuration Steps below for specifics with screenshots from the technical guide).

Palo Alto Networks Decryption Broker

Palo Alto Networks Decryption Broker extends the firewall's decryption capabilities by enabling it to decrypt SSL/TLS traffic and then forward the cleartext traffic through a series of *inline* third-party security appliances (a "security chain") before re-encrypting it and sending it to its original destination. This allows organizations to integrate specialized security tools (e.g., advanced sandboxes, niche DLP solutions, specific industry compliance checkers) that require inline access to cleartext traffic.

Unlike Decryption Mirroring, which sends a passive copy, Decryption Broker actively routes the live traffic flow through the external tools. This means the availability and performance of the security chain directly impact the traffic path.

    
     PCNSE/PCNSA Exam Note (Palo Alto Networks):
    
    For Decryption Broker, understand its inline nature. Key concepts include Security Chain objects, supported modes (Transparent Bridge, Layer 2, Layer 3), and how it differs from Decryption Mirror. A specific "Decryption Broker" license might be required (often bundled or enabled via the Decryption Port Mirror license, but verify current licensing guides).

Key Features and Concepts of Decryption Broker

Inline Inspection: Decrypted traffic is forwarded sequentially through one or more external security devices. These devices inspect the traffic and can potentially block or modify it before it returns to the firewall.
Security Chain: A Security Chain is configured on the Palo Alto Networks firewall (Objects > Decryption > Security Chain) and defines the sequence of external devices, the interfaces used to send and receive traffic from the chain, and the operational mode.
Supported Modes:
- Transparent Bridge Mode: The firewall acts as a Layer 2 bridge between two segments where the security chain physically resides. The security chain appliances are typically deployed as Layer 2 bump-in-the-wire devices. This mode supports bi-directional traffic flow symmetrically through the chain.
- Layer 2 Mode: The firewall forwards decrypted traffic to the security chain using Layer 2 interfaces (e.g., VLAN interfaces). The chain devices must be on the same Layer 2 segment as the firewall's designated interfaces.
- Layer 3 Mode: The firewall forwards decrypted traffic to the security chain using Layer 3 interfaces. The security chain devices are addressed via IP, and routing must be configured correctly for traffic to reach and return from the chain.
Traffic Re-encryption: After the traffic passes through the security chain and returns to the firewall, PAN-OS re-encrypts it before forwarding it to the final destination.
Health Monitoring: PAN-OS can optionally monitor the health of the security chain (e.g., via path monitoring or keepalives, depending on the mode and configuration). If the chain is detected as down, traffic handling policies (e.g., bypass, block) can be applied.
License: Decryption Broker functionality generally requires the "Decryption Port Mirror" license to be active. Refer to the latest Palo Alto Networks documentation for precise licensing requirements, as they can evolve.

    
     CRITICAL (Palo Alto Networks):
    
    Decryption Broker places the external security chain directly in the path of live traffic. Any failure, misconfiguration, or performance bottleneck within the security chain will directly impact application availability and user experience. Robust design, thorough testing, and health monitoring of the security chain are paramount.

Decryption Mirror vs. Decryption Broker: Key Differences

Feature	Decryption Mirror	Decryption Broker
Purpose	Passive, out-of-band inspection of a copy of decrypted traffic.	Active, inline inspection of live decrypted traffic through a chain of external tools.
Traffic Impact	No direct impact on original traffic flow (unless firewall resources are exhausted).	Directly impacts traffic flow. Chain failure/latency affects users.
Interface Type Used	Dedicated "Decrypt Mirror" interface (no IP, L2/L3 config).	Standard Layer 2 or Layer 3 interfaces on the firewall to connect to the security chain.
External Tool Action	External tools can only analyze; they cannot block or modify live traffic.	External tools can analyze, block, or potentially modify live traffic.
Complexity	Relatively simpler to configure.	More complex due to security chain configuration, routing/bridging, and health monitoring.
Use Cases	DLP (passive), forensics, threat hunting, compliance logging.	Integrating specialized inline security tools (e.g., third-party sandboxes, advanced WAFs, industry-specific inspection engines).
License	"Decryption Port Mirror" license (free, requires activation and reboot).	Typically enabled by the "Decryption Port Mirror" license, but verify current Palo Alto Networks guides.

High-Level Configuration Steps (Decryption Broker)

Ensure Licensing: Verify the "Decryption Port Mirror" license is active (reboot if newly installed). Check specific Palo Alto Networks documentation for any additional Decryption Broker licensing notes.
Enable Forwarding of Decrypted Content: Same as for Decryption Mirror (Device > Setup > Content-ID or per-vsys).
Configure Security Chain Interfaces:
- Identify or configure the physical/aggregate interfaces on the Palo Alto Networks firewall that will connect to the security chain.
- Configure these interfaces appropriately for the chosen mode (e.g., Layer 2 with VLANs, Layer 3 with IP addresses).
- Assign these interfaces to appropriate security zones.
Configure Security Chain Object:
- Navigate to Objects > Decryption > Security Chain and click Add .
- Provide a Name .
- Select the Mode (Transparent Bridge, Layer 2, or Layer 3).
- Specify the Ingress Interface (from firewall to chain) and Egress Interface (from chain back to firewall).
- Configure other parameters based on the mode (e.g., VLAN tags for Layer 2, next-hop IPs for Layer 3, bridge interface for Transparent Bridge).
- (Optional but Recommended) Configure Health Monitoring for the chain.
Create/Modify Decryption Profile:
- Navigate to Objects > Decryption > Decryption Profile.
- In the "Forward Decrypted Content" section, check the box Forward decrypted traffic through security chain .
- From the dropdown, select the Security Chain object you created.
- (Optional) Check "Forwarded Only" if you only want traffic allowed by Security Policy to be sent to the broker.
Apply Profile to Decryption Policy: Assign this Decryption Profile to the relevant Decryption Policy rules (Action = Decrypt ).
Configure Security Policies: Ensure Security policies allow traffic to and from the zones associated with your security chain interfaces. For Layer 3 mode, ensure routing is in place.
Commit Changes.

    
     Gotcha! (Palo Alto Networks):
    
    For Decryption Broker in Layer 3 mode, ensure proper routing is configured on the firewall to reach the security chain devices and on the security chain devices (or downstream routers) to return traffic to the firewall's egress security chain interface. Asymmetric routing can break Decryption Broker flows.

Mermaid Diagrams: Visualizing Decryption Flows

Decryption Mirror Process (Sequence Diagram)

Sequence of operations in Palo Alto Networks Decryption Mirroring, showing passive copying of decrypted traffic to an external tool.

Decryption Mirror Configuration Flow (Flowchart)

Palo Alto Networks Decryption Mirroring configuration workflow.

Decryption Broker: Inline Security Chain (Transparent Bridge Mode)

Palo Alto Networks Decryption Broker traffic flow with an external security chain in Transparent Bridge mode. The PAN NGFW forwards decrypted traffic through inline Layer 2 tools.

Decryption Broker: Inline Security Chain (Layer 3 Mode)

Palo Alto Networks Decryption Broker traffic flow with an external security chain in Layer 3 mode. Decrypted traffic is routed to and from IP-addressable security tools.

Decision Flow: Decryption Mirror vs. Decryption Broker

Decision tree for selecting between Palo Alto Networks Decryption Mirror and Decryption Broker based on inspection requirements.

Detailed Configuration Steps for Decryption Mirroring (Recap from Technical Guide)

Follow these steps precisely in PAN-OS to configure Decryption Port Mirroring:

1. Obtain and Activate License

Log in to the Palo Alto Networks Customer Support Portal .
Navigate to Assets .
Find the firewall serial number you want to license.
Select Actions > Decryption Port Mirror .
Read the legal notice carefully. Understand the implications regarding data privacy and compliance.
Click I understand and wish to proceed if you accept the terms and requirements.
Click Activate .

2. Install License on Firewall

On the firewall WebUI, go to Device > Licenses .
Click Retrieve license keys from license server .
Verify that the "Decryption Port Mirror" license shows as active.
Reboot the firewall (Device > Setup > Operations > Reboot Device). This is mandatory for the feature to become available.

3. Enable Forwarding of Decrypted Content

Superuser (role-based admin with necessary permissions) is required for this step.

If using a single virtual system (vsys) or for global setting:

Go to Device > Setup > Content-ID .
In the "Content-ID Settings" section, check the box for Allow forwarding of decrypted content .
Click OK .

If using multiple virtual systems (and want per-vsys control):

Go to Device > Virtual Systems .
Select the specific virtual system where mirroring/brokering is needed.
Under the "Decryption Settings" tab (or similar, depending on PAN-OS version), check the box for Allow forwarding of decrypted content .
Click OK . Repeat for other relevant virtual systems.

4. Configure the Mirror Interface

Go to Network > Interfaces > Ethernet .
Click the name of the physical Ethernet interface you want to designate for mirroring (e.g., ethernet1/5).
In the interface configuration window, set the Interface Type to Decrypt Mirror . (This option only appears after the "Decryption Port Mirror" license is installed and the firewall is rebooted).
No IP address, virtual router, or zone assignment is needed or allowed for this interface type.
Click OK .

5. Configure the Decryption Profile for Mirroring

Go to Objects > Decryption > Decryption Profile .
Click Add or edit an existing profile that will be used for decrypting traffic you wish to mirror.
Give the profile a Name .
In the profile settings (often under an "SSL Forward Proxy", "SSL Inbound Inspection", or "Advanced" tab, depending on context and PAN-OS version), locate the Decryption Mirroring section.
From the Interface dropdown, select the Ethernet interface you configured as Decrypt Mirror in the previous step.
(Recommended) Choose the mirroring behavior:
- Leave Forwarded Only unchecked (default): Mirrors all traffic successfully decrypted by rules using this profile, *before* Security policy lookup for forwarding decisions.
- Check Forwarded Only : Mirrors only the decrypted traffic that is also allowed and forwarded by a matching Security policy rule. This is generally preferred for tools like DLP or secondary IPS to reduce noise and focus on traffic actually traversing the network.
Configure other Decryption Profile settings as needed (e.g., SSL Protocol Settings, checks for Untrusted Issuers, Expired Certificates, etc., based on your decryption goals).
Click OK .

6. Apply Profile to Decryption Policy

Go to Policies > Decryption .
Click Add or edit an existing Decryption rule that has the Action set to Decrypt . This rule will define which traffic (based on source, destination, service, URL category, etc.) gets decrypted.
Navigate to the Options tab (or similar, depending on rule type) within the rule configuration.
Ensure the Action is Decrypt .
From the Decryption Profile dropdown, select the profile you configured/modified for mirroring in the previous step.
Click OK .

7. Commit Changes

Click Commit in the top-right corner of the WebUI.
Review the changes and click Commit again to save and apply the configuration to the firewall.

Advanced Considerations & Best Practices (Palo Alto Networks)

Performance Impact and Sizing

SSL/TLS decryption is one of the most resource-intensive operations a Palo Alto Networks NGFW performs, primarily impacting CPU utilization. Both Decryption Mirroring and Decryption Broker rely on this initial decryption.

Mirroring Overhead: Adds a relatively small overhead on top of decryption, as the firewall needs to duplicate decrypted packets and send them out the mirror port.
Broker Overhead: In addition to decryption, the Broker functionality involves policy lookups for routing/bridging traffic to/from the security chain and managing the state of these flows. The performance of the external security chain itself is also a critical factor.
Sizing: Always use the Palo Alto Networks Appliance Comparison Tool and consult with a Palo Alto Networks SE or partner for proper sizing. Consider the "SSL Decryption Throughput" and "SSL Decryption Sessions" metrics, factoring in your specific traffic mix and expected growth. It's better to oversize than undersize.
Monitoring: Post-deployment, closely monitor CPU ( show running resource-monitor ), session count ( show session info ), and decryption specific counters ( show counter global filter aspect-subsystem decryption delta yes ) on the PAN-OS CLI.

    
     PCNSE/PCNSA Exam Note (Palo Alto Networks):
    
    Understand that decryption significantly impacts firewall performance. For PCNSE, knowing how to check resource utilization (CPU, sessions) and basic decryption statistics via CLI is important.

"Forwarded Only" vs. "All Decrypted Traffic"

This option in the Decryption Profile (for Mirroring) or Security Chain forwarding settings (conceptually for Broker) determines what gets sent:

All Decrypted Traffic (Forwarded Only unchecked/not applicable): The firewall mirrors/forwards traffic as soon as it's decrypted, *before* the final Security Policy decision to allow or deny the flow. This can be useful for seeing all attempts but might send more data than needed to the external tool.
Forwarded Only (checked): The firewall mirrors/forwards only the decrypted traffic that has been matched by a Security Policy rule with an "allow" action. This is generally more efficient, especially for DLP tools, as it focuses on traffic that actually transits the network.

High Availability (HA) Considerations

When using Decryption Mirroring or Broker in a Palo Alto Networks HA A/P (Active/Passive) or A/A (Active/Active) cluster:

Mirroring:
- The Decrypt Mirror interface configuration is synchronized between HA peers.
- Decrypted traffic is mirrored only by the active firewall processing the session. If a failover occurs, the new active firewall will take over mirroring for new and (if session sync is enabled) existing sessions it decrypts.
- Ensure the physical connection from the mirror port to the analysis tool is appropriately managed for HA (e.g., connecting both firewalls' mirror ports to the same switch/tool, or using a network tap aggregator).
Broker:
- Security Chain configurations and associated interface settings are synced.
- Session ownership and traffic forwarding through the chain are managed by the active device for that session (in A/P, the active firewall; in A/A, the firewall owning the session).
- Path monitoring for the security chain should be robust.
- PAN-OS provides specific CLI commands to check HA state for Decryption Broker: show high-availability decryption-broker state and show high-availability decryption-broker flows .

    
     Gotcha! (Palo Alto Networks):
    
    In an HA A/A setup for Decryption Broker, ensure your security chain and network design can handle traffic potentially being brokered by either HA peer. Symmetric hashing for session distribution (if applicable for load balancing to the HA cluster) and consistent routing to/from the chain are critical.

Platform Support and Limitations

PA-Series Hardware: Decryption Mirroring and Broker are primarily designed for and fully supported on PA-Series hardware NGFWs.
VM-Series:
- Decryption Mirroring: Generally *not* supported on VM-Series due to limitations in most hypervisor/cloud virtual networking stacks for true port mirroring of raw packets from a guest VM's virtual interface.
- Decryption Broker: May have better applicability on VM-Series as it uses standard Layer 2 or Layer 3 vNICs to forward traffic. However, performance and specific hypervisor capabilities (e.g., SR-IOV, DPDK support if leveraged by PAN-OS on VM) will be key factors. Always verify against the latest Palo Alto Networks VM-Series deployment guides for your specific hypervisor/cloud.
Unsupported Traffic for Decryption: Certain traffic types cannot be decrypted by PAN-OS, and therefore cannot be mirrored or brokered in cleartext:
- Traffic using TLS client certificate authentication where the firewall doesn't have the client's private key.
- Sessions using ciphers or TLS versions explicitly blocked by the Decryption Profile (e.g., block sessions with unsupported versions/ciphers).
- Applications with pinned certificates or mutual TLS where the firewall cannot successfully impersonate the server/client.
- Non-SSL/TLS encrypted traffic (e.g., IPsec VPNs, some proprietary encryption protocols, unless specific proxy mechanisms exist like SSH Proxy).

Monitoring and Troubleshooting Decryption Mirror & Broker (Palo Alto Networks)

Verifying and troubleshooting Decryption Mirroring and Broker setups involves checking PAN-OS logs, statistics, and potentially performing packet captures.

Using PAN-OS Logs and ACC

Decryption Logs (Monitor > Logs > Decryption): This is the primary log to verify if traffic matching your Decryption Policy is being successfully decrypted or if errors are occurring (e.g., untrusted issuer, expired certificate, handshake failure). Look for:
- Action: decrypt
- Decryption Profile: The one configured for mirror/broker.
- Error messages if decryption fails.
- For mirrored sessions, there isn't a direct "mirrored" flag here, but successful decryption is a prerequisite.
Traffic Logs (Monitor > Logs > Traffic): Shows session details. If traffic is decrypted, the "Decrypted" column will be checked. For brokered traffic, you'll see sessions to/from the security chain interfaces.
System Logs (Monitor > Logs > System): May show events related to license activation, HA failovers affecting decryption broker, or critical decryption engine issues.
Application Command Center (ACC):
- The ACC has widgets related to SSL Decryption, showing decrypted traffic volume, top decrypted applications, and decryption failure reasons.
- This provides a high-level overview of decryption activity.

PAN-OS CLI Commands for Verification and Troubleshooting

show counter global filter delta yes aspect-subsystem decryption
# Displays various decryption counters, including successful decryptions, errors, and potentially mirrored/brokered packet counts (look for specific counters like 'mirr' or 'broker' if available in your PAN-OS version).

show session all filter decryption-profile <your-profile-name>
# Shows active sessions using your specific decryption profile.

show session id <session-id>
# Detailed view of a specific session. Look for flags indicating decryption status (e.g., 'decrypted: yes', 'ssl_proxy_ft_processed').

# For Decryption Broker:
show system setting decryption-broker status
# Shows the status of configured security chains, including health.

show system setting decryption-broker statistics
# Displays statistics for traffic forwarded through security chains.

show high-availability decryption-broker state
# In HA, shows the Decryption Broker state on each peer.

debug dataplane pool statistics | match Decryption
# Shows memory pool usage for decryption, useful for resource exhaustion troubleshooting.

# Packet Captures (use with caution in production):
debug dataplane packet-diag set filter on match ...
debug dataplane packet-diag set capture stage receive file rx.pcap
debug dataplane packet-diag set capture stage transmit file tx.pcap
debug dataplane packet-diag set capture stage drop file dp.pcap
# Configure filters carefully to capture relevant traffic (e.g., on mirror interface, or pre/post security chain).
# Then: view-pcap follow yes debug-pcap <stage>.pcap

    
     PCNSE/PCNSA Exam Note (Palo Alto Networks):
    
    Key CLI commands for PCNSE include `show counter global filter ... decryption`, `show session id ...`, and basic `debug dataplane packet-diag` understanding (though deep debugging is beyond PCNSA). Knowing where to find Decryption logs in the GUI is also crucial.

Common Issues and Troubleshooting Steps

No Traffic on Mirror Port / No Traffic to Broker Chain:
- License: Verify "Decryption Port Mirror" license is active and firewall rebooted.
- Allow Forwarding: Check "Allow forwarding of decrypted content" (Device > Setup > Content-ID or per-vsys).
- Interface Config:
  - Mirror: Ensure interface type is "Decrypt Mirror". Physical link up?
  - Broker: Ensure L2/L3 interfaces for chain are correctly configured, up, and in correct zones. Physical links up?
- Decryption Profile:
  - Mirror: Mirror interface selected? "Forwarded Only" correctly set?
  - Broker: Security Chain selected? "Forward decrypted traffic through security chain" checked?
- Decryption Policy: Is the correct Decryption Profile applied to a rule matching the traffic, with Action = Decrypt? Are sessions actually being decrypted (check Decryption logs)?
- Security Policy (for Broker): Are Security policies in place to allow traffic between the firewall and the security chain devices/zones?
- Routing (for L3 Broker): Correct routes on firewall and security chain devices? No asymmetric routing?
Intermittent or Partial Mirroring/Brokering:
- Resource Exhaustion: Check firewall CPU, memory, session limits. High load can cause packet drops.
- MTU Mismatches: Especially for Broker, ensure consistent MTU across the firewall interfaces and security chain devices.
- Unsupported Ciphers/TLS Versions: If sessions are not decrypted due to unsupported parameters, they won't be mirrored/brokered. Check Decryption logs for errors.
Security Chain Issues (Broker):
- Device Down: Is a tool in the chain offline? Check health monitoring if configured.
- Misconfiguration on External Tool: Is the external tool expecting traffic correctly (e.g., IP, VLAN)?
- Latency: High latency in the chain will impact application performance.

PCNSE Knowledge Check: Palo Alto Networks Decryption Mirror & Broker

1. A Palo Alto Networks firewall administrator needs to send a copy of decrypted SSL/TLS traffic to a passive, out-of-band DLP system for analysis. Which PAN-OS feature and interface type are most appropriate?

A. Decryption Broker with a Layer 2 Security Chain B. Tap Mode interface with SSL Forward Proxy C. Decryption Mirroring with a "Decrypt Mirror" interface type D. SSL Inbound Inspection with a Log Forwarding Profile

2. What is a mandatory prerequisite for the "Decrypt Mirror" interface type to be available for selection in the PAN-OS WebUI?

A. Activating a GlobalProtect license. B. Installing the "Decryption Port Mirror" license and rebooting the firewall. C. Configuring a Decryption Profile with "Forwarded Only" unchecked. D. Enabling "Allow forwarding of decrypted content" in Device > Setup > Content-ID.

3. In the context of Palo Alto Networks Decryption Broker, what is the primary purpose of a "Security Chain"?

A. To define a sequence of inline third-party security appliances through which decrypted traffic will be routed. B. To specify a list of SSL certificates used for re-encrypting brokered traffic. C. To create a chain of trust for SSL Inbound Inspection certificates. D. To link multiple Decrypt Mirror interfaces for load balancing.

4. Which statement accurately describes a key difference between Palo Alto Networks Decryption Mirror and Decryption Broker?

A. Decryption Mirror is an inline process, while Decryption Broker is out-of-band. B. Only Decryption Broker requires a specific license; Decryption Mirror does not. C. Decryption Mirror uses standard Layer 3 interfaces, while Broker uses a "Decrypt Broker" interface type. D. Decryption Broker forwards live traffic through external tools which can block/modify it, while Mirror sends a passive copy.

5. An administrator configures Decryption Mirroring. What is a critical security consideration for the network segment where the analysis tool receiving mirrored traffic resides?

A. It must have a route back to the firewall's management interface. B. It must be part of the same broadcast domain as the firewall's dataplane interfaces. C. Physical and logical access to this segment must be strictly secured as it receives cleartext sensitive data. D. The analysis tool must be configured as an NTP client to the firewall.

6. Which Decryption Broker mode is best suited when the external security chain devices are deployed as Layer 2 "bump-in-the-wire" appliances and symmetric bi-directional traffic flow is required?

A. Transparent Bridge Mode B. Layer 3 Mode C. Decrypt Mirror Mode D. SSL Offload Mode

7. What is the purpose of the "Allow forwarding of decrypted content" setting in PAN-OS (Device > Setup > Content-ID or per-vsys)?

A. It enables the firewall to forward SSL certificates to WildFire for analysis. B. It globally or per-vsys authorizes the firewall to send decrypted content to features like Decryption Mirror or Decryption Broker. C. It allows decrypted content to be stored in the firewall's local log files. D. It permits forwarding of traffic that failed decryption due to untrusted certificates.

8. When configuring a Decryption Profile for Decryption Mirroring, what does selecting the "Forwarded Only" option achieve?

A. Only traffic destined for the firewall itself is mirrored. B. Only SSL Forward Proxy traffic is mirrored, not SSL Inbound Inspection. C. All decrypted traffic is mirrored, regardless of Security Policy actions. D. Only decrypted traffic that is subsequently allowed by a Security Policy rule is mirrored.

9. Which Palo Alto Networks platform typically has limitations supporting Decryption Mirroring due to hypervisor/virtual networking constraints?

A. VM-Series firewalls B. PA-7000 Series hardware firewalls C. PA-5200 Series hardware firewalls D. PA-400 Series hardware firewalls

10. An administrator is troubleshooting Decryption Broker. Traffic is being decrypted, but not reaching the external security chain. Which of these is LEAST likely to be the direct cause if basic decryption is working?

A. Misconfigured Security Chain object (incorrect ingress/egress interfaces). B. Missing or incorrect Security Policy rules allowing traffic to/from the security chain zones. C. The "Decryption Port Mirror" license has expired. D. Incorrect routing for Layer 3 mode Decryption Broker.

11. What type of interfaces on the Palo Alto Networks firewall are used to connect to the external security devices in a Decryption Broker setup?

A. Only dedicated "Decrypt Broker" interface types. B. Standard Layer 2 or Layer 3 interfaces (e.g., Ethernet, Aggregate Ethernet). C. Only Tap interfaces. D. Only Virtual Wire interfaces.

12. In a Palo Alto Networks HA (High Availability) Active/Passive pair, if the active firewall fails, what happens to Decryption Mirroring?

A. The newly active (passive) firewall will take over mirroring for new and potentially existing decrypted sessions it handles. B. Decryption Mirroring stops until the original active firewall is restored. C. Both firewalls will start mirroring traffic simultaneously to provide redundancy. D. Mirroring configuration is lost and must be manually reapplied on the new active unit.

13. Which PAN-OS CLI command is most useful for checking real-time counters related to SSL/TLS decryption successes and failures?


        show system resources


        show interface all


        show arp all


        show counter global filter delta yes aspect-subsystem decryption

Explanation (Palo Alto Networks Focus): The command


       show counter global filter delta yes aspect-subsystem decryption

(D) provides detailed, real-time counters specifically for the decryption subsystem, including various success and error metrics.


       show system resources

shows CPU/memory.


       show interface

and


       show arp

are for network interface and ARP table status, respectively.

14. When using Decryption Broker, what is a potential consequence if an inline security tool within the configured Security Chain becomes unresponsive?

A. The firewall will automatically bypass the entire Decryption Broker feature and forward traffic encrypted. B. The firewall will switch to Decryption Mirror mode for affected sessions. C. Live traffic flow for sessions being brokered through that chain may be interrupted or significantly delayed. D. The firewall will only send a warning log, and traffic will continue to flow normally through the broken chain.

15. Which of the following is a legal and compliance prerequisite BEFORE enabling Decryption Mirroring or Broker in a production Palo Alto Networks environment?

A. Consulting with corporate counsel regarding data privacy laws, regulations, and user consent policies. B. Obtaining a signed waiver from all internet service providers involved. C. Publishing the firewall's decryption keys on a public repository. D. Ensuring all external analysis tools are from Palo Alto Networks.

16. A Decrypt Mirror interface on a Palo Alto Networks firewall cannot have which of the following configured?

A. A link speed setting (e.g., 1Gbps). B. A descriptive comment. C. Duplex settings (e.g., full-duplex). D. An IP address and assignment to a Virtual Router.

17. For Decryption Broker in Layer 3 mode, what is crucial for ensuring traffic correctly returns to the Palo Alto Networks firewall from the external security chain?

A. The security chain devices must use the firewall's management IP as their default gateway. B. Proper IP routing on the security chain devices (or downstream routers) to direct traffic back to the firewall's egress security chain interface. C. All security chain devices must be in the same Layer 2 broadcast domain as the firewall. D. The firewall must have NAT enabled for all traffic going to the security chain.

18. If multiple virtual systems (vsys) are configured on a Palo Alto Networks firewall, where must "Allow forwarding of decrypted content" be enabled for Decryption Mirroring/Broker to function for a specific vsys?

A. Only globally under Device > Setup > Content-ID; per-vsys settings are not possible. B. It's enabled by default and cannot be disabled. C. It can be enabled globally (Device > Setup > Content-ID) OR on a per-vsys basis (Device > Virtual Systems > select vsys). D. Only within the Decryption Profile itself.

19. What is the primary log type in PAN-OS to check if SSL/TLS decryption itself is succeeding or failing, before considering if it's being mirrored or brokered?

A. Decryption Logs (Monitor > Logs > Decryption) B. URL Filtering Logs (Monitor > Logs > URL Filtering) C. Threat Logs (Monitor > Logs > Threat) D. System Logs (Monitor > Logs > System)

20. Which of these PAN-OS features allows the firewall to decrypt traffic, send it INLINE through a series of third-party security tools, and then re-encrypt it before forwarding to the destination?

A. SSL Forward Proxy with Log Forwarding B. Decryption Mirroring C. App-ID based Decryption D. Decryption Broker