How to Configure a Decrypt Mirror Port

How to Configure a Decrypt Mirror Port

31350
Created On 09/25/18 17:30 PM - Last Modified 08/05/19 20:36 PM


Resolution

Overview

PAN-OS 6.0 introduced a feature to create a copy of decrypted traffic and send it to a mirror port, which enables raw packet captures of the decrypted traffic for archiving and analysis.

 

Steps

  1. Activate the "Decryption Port Mirror" license. Go to Device > Licenses:
    Screen Shot 2013-11-14 at 16.53.20.png
 
  1. Reboot the device.
 
  1. After the reboot completes, choose a free interface. Go to Network > Interfaces to use as port mirror interface:
    Screen Shot 2013-11-14 at 16.52.39.png
 
  1. Create a Decryption Profile. Go to Objects > Decryption Profile. In this profile, specify which interface the decrypted traffic needs to send. 
Note: When configuring the Decryption profile on Panorama, the shared checkbox cannot be ticked.
Screen Shot 2013-11-14 at 16.56.49.png
 
  1. Apply the decryption profile to the SSL Decryption Policy or Policies:
    Screen Shot 2013-11-14 at 16.57.53.png
 
  1. Allow forwarding of Decrypted Content. Go to Device > Setup > Content-ID:
    Decrypt_forward.jpg
 
  1. Commit the configuration.

All traffic that matches the SSL Decryption Policy will be decrypted and forwarded to the mirror port, which is ethernet 1/8 in the above example.

 

Multi-VSYS Configuration

When creating a new VSYS, select the option "Allow Forwarding of Decrypted Content," which is shown below. The rest of the configuration is the same as for a single VSYS environment.

Screen Shot 2014-09-14 at 6.51.05 PM.png

 

Verification

After the setup is complete, the sessions that are marked for decryption will be forwarded to the designated port.
This can be verified in the session table by filtering all the sessions that are decrypt-mirrored:

> show session all filter decrypt-mirror yes



--------------------------------------------------------------------------------

ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                          Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

33557112     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55193]/Untrust/6  (10.193.88.91[28832])

vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])

33557161     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55241]/Untrust/6  (10.193.88.91[6770])

vsys1                                          216.58.209.238[443]/Untrust  (216.58.209.238[443])

33557106     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55190]/Untrust/6  (10.193.88.91[1490])

vsys1                                          216.58.209.230[443]/Untrust  (216.58.209.230[443])

33557131     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55207]/Untrust/6  (10.193.88.91[44665])

vsys1                                          74.125.71.94[443]/Untrust  (74.125.71.94[443])

33557084     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55170]/Untrust/6  (10.193.88.91[34083])

vsys1                                          204.79.197.203[443]/Untrust  (204.79.197.203[443])

33557166     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55244]/Untrust/6  (10.193.88.91[50576])

vsys1                                          216.58.209.226[443]/Untrust  (216.58.209.226[443])

33557086     facebook-social-plugin ACTIVE  FLOW *NS   10.193.91.111[55172]/Untrust/6  (10.193.88.91[55838])

vsys1                                          31.13.93.3[443]/Untrust  (31.13.93.3[443])

33557135     youtube-base   ACTIVE  FLOW *NS   10.193.91.111[55210]/Untrust/6  (10.193.88.91[31302])

vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])

33557118     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55195]/Untrust/6  (10.193.88.91[33260])

vsys1                                          74.125.206.154[443]/Untrust  (74.125.206.154[443])

33557141     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55215]/Untrust/6  (10.193.88.91[50351])

vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])

33557116     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55194]/Untrust/6  (10.193.88.91[15099])

vsys1                                          216.58.209.238[443]/Untrust  (216.58.209.238[443])

33557127     flash          ACTIVE  FLOW *NS   10.193.91.111[55202]/Untrust/6  (10.193.88.91[9829])

vsys1                                          216.58.209.230[443]/Untrust  (216.58.209.230[443])

33557091     twitter-base   ACTIVE  FLOW *NS   10.193.91.111[55179]/Untrust/6  (10.193.88.91[28557])

vsys1                                          199.16.157.105[443]/Untrust  (199.16.157.105[443])

33557143     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55216]/Untrust/6  (10.193.88.91[54633])

7316         http-video     ACTIVE  FLOW *NS   10.193.91.111[55238]/Untrust/6  (10.193.88.91[26068])

vsys1                                          173.194.129.178[443]/Untrust  (173.194.129.178[443])

7238         web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55184]/Untrust/6  (10.193.88.91[28250])

vsys1                                          74.125.195.113[443]/Untrust  (74.125.195.113[443])

7307         web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55233]/Untrust/6  (10.193.88.91[44945])

vsys1                                          74.125.206.154[443]/Untrust  (74.125.206.154[443])
 

 

owner: rvanderveken



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGDCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language