How to Configure a Decrypt Mirror Port on PAN-OS 6.0

by rvanderveken on 11-14-2013 08:29 AM (13,542 Views)
Labels: Configuration, Learning, Network, Objects & Security Profiles

Overview
PAN-OS 6.0 introduced a feature to create a copy of decrypted traffic and send it to a mirror port, which enables raw packet captures of
the decrypted traffic for archiving and analysis.
Note: This feature is available on the Palo Alto Networks PA-3000 Series and PA-5000 Series devices.

Steps
1. Activate the "Decryption Port Mirror" license. Go to Device > Licenses.
2. Reboot the device.
3. After the reboot completes, choose a free interface to use as the port mirror interface. Go to Network > Interfaces.
4. Create a Decryption Profile. Go to Objects > Decryption Profile. In this profile, specify the interface to which the decrypted traffic
needs to be sent.
5. Apply the decryption profile to the SSL Decryption Policy or Policies.
6. Allow forwarding of Decrypted Content. Go to Device > Setup > Content-ID.
7. Commit the configuration.

All traffic that matches the SSL Decryption Policy will be decrypted and forwarded to the mirror port, which is ethernet1/8 in the above
example.

Multi-VSYS Configuration
When creating a new VSYS, select the option "Allow Forwarding of Decrypted Content," which is shown below. The rest of the
configuration is the same as for a single VSYS environment.

Verification
After the setup is complete, the sessions that are marked for decryption will be forwarded to the designated port.
This can be verified in the session table by filtering all the sessions that are decrypt-mirrored:
> show session all filter decrypt-mirror yes

ID        Application             State   Type  Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                                  Dst[Dport]/Zone (translated IP[Port])

33557112  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55193]/Untrust/6 (10.193.88.91[28832])
vsys1                                                 216.58.209.224[443]/Untrust (216.58.209.224[443])
33557161  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55241]/Untrust/6 (10.193.88.91[6770])
vsys1                                                 216.58.209.238[443]/Untrust (216.58.209.238[443])
33557106  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55190]/Untrust/6 (10.193.88.91[1490])
vsys1                                                 216.58.209.230[443]/Untrust (216.58.209.230[443])
33557131  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55207]/Untrust/6 (10.193.88.91[44665])
vsys1                                                 74.125.71.94[443]/Untrust (74.125.71.94[443])
33557084  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55170]/Untrust/6 (10.193.88.91[34083])
vsys1                                                 204.79.197.203[443]/Untrust (204.79.197.203[443])
33557166  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55244]/Untrust/6 (10.193.88.91[50576])
vsys1                                                 216.58.209.226[443]/Untrust (216.58.209.226[443])
33557086  facebook-social-plugin  ACTIVE  FLOW  *NS   10.193.91.111[55172]/Untrust/6 (10.193.88.91[55838])
vsys1                                                 31.13.93.3[443]/Untrust (31.13.93.3[443])
33557135  youtube-base            ACTIVE  FLOW  *NS   10.193.91.111[55210]/Untrust/6 (10.193.88.91[31302])
vsys1                                                 216.58.209.224[443]/Untrust (216.58.209.224[443])
33557118  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55195]/Untrust/6 (10.193.88.91[33260])
vsys1                                                 74.125.206.154[443]/Untrust (74.125.206.154[443])
33557141  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55215]/Untrust/6 (10.193.88.91[50351])
vsys1                                                 216.58.209.224[443]/Untrust (216.58.209.224[443])
33557116  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55194]/Untrust/6 (10.193.88.91[15099])
vsys1                                                 216.58.209.238[443]/Untrust (216.58.209.238[443])
33557127  flash                   ACTIVE  FLOW  *NS   10.193.91.111[55202]/Untrust/6 (10.193.88.91[9829])
vsys1                                                 216.58.209.230[443]/Untrust (216.58.209.230[443])
33557091  twitter-base            ACTIVE  FLOW  *NS   10.193.91.111[55179]/Untrust/6 (10.193.88.91[28557])
vsys1                                                 199.16.157.105[443]/Untrust (199.16.157.105[443])
33557143  web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55216]/Untrust/6 (10.193.88.91[54633])
7316      http-video              ACTIVE  FLOW  *NS   10.193.91.111[55238]/Untrust/6 (10.193.88.91[26068])
vsys1                                                 173.194.129.178[443]/Untrust (173.194.129.178[443])
7238      web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55184]/Untrust/6 (10.193.88.91[28250])
vsys1                                                 74.125.195.113[443]/Untrust (74.125.195.113[443])
7307      web-browsing            ACTIVE  FLOW  *NS   10.193.91.111[55233]/Untrust/6 (10.193.88.91[44945])
vsys1                                                 74.125.206.154[443]/Untrust (74.125.206.154[443])
Comments

by jhartman on 02-12-2015 07:41 AM

Is it also possible to mirror other traffic to a mirror port?

A customer would like to monitor all traffic to a specific url category; it seems that this is only possible for encrypted traffic. Can we also
send unencrypted traffic to a specific category to this port?

by ilya 11-23-2015 10:33 AM - edited 11-23-2015 10:45 AM

Jhartman,

You can try redirecting some unencrypted traffic with routing or PBF, but there is no way to forward all unencrypted traffic to a mirror
port with a Palo Alto Networks firewall.

Instead, you achieve this using your switch's mirror port or purpose-built devices such as Network Packet Brokers.
