Labels: Configuration, Learning, Network, Objects & Security Profiles
Contributors: rvanderveken
https://live.paloaltonetworks.com/t5/ConfigurationArticles/HowtoConfigureaDecryptMirrorPortonPANOS60/tap/57440
4/12/2016 How to Configure a Decrypt Mirror Port on PAN-OS 6... LiveCommunity
All traffic that matches the SSL Decryption Policy will be decrypted and forwarded to the mirror port, which is ethernet 1/8 in the above example.
Multi-VSYS Configuration
When creating a new VSYS, select the option "Allow Forwarding of Decrypted Content," which is shown below. The rest of the configuration is the same as for a single VSYS environment.
Verification
After the setup is complete, the sessions that are marked for decryption will be forwarded to the designated port.
This can be verified in the session table by filtering all the sessions that are decrypt-mirrored:
> show session all filter decrypt-mirror yes

ID          Application             State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                                   Dst[Dport]/Zone (translated IP[Port])
33557112    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55193]/Untrust/6  (10.193.88.91[28832])
vsys1                                                  216.58.209.224[443]/Untrust  (216.58.209.224[443])
33557161    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55241]/Untrust/6  (10.193.88.91[6770])
vsys1                                                  216.58.209.238[443]/Untrust  (216.58.209.238[443])
33557106    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55190]/Untrust/6  (10.193.88.91[1490])
vsys1                                                  216.58.209.230[443]/Untrust  (216.58.209.230[443])
33557131    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55207]/Untrust/6  (10.193.88.91[44665])
vsys1                                                  74.125.71.94[443]/Untrust  (74.125.71.94[443])
33557084    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55170]/Untrust/6  (10.193.88.91[34083])
vsys1                                                  204.79.197.203[443]/Untrust  (204.79.197.203[443])
33557166    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55244]/Untrust/6  (10.193.88.91[50576])
vsys1                                                  216.58.209.226[443]/Untrust  (216.58.209.226[443])
33557086    facebook-social-plugin  ACTIVE  FLOW *NS   10.193.91.111[55172]/Untrust/6  (10.193.88.91[55838])
vsys1                                                  31.13.93.3[443]/Untrust  (31.13.93.3[443])
33557135    youtube-base            ACTIVE  FLOW *NS   10.193.91.111[55210]/Untrust/6  (10.193.88.91[31302])
vsys1                                                  216.58.209.224[443]/Untrust  (216.58.209.224[443])
33557118    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55195]/Untrust/6  (10.193.88.91[33260])
vsys1                                                  74.125.206.154[443]/Untrust  (74.125.206.154[443])
33557141    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55215]/Untrust/6  (10.193.88.91[50351])
vsys1                                                  216.58.209.224[443]/Untrust  (216.58.209.224[443])
33557116    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55194]/Untrust/6  (10.193.88.91[15099])
vsys1                                                  216.58.209.238[443]/Untrust  (216.58.209.238[443])
33557127    flash                   ACTIVE  FLOW *NS   10.193.91.111[55202]/Untrust/6  (10.193.88.91[9829])
vsys1                                                  216.58.209.230[443]/Untrust  (216.58.209.230[443])
33557091    twitter-base            ACTIVE  FLOW *NS   10.193.91.111[55179]/Untrust/6  (10.193.88.91[28557])
vsys1                                                  199.16.157.105[443]/Untrust  (199.16.157.105[443])
33557143    web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55216]/Untrust/6  (10.193.88.91[54633])
7316        http-video              ACTIVE  FLOW *NS   10.193.91.111[55238]/Untrust/6  (10.193.88.91[26068])
vsys1                                                  173.194.129.178[443]/Untrust  (173.194.129.178[443])
7238        web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55184]/Untrust/6  (10.193.88.91[28250])
vsys1                                                  74.125.195.113[443]/Untrust  (74.125.195.113[443])
7307        web-browsing            ACTIVE  FLOW *NS   10.193.91.111[55233]/Untrust/6  (10.193.88.91[44945])
vsys1                                                  74.125.206.154[443]/Untrust  (74.125.206.154[443])
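As an added example (not part of the original article or of PAN-OS), a small Python parser for the two-line-per-session layout that "show session all filter decrypt-mirror yes" prints, so the verification step above can be scripted: it pairs each source line with the Vsys/destination line that follows it, keeps a source line that has no destination line (as happens in truncated output) as a partial record, counts mirrored sessions per App-ID, and lists the session IDs whose destination port is not the one the decryption policy was expected to match. The sample output embedded in it is constructed to mirror the format shown above, and the expected port list (443) is an assumption for this example.

```python
import re
from collections import Counter

# Constructed sample in the two-line layout printed by "show session all filter
# decrypt-mirror yes" (values modelled on the article; 33557143 lacks its Vsys line).
SAMPLE = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
33557112     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55193]/Untrust/6  (10.193.88.91[28832])
vsys1                                          216.58.209.224[443]/Untrust  (216.58.209.224[443])
33557143     web-browsing   ACTIVE  FLOW *NS   10.193.91.111[55216]/Untrust/6  (10.193.88.91[54633])
33557086     facebook-social-plugin ACTIVE FLOW *NS 10.193.91.111[55172]/Untrust/6 (10.193.88.91[55838])
vsys1                                          31.13.93.3[443]/Untrust  (31.13.93.3[443])
"""
# Line 1 of a session: ID, App-ID, state, type, optional flags, source tuple;
# line 2: virtual system and destination tuple. The header line matches neither.
SRC_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>\*\S*)\s+)?"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"\((?P<nat_src>[\d.]+)\[(?P<nat_sport>\d+)\]\)\s*$")
DST_RE = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>[^\s(]+)\s+"
    r"\((?P<nat_dst>[\d.]+)\[(?P<nat_dport>\d+)\]\)\s*$")

def parse_sessions(text):
    """Pair source lines with the Vsys line that follows; keep orphans as partial."""
    sessions, pending = [], None
    for line in text.splitlines():
        m = SRC_RE.match(line)
        if m:
            if pending is not None:      # previous session had no second line
                sessions.append(pending)
            pending = m.groupdict()
            continue
        m = DST_RE.match(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            sessions.append(pending)
            pending = None
    if pending is not None:
        sessions.append(pending)
    return sessions

def summarize(sessions, expected_dports=(443,)):
    """Sessions per App-ID, plus IDs whose destination port is outside what the
    decryption policy should match (443 is an assumption) or is missing."""
    by_app = Counter(s["app"] for s in sessions)
    odd = [s["id"] for s in sessions
           if s.get("dport") is None or int(s["dport"]) not in expected_dports]
    return by_app, odd
```

Feed it the real CLI output instead of SAMPLE and compare the per-App-ID counts with what the capture on the mirror port shows; a session listed here but absent from the capture points at the mirror configuration rather than the decryption policy.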
owner: rvanderveken
Everyone's Tags: configuration configure decryption doc-6212 how-to
Comments
Jhartman,
You can try redirecting some unencrypted traffic with routing or PBF, but there is no way to forward all unencrypted traffic to a mirror port with a Palo Alto Networks firewall.
Instead, you achieve this using your switch's mirror port or purpose-built devices such as Network Packet Brokers.
Copyright 2007 - 2016 - Palo Alto Networks