Configure Palo Alto Networks Decrypt Mirror

The Palo Alto Networks configuration is built upon objects that come together in a Policy. This section describes one possible configuration; under the assumption the device is already inspecting SSL traffic correctly. Please note that this configuration relies on a free license available for most PAN devices running PAN-OS 6.0 or later; and that you can either configure it directly on the device or via Panorama.

Decrypted traffic will be mirrored to a dedicated interface on your Palo Alto Networks device, which needs to be of type Decrypt Mirror.

Mirroring is configured at the Decryption Profile level under the Objects tab. You can use the Clone button to copy the profile you are currently using instead of modifying it directly.

When cloned, you can rename it appropriately. The critical configuration option is to select the interface you configured earlier in the Decryption Mirroring section. You can leave the default Forwarded Only option selected.

You can create a custom URL Category for the traffic of interest by importing the file with the Managed Apps domains obtained from the Netskope UI into a new URL Category, in the Objects tab under Custom Objects > URL Category.

In order to selectively mirror traffic, you can clone the existing Decryption policy and adjust it using the objects created previously.

Decryption policies are found under Decryption in the Policies tab. Using the Clone button you can create a copy of the exiting policy, and you can move it up with the Move UP button so it won’t be shadowed by the original policy

Finally, you can set the URL Category and Decryption Profile to those you created in the previous sections.