Wednesday, August 29, 2018

Palo Alto - Mirroring all traffic to external DLP product?

Hi Everyone,

I'm trying to get mirroring to a Symantec DLP product working. So far, I have the SSL decrypt mirror working fine, and the DLP product sees all of the test traffic and flags it as expected. However, the problem I find is that it does not mirror EVERYTHING to the port, just encrypted traffic that has been decrypted by the Palo. It completely misses unencrypted generic HTTP, FTP, etc. traffic because it's not sending it.

What I have done to get around this is to span the outside interface and the decrypt mirror interface of the Palo using a switch, and aggregate that to a single monitor port on the DLP product. But now the DLP sees the encrypted traffic 2x, once encrypted and once decrypted, and it's doubling up the processing time.

I've already engaged PA tech support and product support people, but they say it's not on their radar of features to implement, which I think is pretty stupid, since if someone knew they could send social security numbers, credit card info, etc. over generic HTTP, our DLP product wouldn't catch it unless it was deployed with the workaround I did.

Has anyone gotten all traffic mirrored without needing an external switch? I've heard talk of an L2 V-wire, but that would double up the processing on the Palo itself. Just wondering if there were better alternatives.
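One way to take the duplicate work off the DLP sensor in the span-plus-decrypt-mirror workaround described above is to drop frames that are still TLS-encrypted when they arrive from the outside span, since the sensor gets the readable copy from the decrypt mirror anyway. The following is an added example, not code from the original post or from either vendor; the tap labels, frame model and sample payloads are constructed for illustration.

```python
"""Pre-filter for an aggregated DLP monitor port (added example).

Frames tagged "outside_span" are the raw copy from the firewall's outside
interface; frames tagged "decrypt_mirror" are the cleartext copy the Palo
Alto decrypt-mirror port emits. TLS records from the outside span are
dropped so each HTTPS session is inspected once. Labels are assumptions.
"""
from dataclasses import dataclass

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# Record-layer versions SSL 3.0 through TLS 1.3 (1.3 still writes 0x0303 on the wire)
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}
MAX_RECORD_LEN = 16384 + 2048  # plaintext limit plus allowed ciphertext expansion


@dataclass
class Frame:
    source: str     # "outside_span" or "decrypt_mirror" (constructed tap labels)
    payload: bytes  # TCP payload only; L2-L4 headers already stripped


def looks_like_tls(payload: bytes) -> bool:
    """Port-independent check: does the payload start with a plausible TLS
    record header (1 byte type, 2 byte version, 2 byte length)?"""
    if len(payload) < 5:
        return False
    ctype = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[3:5], "big")
    return ctype in TLS_CONTENT_TYPES and version in TLS_VERSIONS and length <= MAX_RECORD_LEN


def forward_to_dlp(frames):
    """Keep cleartext from the outside span and everything from the decrypt
    mirror; discard the still-encrypted duplicates of decrypted sessions."""
    return [f for f in frames
            if not (f.source == "outside_span" and looks_like_tls(f.payload))]


# Constructed sample traffic as it would arrive on the aggregated monitor port.
SAMPLE_FRAMES = [
    Frame("outside_span", b"GET /upload HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Frame("outside_span", bytes.fromhex("160303004a") + b"\x00" * 74),   # TLS handshake
    Frame("outside_span", bytes.fromhex("170303002b") + b"\x00" * 43),   # TLS app data
    Frame("decrypt_mirror", b"POST /form HTTP/1.1\r\nHost: intranet.example\r\n\r\nssn=REDACTED"),
    Frame("outside_span", b"USER anonymous\r\n"),                         # cleartext FTP
]

if __name__ == "__main__":
    for f in forward_to_dlp(SAMPLE_FRAMES):
        print(f.source, f.payload[:20])
```

Sessions the firewall does not decrypt (for example, ones excluded from the decryption policy) are dropped here too, but the sensor could not have inspected their ciphertext anyway, so nothing inspectable is lost.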
