<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic PaloAlto Decrypt Mirror not traffic visible to VM but switch port mirror traffic is in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/paloalto-decrypt-mirror-not-traffic-visible-to-vm-but-switch/m-p/250776#M71311</link>
    <description>&lt;P class="s90z9tc-10 fHRkcP"&gt;I've set up VMware ESXi 6.5 and 6.5U1 with a few different intrusion detection systems and SIEM platforms and am getting inconsistent behavior w/ the Palo Alto Decrypt Mirror port vs. other technologies such as a SPAN or "Mirror Port".&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;Many NIDS platforms (SecOnion, Bro, Moloch) can accept data from a SPAN, Mirror, or physical network tap and do intrusion detection / network extraction on the inbound data. Example - plug a USR 4503 TAP in between a perimeter firewall (inline), and then you can take the TAP port, plug it into a NIC on VMware ESX, configure the vSwitch and PortGroup to accept promiscuous mode, connect that to a virtual NIC, and the NIDS / SIEM can monitor the traffic. Key rule - you *must* enable promiscuous mode, and IRL, only connect this type of PortGroup/vSwitch to a "monitoring interface". So - be direct, restrictive, and "single purpose".&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;Enter the Palo Alto PA220. I have successfully configured decrypt port mirror, got the certificate in place on a Mac and an iPad, and seen in the Palo Alto (PANOS 8.1.4) that the traffic is decrypted. So that part of the equation works. 
When I plug in a Mac or a Windows PC to the physical cable attached to the PA's Decrypt Mirror port, I can see fully decrypted SSL/TLS type traffic - rather cool!&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;However, when I connect a vSwitch &amp;amp; Port group to a NIC plugged into the PA's Decrypt mirror port and then attach the PG to a Linux system, I cannot see the data with tcpdump.&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;So - test my setup then -&amp;gt; Just to make sure I had everything right - I configured a port mirror on a Cisco S300, and mirrored the traffic from the port w/ the firewall plugged in (Interior side), and sure enough - that data was delivered by the switch just fine, because I can add a third NIC to my Linux system and can see the regular mirrored traffic just fine. (CLI: tcpdump -A -n -i eth2 "not dst net 10.0.0.0/16 and ip" shows me traffic to/from the Internet, encrypted for port 443, DNS data is visible)&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;SO -&amp;gt; net effect =&amp;gt; and the query to the Community:&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;What would cause a PA 220 w/ Decrypt Port Mirror not to present data to a client VM using VMware ESXi 6.5, when port mirrors from switches do present data to the VM and there are no other obvious differences in the configuration?&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;Thanks for any assistance you can give.&lt;/P&gt;</description>
    <pubDate>Thu, 21 Feb 2019 20:14:16 GMT</pubDate>
    <dc:creator>dmurdoch</dc:creator>
    <dc:date>2019-02-21T20:14:16Z</dc:date>
    <item>
      <title>PaloAlto Decrypt Mirror not traffic visible to VM but switch port mirror traffic is</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/paloalto-decrypt-mirror-not-traffic-visible-to-vm-but-switch/m-p/250776#M71311</link>
      <description>&lt;P class="s90z9tc-10 fHRkcP"&gt;I've set up VMware ESXi 6.5 and 6.5U1 with a few different intrusion detection systems and SIEM platforms and am getting inconsistent behavior w/ the Palo Alto Decrypt Mirror port vs. other technologies such as a SPAN or "Mirror Port".&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;Many NIDS platforms (SecOnion, Bro, Moloch) can accept data from a SPAN, Mirror, or physical network tap and do intrusion detection / network extraction on the inbound data. Example - plug a USR 4503 TAP in between a perimeter firewall (inline), and then you can take the TAP port, plug it into a NIC on VMware ESX, configure the vSwitch and PortGroup to accept promiscuous mode, connect that to a virtual NIC, and the NIDS / SIEM can monitor the traffic. Key rule - you *must* enable promiscuous mode, and IRL, only connect this type of PortGroup/vSwitch to a "monitoring interface". So - be direct, restrictive, and "single purpose".&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;Enter the Palo Alto PA220. I have successfully configured decrypt port mirror, got the certificate in place on a Mac and an iPad, and seen in the Palo Alto (PANOS 8.1.4) that the traffic is decrypted. So that part of the equation works. 
When I plug in a Mac or a Windows PC to the physical cable attached to the PA's Decrypt Mirror port, I can see fully decrypted SSL/TLS type traffic - rather cool!&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;However, when I connect a vSwitch &amp;amp; Port group to a NIC plugged into the PA's Decrypt mirror port and then attach the PG to a Linux system, I cannot see the data with tcpdump.&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;So - test my setup then -&amp;gt; Just to make sure I had everything right - I configured a port mirror on a Cisco S300, and mirrored the traffic from the port w/ the firewall plugged in (Interior side), and sure enough - that data was delivered by the switch just fine, because I can add a third NIC to my Linux system and can see the regular mirrored traffic just fine. (CLI: tcpdump -A -n -i eth2 "not dst net 10.0.0.0/16 and ip" shows me traffic to/from the Internet, encrypted for port 443, DNS data is visible)&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;SO -&amp;gt; net effect =&amp;gt; and the query to the Community:&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;What would cause a PA 220 w/ Decrypt Port Mirror not to present data to a client VM using VMware ESXi 6.5, when port mirrors from switches do present data to the VM and there are no other obvious differences in the configuration?&lt;/P&gt;&lt;P class="s90z9tc-10 fHRkcP"&gt;Thanks for any assistance you can give.&lt;/P&gt;</description>
      <pubDate>Thu, 21 Feb 2019 20:14:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/paloalto-decrypt-mirror-not-traffic-visible-to-vm-but-switch/m-p/250776#M71311</guid>
      <dc:creator>dmurdoch</dc:creator>
      <dc:date>2019-02-21T20:14:16Z</dc:date>
    </item>
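An added example, not code from the thread, from Palo Alto Networks or from VMware: a POSIX shell check for the "key rule" in the post above, that the standard vSwitch port group feeding the sensor VM accepts promiscuous mode (without it the vSwitch only delivers frames addressed to the VM's own MAC, plus broadcast/multicast, so mirrored or tapped traffic never reaches the sensor), and that a single-purpose monitoring port group also rejects forged transmits and MAC changes. It parses the text that the ESXi command `esxcli network vswitch standard portgroup policy security get -p PGNAME` prints; the port group name Monitor-PG and the two sample outputs below are constructed for the example so it runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread). Checks the security policy of an
# ESXi standard vSwitch port group used as a NIDS monitoring interface.
# Input is the text printed by:
#   esxcli network vswitch standard portgroup policy security get -p PGNAME
# The sample outputs below are constructed in that shape; run the real command
# on the ESXi host (or over SSH) and pass its output to check_monitor_policy.

# policy_value OUTPUT KEY: print the lower-cased value of the "KEY: value"
# line in OUTPUT, or "missing" if no such line exists. The regex is anchored
# at both ends so "Allow Promiscuous" does not match "Allow Promiscuous Override".
policy_value() {
    _out=$1
    _key=$2
    printf '%s\n' "$_out" | awk -F': *' -v k="$_key" '
        $1 ~ ("^[ \t]*" k "$") { print tolower($2); found = 1 }
        END { if (!found) print "missing" }'
}

# check_monitor_policy OUTPUT: return 0 when the port group can carry a
# SPAN/TAP/decrypt-mirror feed to a sensor VM, 1 otherwise. Promiscuous mode
# is the hard requirement; forged transmits and MAC changes are reported as
# warnings because a monitor-only port group should never transmit.
check_monitor_policy() {
    _out=$1
    _rc=0
    _promisc=$(policy_value "$_out" "Allow Promiscuous")
    _forged=$(policy_value "$_out" "Allow Forged Transmits")
    _macchg=$(policy_value "$_out" "Allow MAC Address Change")

    if [ "$_promisc" != "true" ]; then
        echo "FAIL: Allow Promiscuous is '$_promisc'; the vSwitch will drop frames not addressed to the VM's MAC, so mirrored traffic never reaches the sensor"
        _rc=1
    fi
    if [ "$_forged" = "true" ]; then
        echo "WARN: Allow Forged Transmits is true; a monitor-only port group should reject it"
    fi
    if [ "$_macchg" = "true" ]; then
        echo "WARN: Allow MAC Address Change is true; a monitor-only port group should reject it"
    fi
    return $_rc
}

# Constructed sample output (shape of esxcli's output) for a correctly
# configured monitoring port group and for a default, non-promiscuous one.
SAMPLE_GOOD='   Allow Promiscuous: true
   Allow Promiscuous Override: true
   Allow Forged Transmits: false
   Allow Forged Transmits Override: true
   Allow MAC Address Change: false
   Allow MAC Address Change Override: true'

SAMPLE_BAD='   Allow Promiscuous: false
   Allow Promiscuous Override: false
   Allow Forged Transmits: true
   Allow Forged Transmits Override: false
   Allow MAC Address Change: true
   Allow MAC Address Change Override: false'

# Demo on the constructed samples. On a real host (assumed port group Monitor-PG):
#   check_monitor_policy "$(esxcli network vswitch standard portgroup policy security get -p Monitor-PG)"
if check_monitor_policy "$SAMPLE_GOOD"; then
    echo "good sample: usable as a monitoring port group"
fi
if check_monitor_policy "$SAMPLE_BAD"; then
    echo "bad sample: unexpectedly passed"
else
    echo "bad sample: rejected as expected"
fi
```

Run it on the sensor VM's ESXi host after creating the dedicated monitoring port group; a FAIL on promiscuous mode is the first thing to rule out when tcpdump on the VM shows nothing while a laptop on the same cable does.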
    <item>
      <title>Re: PaloAlto Decrypt Mirror not traffic visible to VM but switch port mirror traffic is</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/paloalto-decrypt-mirror-not-traffic-visible-to-vm-but-switch/m-p/251664#M71560</link>
      <description>&lt;P&gt;The decrypt mirror only outputs what is inside the encapsulated payload of the decrypted traffic while a SPAN port forwards everything.&lt;/P&gt;
&lt;P&gt;This means there's no MAC addresses being exchanged and no handshakes etc., which may trip up the vSwitch&lt;/P&gt;</description>
      <pubDate>Thu, 28 Feb 2019 09:14:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/paloalto-decrypt-mirror-not-traffic-visible-to-vm-but-switch/m-p/251664#M71560</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2019-02-28T09:14:28Z</dc:date>
    </item>
    <item>
      <title>Re: PaloAlto Decrypt Mirror not traffic visible to VM but switch port mirror traffic is</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/paloalto-decrypt-mirror-not-traffic-visible-to-vm-but-switch/m-p/251899#M71623</link>
      <description>&lt;P&gt;The plot thickens on this topic. First, I was capable of plugging the decrypt mirror port into a commodity switch, and then port-mirroring that switch port into my ESX system, and it worked. Meaning the inexpensive switch got the data to a system running as an ESX VM. Second, I have a friend with a VM100 and two ESXi systems. He configured his decrypt port mirror to use a LAN port, then cabled that LAN port to another ESX system, and the Sec Onion running on the second ESX system received the data.&lt;/P&gt;</description>
      <pubDate>Fri, 01 Mar 2019 11:48:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/paloalto-decrypt-mirror-not-traffic-visible-to-vm-but-switch/m-p/251899#M71623</guid>
      <dc:creator>dmurdoch</dc:creator>
      <dc:date>2019-03-01T11:48:10Z</dc:date>
    </item>
  </channel>
</rss>

