Transport of Decrypt Port Mirror traffic to a remote Switch/Server

LeonardoMachado — Mon, 15 Mar 2021 18:10:50 GMT

We've been trying to redirect the decrypted port mirror traffic to a remote sever in the network.

If we plug a notebook into the decrytp port mirror of Palo Alto, we see all the decrypted traffic in Wireshark.

So, we tried to connect PA port into a switch and use Cisco RSPAN to send the traffic to our remote Server. It just doesn't work.

I may be failing on basic concepts here. Can anyone help me by saying how to make it work or, if so, why it should never work like this?

Thank you.

PA[decryp.port.mirror] --> Notebook: OK

PA[decryp.port.mirror] --> SW1..n[RSPAN] --> Server: Not OK!

Thank you.

Re: Transport of Decrypt Port Mirror traffic to a remote Switch/Server

reaper — Tue, 16 Mar 2021 13:47:05 GMT

this may be a question for cisco 😉

The decrypt port simply spits out packets as they go through the firewall so they're not routable or switchable (no MAC information)

An RSPAN still relies on capturing 'legitimate' traffic on a access/trunk port and forwarding the utput to a remote output