Palo Alto Prisma SASE Configuration Guide for 12.5.1
Tags: Configuration, Documentation, PDF Documentation, Version 12.5.1
The following article contains a summary of the Palo Alto Prisma SASE Configuration Guide for 12.5.1. To see the full guide, go to Attachments on this article and download the associated PDF.
Summary of the Palo Alto Prisma SASE Configuration Guide for 12.5.1
The Palo Alto Prisma SASE Configuration Guide for 12.5.1 explains how to integrate Palo Alto Prisma SASE with NetWitness® to enable secure ingestion, decryption, and analysis of SASE network traffic, providing end‑to‑end visibility, threat detection, and investigation across remote, hybrid, and cloud environments.
Getting Started
This section provides an overview of how NetWitness® SASE integrates with Palo Alto Prisma SASE to deliver enhanced visibility, threat detection, and investigation capabilities across remote, hybrid, and cloud environments. It explains how the combined solution enables centralized investigations, supports forensic analysis on retained network traffic, correlates disparate datasets for contextual threat analysis, and reduces operational costs through selective retention and optimized cloud deployments.
About NetWitness® SASE
This section explains NetWitness® SASE capabilities and how it complements Palo Alto Prisma SASE by extending visibility into encrypted traffic, remote users, and cloud workloads. It highlights how the integration supports secure, real‑time traffic monitoring, scalable cloud security, and elimination of visibility gaps introduced by traditional network architectures, enabling organizations to maintain compliance and strengthen their zero‑trust security posture.
NetWitness® SASE Integration with Palo Alto Architecture
This section covers the architectural design of the NetWitness® SASE integration with Palo Alto Prisma. It explains how SASE converges networking and security services in the cloud while NetWitness® ensures full packet capture and log monitoring across distributed sources. The section addresses traditional blind spots caused by legacy edge security tools and describes how the integrated architecture delivers enterprise‑grade security, improved user experience, and comprehensive visibility regardless of data origin.
Configure Palo Alto Prisma Integration
This section explains the available methods to configure Palo Alto Prisma integration within NetWitness®. It introduces deployment using Centralized Content Management (CCM) as the recommended approach and deployment using NwConsole as an alternative for environments not managed by CCM, allowing flexibility based on operational requirements.
Deploy Palo Alto Prisma Integration Using CCM
This section provides a high‑level overview of deploying the Palo Alto Prisma integration through policy‑based Centralized Content Management. It explains how CCM simplifies deployment by centrally managing configurations, policies, and decoders, ensuring consistent and scalable rollout across the environment.
Prerequisites for CCM Deployment
This section outlines the prerequisites required before deploying the integration using CCM. It explains the need for compatible NetWitness® Platform versions, Live Services connectivity, CCM‑managed decoder services, and access to required Google Cloud Platform resources such as private keys, bucket authentication credentials, project IDs, bucket names, and Pub/Sub subscription details.
Create Google Cloud Pub/Sub Subscription (CCM)
This section explains how to create and configure a Google Cloud Pub/Sub subscription required for receiving Prisma Access traffic replication messages. It describes how message filtering and ordering are used to ensure data continuity, efficient message delivery, and correct association with GCS buckets, while noting retention considerations for files stored in Palo Alto–managed buckets.
Configure Permissions for Google Cloud Platform (CCM)
This section covers the required Google Cloud Platform permissions for the service account used by the integration. It explains the need for read access to GCS buckets and Pub/Sub topics, assignment of the Pub/Sub Admin role, and full Cloud API access when service accounts are attached directly to decoder virtual machines.
Deploy Palo Alto Prisma Integration Tasks (CCM)
This section explains the sequence of tasks required to complete deployment using CCM, including mapping the decoder network adapter, creating and publishing a policy with the Prisma integration plugin, configuring the integration from the policy details view, and verifying successful data ingestion and metadata availability within NetWitness®.
Verify Palo Alto Prisma Events and Metadata (CCM)
This section explains how to validate that Palo Alto Prisma events are successfully captured and processed. It covers checking decoder statistics, confirming capture activity, aggregating decoder data into the concentrator, and verifying event metadata in the Investigate view to ensure end‑to‑end integration correctness.
Deploy Palo Alto Prisma Integration Using NwConsole
This section provides an overview of deploying the Palo Alto Prisma integration using NwConsole for environments where CCM is not used. It explains the manual deployment model and highlights its suitability for decentralized or legacy deployments.
Prerequisites for NwConsole Deployment
This section explains the prerequisites for NwConsole‑based deployment, including NetWitness® Platform version requirements, non‑CCM‑managed decoders, and availability of required encryption keys, authentication files, GCP bucket details, project IDs, and Pub/Sub subscriptions.
Create Google Cloud Pub/Sub Subscription (NwConsole)
This section explains how to create a Pub/Sub subscription for NwConsole deployments, emphasizing message filtering, ordering, retention behavior, and alignment with Prisma Access traffic replication requirements.
Configure Permissions for Google Cloud Platform (NwConsole)
This section covers the Google Cloud permission model required for NwConsole deployments, explaining service account access to buckets, Pub/Sub topics, administrative roles, and Cloud APIs to ensure smooth integration and data ingestion.
Deploy Palo Alto Prisma Integration Tasks (NwConsole)
This section explains the tasks required for manual deployment using NwConsole, including mapping the decoder network adapter, deploying the Prisma integration plugin, configuring integration instances via scripts, enabling trusted authentication, and restarting the decoder to activate packet capture.
Verify Palo Alto Prisma Events and Metadata (NwConsole)
This section explains how to validate integration success when deployed via NwConsole by reviewing decoder capture statistics, confirming packet ingestion, aggregating data into the concentrator, and verifying events and metadata in the Investigate view.
Remove Palo Alto Prisma Integration Plugin
This section covers how to safely remove the Palo Alto Prisma integration from NetWitness®. It explains the steps required to delete CCM‑managed policies, remove plugin artifacts from decoder hosts, and clean up integration components depending on the deployment method used.
Troubleshooting NetWitness® SASE Deployment
This section explains common deployment and runtime issues encountered during NetWitness® SASE integration with Palo Alto Prisma. It covers authentication failures, file download errors, decryption issues, streaming failures, queue overflows, disk usage considerations, and recovery behaviors, providing guidance on identifying root causes and applying corrective actions to maintain stable and reliable data ingestion.
Attachments:
nw_12.5.1_palo_alto_sase_configuration_guide.pdf