Tap Interfaces (PAN-OS)
Procedure for configuring tap interfaces in PAN-OS & Panorama.
  1. Decide which port you want to use as your tap interface and connect it to a switch configured with SPAN/RSPAN or port mirroring.
    You will send your network traffic from the SPAN destination port through the firewall so you can have visibility into the applications and threats on your network.
  2. From the firewall web interface, configure the interface you want to use as your network tap.
    1. Select Network > Interfaces and select the interface that corresponds to the port you just cabled.
    2. Select Tap as the Interface Type.
    3. On the Config tab, expand the Security Zone and select New Zone.
    4. In the Zone dialog, enter a Name for the new zone, for example TapZone, and then click OK.
  3. (Optional) Create any forwarding profiles you want to use.
  4. Create Security Profiles to scan your network traffic for threats:
    1. Select Objects > Security Profiles.
    2. For each security profile type, Add a new profile and set the action to alert.
      Because the firewall is not inline with the traffic, you cannot use any block or reset actions. By setting the action to alert, you will be able to see any threats the firewall detects in the logs and ACC.
  5. Create a security policy rule to allow the traffic through the tap interface.
    When creating a security policy rule for tap mode, both the source zone and destination zone must be the same.
    1. Select Policies > Security and click Add.
    2. In the Source tab, set the Source Zone to the TapZone you just created.
    3. In the Destination tab, set the Destination Zone to the TapZone also.
    4. Set all of the rule match criteria (Applications, User, Service, Address) to any.
    5. In the Actions tab, set the Action Setting to Allow.
    6. Set Profile Type to Profiles and select each of the security profiles you created to alert you of threats.
    7. Verify that Log at Session End is enabled.
    8. Click OK.
    9. Place the rule at the top of your rulebase.
  6. (Supported firewalls only) If the interface corresponds to a PoE (Power over Ethernet) port on the firewall, you can optionally configure PoE.
  7. Commit the configuration.
  8. Monitor the firewall logs (Monitor > Logs) and the ACC for insight into the applications and threats on your network.
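The following added example (not part of the PAN-OS documentation or Palo Alto Networks' own tooling) audits an exported configuration against the tap-mode rule constraints in step 5: same source and destination zone, all match criteria set to any, action allow, Log at Session End enabled, security profiles attached, and the rule at the top of the rulebase. The XML element names and the sample config are assumptions modelled on a running-config export, constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the layout of a PAN-OS running-config export
# (element names are an assumption for this example, not a real export).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
 <vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="tap-visibility">
   <from><member>TapZone</member></from><to><member>TapZone</member></to>
   <source><member>any</member></source><destination><member>any</member></destination>
   <source-user><member>any</member></source-user>
   <application><member>any</member></application><service><member>any</member></service>
   <action>allow</action><log-end>yes</log-end>
   <profile-setting><profiles>
    <vulnerability><member>tap-alert</member></vulnerability><virus><member>tap-alert</member></virus>
   </profiles></profile-setting>
  </entry>
 </rules></security></rulebase></entry></vsys>
</entry></devices></config>"""


def members(rule, tag):
    # Values of the <member> children under e.g. <from>, <to>, <source>.
    return [m.text for m in rule.findall(f"{tag}/member")]


def audit_tap_rule(config_xml, zone):
    """Return findings for the first rule referencing the tap zone; [] means it passes."""
    root = ET.fromstring(config_xml)
    rules = root.findall(".//rulebase/security/rules/entry")
    hits = [(i, r) for i, r in enumerate(rules) if zone in members(r, "from") + members(r, "to")]
    if not hits:
        return [f"no security rule references zone {zone}"]
    index, rule = hits[0]
    findings = []
    if index != 0:  # step 5.9: the tap rule should sit at the top of the rulebase
        findings.append(f"rule {rule.get('name')} is not at the top of the rulebase")
    if members(rule, "from") != [zone] or members(rule, "to") != [zone]:
        findings.append("source and destination zone must both be the tap zone")
    for tag in ("source", "destination", "source-user", "application", "service"):
        if members(rule, tag) != ["any"]:  # step 5.4: every match criterion set to any
            findings.append(f"{tag} should be set to any")
    if rule.findtext("action") != "allow":
        findings.append("action must be allow")
    if rule.findtext("log-end") != "yes":  # step 5.7: Log at Session End
        findings.append("log at session end is not enabled")
    profiles = rule.find("profile-setting/profiles")
    if profiles is None or len(profiles) == 0:  # step 5.6: alert-only profiles attached
        findings.append("no security profiles attached")
    return findings
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; a non-empty list means traffic through the tap will be silently dropped or unlogged rather than inspected.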