>
    Tap Interfaces
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Configure Interfaces
    4. Tap Interfaces
    Download PDF
    Next-Generation Firewall

    Tap Interfaces

    Table of Contents

    Tap Interfaces

    Configure an interface as a network tap to monitor traffic flows across a network.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of the following licenses when using Strata Cloud Manager:
    • Strata Cloud Manager Pro
    • Strata Cloud Manager Essentials
    A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.
    The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
    By deploying the firewall in tap mode, you can get visibility into what applications are running on your network without having to make any changes to your network design. In addition, when in tap mode, the firewall can also identify threats on your network. Keep in mind, however, because the traffic is not running through the firewall when in tap mode, it cannot take any action on the traffic, such as blocking traffic with threats or applying QoS traffic control.
    To configure a tap interface and begin monitoring the applications and threats on your network:

    Tap Interfaces (PAN-OS)

    Procedure for configuring tap interfaces in PAN-OS & Panorama.
    1. Decide which port you want to use as your tap interface and connect it to a switch configured with SPAN/RSPAN or port mirroring.
      You will send your network traffic from the SPAN destination port through the firewall so you can have visibility into the applications and threats on your network.
    2. From the firewall web interface, configure the interface you want to use as your network tap.
      1. Select NetworkInterfaces and select the interface that corresponds to the port you just cabled.
      2. Select Tap as the Interface Type.
      3. On the Config tab, expand the Security Zone and select New Zone.
      4. In the Zone dialog, enter a Name for new zone, for example TapZone, and then click OK.
    3. (Optional) Create any forwarding profiles you want to use.
    4. Create Security Profiles to scan your network traffic for threats:
      1. Select ObjectsSecurity Profiles.
      2. For each security profile type, Add a new profile and set the action to alert.
        Because the firewall is not inline with the traffic, you cannot use any block or reset actions. By setting the action to alert, you will be able to see any threats the firewall detects in the logs and ACC.
    5. Create a security policy rule to allow the traffic through the tap interface.
      When creating a security policy rule for tap mode, both the source zone and destination zone must be the same.
      1. Select PoliciesSecurity and click Add.
      2. In the Source tab, set the Source Zone to the TapZone you just created.
      3. In the Destination tab, set the Destination Zone to the TapZone also.
      4. Set the all of the rule match criteria (Applications, User, Service, Address) to any.
      5. In the Actions tab, set the Action Setting to Allow.
      6. Set Profile Type to Profiles and select each of the security profiles you created to alert you of threats.
      7. Verify that Log at Session End is enabled.
      8. Click OK.
      9. Place the rule at the top of your rulebase.
    6. (Supported firewalls only) If the interface corresponds to a PoE (Power over Ethernet) port on the firewall, you can optionally configure PoE.
    7. Commit the configuration.
    8. Monitor the firewall logs (MonitorLogs) and the ACC for insight into the applications and threats on your network.

    Tap Interfaces (SCM)

    The procedure for configuring tap interfaces in Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsInterfacesEthernetConfigurationNGFW and Prisma AccessDevice SettingsInterfacesEthernet and select the context view where you want to create the tap interface.
      Select a firewall from the Config Tree or select Snippets to configure the tap interface in a snippet.
      If you select a folder from the Config Tree or select a snippet, you create a tap interface variable that must be assigned at the device level.
    3. Add the interface.
      If you’re configuring a tap interface for a specific firewall, select the interface you want to configure instead.
      • Folders and SnippetsAdd Interface and select Interface.
      • FirewallsAdd and Add Interface.
    4. Configure the interface.
      If you’re configuring an interface in the folder or snippet context, the interface configuration is pushed only to firewalls that have the corresponding interface slot available. For example, if you configure Ethernet 1/5 in the folder context and the firewall associated with the folder has only four interface slots, then the configuration isn’t pushed to the firewall.
      1. Select the interface Slot.
      2. Enter or Select the Interface Name.
        When you configure an interface for a specific firewall, the Interface Name is fixed, such as ethernet1/1 if you select Slot 1. The fixed interface names are dependent on the slot that you selected in the previous step.
      3. (Folders and Snippets only) Select the Default Interface Assignment.
      4. (Optional) Enter a Description.
      5. For Interface Type, select Tap.
      6. (Folders and Snippets only; Recommended) Assign the interface to a Zone.
        Create New to create a new zone.
        Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
    5. (Optional) Configure the interface link settings.
      1. Select the interface Link Speed.
        Auto is selected by default and allows the firewall to determine the speed.
      2. Select the interface Link Duplex transmission mode.
        Auto is selected by default to allow the firewall to negotiate the transmission mode automatically.
      3. Select the interface Link State.
        Auto detect is selected by default to allow the firewall to automatically determine the link state.
    6. Save.
    7. Push Config to push your configuration changes.

    © 2025 Palo Alto Networks, Inc. All rights reserved.