Focus

Tap Interfaces

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.1
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Configure Interfaces

Virtual Wire Interfaces

Tap Interfaces

A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.

The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.

By deploying the firewall in tap mode, you can get visibility into what applications are running on your network without having to make any changes to your network design. In addition, when in tap mode, the firewall can also identify threats on your network. Keep in mind, however, because the traffic is not running through the firewall when in tap mode it cannot take any action on the traffic, such as blocking traffic with threats or applying QoS traffic control.

To configure a tap interface and begin monitoring the applications and threats on your network:

Decide which port you want to use as your tap interface and connect it to a switch configured with SPAN/RSPAN or port mirroring.

You will send your network traffic from the SPAN destination port through the firewall so you can have visibility into the applications and threats on your network.

From the firewall web interface, configure the interface you want to use as your network tap.

Select

Network

Interfaces

and select the interface that corresponds to the port you just cabled.

Select

Tap

as the

Interface Type

On the

Config

tab, expand the

Security Zone

and select

New Zone

In the Zone dialog, enter a

Name

for new zone, for example TapZone, and then click

(Optional) Create any forwarding profiles you want to use.

Configure Log Forwarding.

Configure Syslog Monitoring.

Create Security Profiles to scan your network traffic for threats:

Select

Objects

Security Profiles

For each security profile type,

Add

a new profile and set the action to

alert

Because the firewall is not inline with the traffic you cannot use any block or reset actions. By setting the action to alert, you will be able to see any threats the firewall detects in the logs and ACC.

Create a security policy rule to allow the traffic through the tap interface.

When creating a security policy rule for tap mode, both the source zone and destination zone must be the same.

Select

Policies

Security

and click

Add

In the

Source

tab, set the

Source Zone

to the TapZone you just created.

In the

Destination

tab, set the

Destination Zone

to the TapZone also.

Set the all of the rule match criteria (

Applications

User

Service

Address

) to

any

In the

Actions

tab, set the

Action Setting

Allow

Set

Profile Type

Profiles

and select each of the security profiles you created to alert you of threats.

Verify that

Log at Session End

is enabled.

Click

Place the rule at the top of your rulebase.

Commit

the configuration.

Monitor the firewall logs (

Monitor

Logs

) and the

ACC

for insight into the applications and threats on your network.

Configure Interfaces

Virtual Wire Interfaces

Next-Generation Firewall Docs

Tap Interfaces

Next-Generation Firewall Docs

Tap Interfaces

Recommended For You

Activation and Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner