Tap Interfaces
A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.

The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it to a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
By deploying the firewall in tap mode, you can get visibility into what applications are running on your network without having to make any changes to your network design. In addition, when in tap mode, the firewall can also identify threats on your network. Keep in mind, however, that because the traffic is not running through the firewall in tap mode, it cannot take any action on the traffic, such as blocking traffic with threats or applying QoS traffic control.
To configure a tap interface and begin monitoring the applications and threats on your network:
- Decide which port you want to use as your tap interface and connect it to a switch configured with SPAN/RSPAN or port mirroring. You will send your network traffic from the SPAN destination port through the firewall so you can have visibility into the applications and threats on your network.
- From the firewall web interface, configure the interface you want to use as your network tap.
  - Select Network > Interfaces and select the interface that corresponds to the port you just cabled.
  - Select Tap as the Interface Type.
  - On the Config tab, expand the Security Zone and select New Zone.
  - In the Zone dialog, enter a Name for the new zone, for example TapZone, and then click OK.
- (Optional) Create any forwarding profiles you want to use.
- Create Security Profiles to scan your network traffic for threats:
  - Select Objects > Security Profiles.
  - For each security profile type, Add a new profile and set the action to alert. Because the firewall is not inline with the traffic, you cannot use any block or reset actions. By setting the action to alert, you will be able to see any threats the firewall detects in the logs and the ACC.
- Create a security policy rule to allow the traffic through the tap interface. When creating a security policy rule for tap mode, both the source zone and the destination zone must be the same.
  - Select Policies > Security and click Add.
  - In the Source tab, set the Source Zone to the TapZone you just created.
  - In the Destination tab, set the Destination Zone to the TapZone also.
  - Set all of the rule match criteria (Applications, User, Service, Address) to any.
  - In the Actions tab, set the Action Setting to Allow.
  - Set Profile Type to Profiles and select each of the security profiles you created to alert you of threats.
  - Verify that Log at Session End is enabled.
  - Click OK.
  - Place the rule at the top of your rulebase.
- Commit the configuration.
- Monitor the firewall logs (Monitor > Logs) and the ACC for insight into the applications and threats on your network.
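As an added example that is not part of the original documentation or of PAN-OS itself, the following Python script audits an exported XML configuration for the tap-mode requirements listed above (Tap interface type, tap zone membership, identical source and destination zone, Allow action, Log at Session End). The sample XML is constructed and assumed to mirror the export layout; the element paths and the names ethernet1/3, TapZone and tap-monitor are assumptions to verify against your own release and configuration.

```python
# Added example (not from the PAN-OS documentation): audit an exported
# PAN-OS XML configuration for the tap-mode requirements of the procedure.
# The XML below is a constructed sample assumed to mirror the export layout;
# verify element paths against your release before relying on this check.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain">
  <network><interface><ethernet>
   <entry name="ethernet1/3"><tap/></entry>
  </ethernet></interface></network>
  <vsys><entry name="vsys1">
   <zone><entry name="TapZone"><network><tap>
     <member>ethernet1/3</member></tap></network></entry></zone>
   <rulebase><security><rules>
    <entry name="tap-monitor">
     <from><member>TapZone</member></from>
     <to><member>TapZone</member></to>
     <action>allow</action>
     <log-end>yes</log-end>
    </entry>
   </rules></security></rulebase>
  </entry></vsys>
 </entry></devices>
</config>"""


def audit_tap_config(xml_text, interface, zone, rule):
    """Return a list of findings; an empty list means the tap setup checks out."""
    root = ET.fromstring(xml_text)
    findings = []
    # 1. The interface must be of type Tap.
    iface = root.find(f".//network/interface/ethernet/entry[@name='{interface}']")
    if iface is None or iface.find("tap") is None:
        findings.append(f"{interface} is not configured as a Tap interface")
    # 2. The interface must belong to the tap zone.
    zone_entry = root.find(f".//zone/entry[@name='{zone}']")
    members = [] if zone_entry is None else [
        m.text for m in zone_entry.findall("network/tap/member")]
    if interface not in members:
        findings.append(f"{interface} is not a tap member of zone {zone}")
    # 3. The rule must use the same zone on both sides, allow, and log at end.
    r = root.find(f".//rulebase/security/rules/entry[@name='{rule}']")
    if r is None:
        return findings + [f"rule {rule} not found"]
    src = [m.text for m in r.findall("from/member")]
    dst = [m.text for m in r.findall("to/member")]
    if src != [zone] or dst != [zone]:
        findings.append("tap rule must use the same zone as source and destination")
    if r.findtext("action") != "allow":
        findings.append("tap rule action must be allow")
    if r.findtext("log-end") != "yes":
        findings.append("Log at Session End is not enabled on the tap rule")
    return findings
```

Run it against a real export only after confirming the element paths match; a non-empty result lists which of the procedure's requirements the configuration misses.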