Configure an interface as a network tap to monitor traffic flows across a
network.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | One of the following licenses when using Strata Cloud Manager: Strata Cloud Manager Pro or Strata Cloud Manager Essentials |
A network tap is a device that provides a way to access data flowing across a
computer network. Tap mode deployment allows you to passively monitor traffic flows
across a network by way of a switch SPAN or mirror port.
The SPAN or mirror port permits the copying of traffic from other ports on the
switch. By dedicating an interface on the firewall as a tap mode interface and
connecting it with a switch SPAN port, the switch SPAN port provides the firewall
with the mirrored traffic. This provides application visibility within the network
without being in the flow of network traffic.
By deploying the firewall in tap mode, you can get visibility into what applications
are running on your network without having to make any changes to your network
design. In addition, when in tap mode, the firewall can also identify threats on
your network. Keep in mind, however, that because the traffic does not pass through
the firewall in tap mode, the firewall cannot take any action on the traffic, such as
blocking traffic that carries threats or applying QoS traffic control.
To configure a tap interface and begin monitoring the applications and threats on
your network:
Tap Interfaces (PAN-OS)
Procedure for configuring tap interfaces in PAN-OS & Panorama.
1. Decide which port you want to use as your tap interface and connect it to a switch configured with SPAN/RSPAN or port mirroring.
   You will send your network traffic from the SPAN destination port through the firewall so you can have visibility into the applications and threats on your network.
2. From the firewall web interface, configure the interface you want to use as your network tap.
   1. Select and select the interface that corresponds to the port you just cabled.
   2. Select Tap as the Interface Type.
   3. On the Config tab, expand the Security Zone and select New Zone.
   4. In the Zone dialog, enter a Name for the new zone, for example TapZone, and then click OK.
3. (Optional) Create any forwarding profiles you want to use.
4. Create Security Profiles to scan your network traffic for threats:
   1. Select .
   2. For each security profile type, Add a new profile and set the action to alert.
      Because the firewall is not inline with the traffic, you cannot use any block or reset actions. By setting the action to alert, you will be able to see any threats the firewall detects in the logs and ACC.
5. Create a security policy rule to allow the traffic through the tap interface.
   When creating a security policy rule for tap mode, both the source zone and destination zone must be the same.
   1. Select and click Add.
   2. In the Source tab, set the Source Zone to the TapZone you just created.
   3. In the Destination tab, set the Destination Zone to the TapZone also.
   4. Set all of the rule match criteria (Applications, User, Service, Address) to any.
   5. In the Actions tab, set the Action Setting to Allow.
   6. Set Profile Type to Profiles and select each of the security profiles you created to alert you of threats.
   7. Verify that Log at Session End is enabled.
   8. Click OK.
   9. Place the rule at the top of your rulebase.
6. (Supported firewalls only) If the interface corresponds to a PoE (Power over Ethernet) port on the firewall, you can optionally configure PoE.
7. Commit the configuration.
8. Monitor the firewall logs () and the ACC for insight into the applications and threats on your network.
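The PAN-OS procedure above relies on a handful of invariants: the tap interface belongs to a zone, the security rule uses that zone as both source and destination, all match criteria are any, the action is Allow (tap mode cannot block), security profiles are attached, Log at Session End is on, and the rule sits at the top of the rulebase. Those invariants can be audited mechanically against an exported configuration after a commit. The script below is an added example written for this page, not Palo Alto Networks code: the XML it parses is a constructed fragment modeled on the PAN-OS running-config layout, and the element paths, the rule name `tap-monitor` and the profile names are assumptions rather than values taken from the page.

```python
"""Audit a PAN-OS-style XML config export for the tap-mode requirements."""
import xml.etree.ElementTree as ET

# Constructed sample modeled on the PAN-OS running-config layout.
# Element paths, rule and profile names are assumptions for this example.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network><interface><ethernet>
      <entry name="ethernet1/3"><tap/></entry>
    </ethernet></interface></network>
    <vsys><entry name="vsys1">
      <zone>
        <entry name="TapZone"><network><tap><member>ethernet1/3</member></tap></network></entry>
      </zone>
      <rulebase><security><rules>
        <entry name="tap-monitor">
          <from><member>TapZone</member></from>
          <to><member>TapZone</member></to>
          <source><member>any</member></source>
          <destination><member>any</member></destination>
          <application><member>any</member></application>
          <service><member>any</member></service>
          <source-user><member>any</member></source-user>
          <action>allow</action>
          <log-end>yes</log-end>
          <profile-setting><profiles>
            <virus><member>tap-alert-av</member></virus>
            <spyware><member>tap-alert-spy</member></spyware>
            <vulnerability><member>tap-alert-vuln</member></vulnerability>
          </profiles></profile-setting>
        </entry>
        <entry name="allow-web">
          <from><member>Trust</member></from>
          <to><member>Untrust</member></to>
          <action>allow</action>
        </entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""

VSYS = "./devices/entry/vsys/entry"


def tap_interfaces(root):
    """Names of ethernet interfaces whose type is tap (an empty <tap/> node)."""
    return {
        e.get("name")
        for e in root.findall("./devices/entry/network/interface/ethernet/entry")
        if e.find("tap") is not None
    }


def zone_of(root, iface):
    """Zone whose tap member list contains iface, or None if it is unassigned."""
    for zone in root.findall(VSYS + "/zone/entry"):
        if iface in [m.text for m in zone.findall("network/tap/member")]:
            return zone.get("name")
    return None


def members(rule, tag):
    """Set of member values under a rule child such as <from> or <service>."""
    return {m.text for m in rule.findall(f"{tag}/member")}


def audit_tap_rule(root, zone):
    """Check the first rule sourced from the tap zone against the procedure."""
    findings = []
    rules = root.findall(VSYS + "/rulebase/security/rules/entry")
    matching = [r for r in rules if zone in members(r, "from")]
    if not matching:
        return [f"no security rule has source zone {zone}"]
    rule = matching[0]
    if rules[0] is not rule:
        findings.append(f"rule {rule.get('name')} is not at the top of the rulebase")
    if members(rule, "to") != {zone}:
        findings.append("destination zone must equal the source zone in tap mode")
    for tag in ("source", "destination", "application", "service", "source-user"):
        if members(rule, tag) != {"any"}:
            findings.append(f"{tag} should be any")
    if rule.findtext("action") != "allow":
        findings.append("action must be allow; tap mode cannot block")
    if rule.findtext("log-end") != "yes":
        findings.append("log at session end is disabled")
    if rule.find("profile-setting/profiles") is None:
        findings.append("no security profiles attached; threats will not be logged")
    return findings


def audit_config(xml_text):
    """Map each tap interface to its list of findings (empty list means compliant)."""
    root = ET.fromstring(xml_text)
    report = {}
    for iface in sorted(tap_interfaces(root)):
        zone = zone_of(root, iface)
        report[iface] = (["tap interface not assigned to a zone"] if zone is None
                         else audit_tap_rule(root, zone))
    return report


if __name__ == "__main__":
    for iface, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{iface}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against an exported running configuration instead of the embedded sample to confirm that a tap deployment still logs what it is meant to: a rule that drifts to a different destination zone or loses its profiles will silently stop producing threat logs, since nothing downstream notices that a passive monitor has gone quiet.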
Tap Interfaces (SCM)
The procedure for configuring tap interfaces in Strata Cloud Manager.
1. Log in to Strata Cloud Manager.
2. Select and select the context view where you want to create the tap interface.
   Select a firewall from the Config Tree or select Snippets to configure the tap interface in a snippet.
   If you select a folder from the Config Tree or select a snippet, you create a tap interface variable that must be assigned at the device level.
3. Add the interface.
   If you're configuring a tap interface for a specific firewall, select the interface you want to configure instead.
4. Configure the interface.
   If you're configuring an interface in the folder or snippet context, the interface configuration is pushed only to firewalls that have the corresponding interface slot available. For example, if you configure Ethernet 1/5 in the folder context and the firewall associated with the folder has only four interface slots, then the configuration isn't pushed to the firewall.
   1. Select the interface Slot.
   2. Enter or select the Interface Name.
      When you configure an interface for a specific firewall, the Interface Name is fixed, such as ethernet1/1 if you select Slot 1. The fixed interface names depend on the slot that you selected in the previous step.
   3. (Folders and Snippets only) Select the Default Interface Assignment.
   4. (Optional) Enter a Description.
   5. For Interface Type, select Tap.
   6. (Folders and Snippets only; Recommended) Assign the interface to a Zone, or select Create New to create a new zone.
      Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
   7. (Optional) Configure the interface link settings.
      1. Select the interface Link Speed. Auto is selected by default and allows the firewall to determine the speed.
      2. Select the interface Link Duplex transmission mode. Auto is selected by default to allow the firewall to negotiate the transmission mode automatically.
      3. Select the interface Link State. Auto detect is selected by default to allow the firewall to automatically determine the link state.
5. Save.
6. Push Config to push your configuration changes.