A network tap is a device that provides a
way to access data flowing across a computer network. Tap mode deployment
allows you to passively monitor traffic flows across a network by
way of a switch SPAN or mirror port.
The SPAN or mirror port
permits the copying of traffic from other ports on the switch. By
dedicating an interface on the firewall as a tap mode interface
and connecting it with a switch SPAN port, the switch SPAN port
provides the firewall with the mirrored traffic. This provides application
visibility within the network without being in the flow of network
By deploying the firewall in tap mode, you can get
visibility into what applications are running on your network without
having to make any changes to your network design. In addition,
when in tap mode, the firewall can also identify threats on your
network. Keep in mind, however, because the traffic is not running
through the firewall when in tap mode it cannot take any action
on the traffic, such as blocking traffic with threats or applying
QoS traffic control.
To configure a tap interface and begin
monitoring the applications and threats on your network:
Decide which port you want
to use as your tap interface and connect it to a switch configured
with SPAN/RSPAN or port mirroring.
You will send your network traffic from the SPAN destination
port through the firewall so you can have visibility into the applications
and threats on your network.
From the firewall web interface, configure the interface.
and select the interface
that corresponds to the port you just cabled.
Because the firewall is not inline with the traffic you
cannot use any block or reset actions. By setting the action to
alert, you will be able to see any threats the firewall detects
in the logs and ACC.
Create a security policy rule to allow the traffic through
the tap interface.
When creating a security policy rule for tap mode, both
the source zone and destination zone must be the same.
tab, set the
to the TapZone you just created.
to the TapZone also.
Set the all of the rule match criteria (
tab, set the
select each of the security profiles you created to alert you of threats.
Log at Session End
Place the rule at the top of your rulebase.
Monitor the firewall logs (
) and the
into the applications and threats on your network.