1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Networking
    5. Configure Interfaces
    6. Tap Interfaces

    Tap Interfaces

    A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.
    The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
    By deploying the firewall in tap mode, you can get visibility into what applications are running on your network without having to make any changes to your network design. In addition, when in tap mode, the firewall can also identify threats on your network. Keep in mind, however, because the traffic is not running through the firewall when in tap mode it cannot take any action on the traffic, such as blocking traffic with threats or applying QoS traffic control.
    To configure a tap interface and begin monitoring the applications and threats on your network:
    1. Decide which port you want to use as your tap interface and connect it to a switch configured with SPAN/RSPAN or port mirroring.
      You will send your network traffic from the SPAN destination port through the firewall so you can have visibility into the applications and threats on your network.
    2. From the firewall web interface, configure the interface you want to use as your network tap.
      1. Select NetworkInterfaces and select the interface that corresponds to the port you just cabled.
      2. Select Tap as the Interface Type.
      3. On the Config tab, expand the Security Zone and select New Zone.
      4. In the Zone dialog, enter a Name for new zone, for example TapZone, and then click OK.
    3. (Optional) Create any forwarding profiles you want to use.
    4. Create Security Profiles to scan your network traffic for threats:
      1. Select ObjectsSecurity Profiles.
      2. For each security profile type, Add a new profile and set the action to alert.
        Because the firewall is not inline with the traffic you cannot use any block or reset actions. By setting the action to alert, you will be able to see any threats the firewall detects in the logs and ACC.
    5. Create a security policy rule to allow the traffic through the tap interface.
      When creating a security policy rule for tap mode, both the source zone and destination zone must be the same.
      1. Select PoliciesSecurity and click Add.
      2. In the Source tab, set the Source Zone to the TapZone you just created.
      3. In the Destination tab, set the Destination Zone to the TapZone also.
      4. Set the all of the rule match criteria (Applications, User, Service, Address) to any.
      5. In the Actions tab, set the Action Setting to Allow.
      6. Set Profile Type to Profiles and select each of the security profiles you created to alert you of threats.
      7. Verify that Log at Session End is enabled.
      8. Click OK.
      9. Place the rule at the top of your rulebase.
    6. Commit the configuration.
    7. Monitor the firewall logs (MonitorLogs) and the ACC for insight into the applications and threats on your network.

    Related Documentation

    Tap Interface

    Tap Interface Network > Interfaces > Ethernet You can use a tap interface to monitor traffic on a port. To configure a tap interface, click ...

    Configure SSL Inbound Inspection

    SSL Inbound Inspection decryption enables the firewall to see potential threats in inbound encrypted traffic destined for your servers and apply security protections against those ...

    Common Building Blocks for Firewall Interfaces

    Common Building Blocks for Firewall Interfaces Select Network Interfaces to display and configure the components that are common to most interface types. For a description ...

    Configure Interfaces

    Configure Interfaces A Palo Alto Networks next-generation firewall can operate in multiple deployments at once because the deployments occur at the interface level. For example, ...

    Configure QoS for a Virtual System

    Configure QoS for a Virtual System QoS can be configured for a single or several virtual systems configured on a Palo Alto Networks firewall. Because ...

    Building Blocks of Security Zones

    Building Blocks of Security Zones To define a security zone, click Add and specify the following information. Security Zone Settings Description Name Enter a zone ...

    Configure Decryption Port Mirroring

    Where permitted by law, you can decrypt traffic and send the cleartext (unencrypted) traffic to a device that can archive and analyze the traffic. ...

    Set Up Antivirus, Anti-Spyware, and Vulnerability Protectio...

    Set Up Antivirus, Anti-Spyware, and Vulnerability Protection Every Palo Alto Networks next-generation firewall comes with predefined Antivirus , Anti-Spyware , and Vulnerability Protection profiles that ...

    Known Issues Related to PAN-OS 9.0

    List of known issues in the PAN-OS® 9.0 release. ...

    Create a Decryption Policy Rule

    Decryption policy rules granularly define the traffic to decrypt or not to decrypt based on the source, destination, service (application port), and URL Category. ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo