topic Re: TAP:Specifying external interface in General Topics

TAP:Specifying external interface

Sniglet999 — Fri, 14 Apr 2017 12:08:59 GMT

I'm working on a home lab, have an ESXi server with some UTM VMs running and I'd like to give them something interesting to look at.

Following the online documentation (both in support and this: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-Device-for-Tap-Mode/ta-p/59438)

I can't seem to get anything other than internal traffic.

The wild external traffic is on eth1, and the GUI for 7.1.4-h2 doesn't have anything that says 'tap this interface'.

What am I missing?

Re: TAP:Specifying external interface

BPry — Fri, 14 Apr 2017 13:25:58 GMT

I'm a little confused on why you are tyring to setup a tap interface on a VM? Generally when you setup a TAP interface you would setup a SPAN port on the switch and then plug that into your actual TAP interface. Then you would create a security policy that just accepts and logs. I'm not sure if what you are trying to do is actually going to function as you think, but I have never had much need for a TAP interface so I could easily be wrong.

Re: TAP:Specifying external interface

Sniglet999 — Sun, 16 Apr 2017 17:24:22 GMT

It's a home lab without a managed switch. It just seemed easiest to keep everything virtual.

I have a netgear managed switch in the toolbag I can wire into the mix, it just seemed like added hassle. (and it's backplane aggregate bandwidth is lower than what the cable modem can deliver.)

But I see your point, and it would avoid the PAN entirely. I just figured it had the functionality native, and ESXi had the ability to receive it, I could tap the traffic virtually, rather than in discrete hardware.

Re: TAP:Specifying external interface

reaper — Tue, 18 Apr 2017 14:19:06 GMT

'tap' is an interface operational mode, creating a promiscuous interface that receives packets in a listening-only mode, any redirection toward this interface needs to be achieved via an external mechanism, like a SPAN port on a switch

if you don't want to interrupt your ongoing traffic, you'll need to create an additional interface, set it to tap mode, create zones and zone-to-zone security policy (allow policy), then add, on the esxi, the new interface to the same vswitch as your external interface, and set it to promiscuous mode

Re: TAP:Specifying external interface

Sniglet999 — Thu, 20 Apr 2017 01:23:14 GMT

I ended up just throwing my switch upstream of the firewall and spanned ports from it.