<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Help understand TAP mode in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220263#M63556</link>
    <description>So, that was the perfect answer I was looking for, @jvalentine. So there isn't any feature to tie multiple decrypt ports to a decryption profile, right? And there isn't any feature released to SPAN on the PA devices itself; we need to have a network broker or a physical switch to SPAN, right?&lt;BR /&gt;Thx</description>
    <pubDate>Mon, 02 Jul 2018 22:25:39 GMT</pubDate>
    <dc:creator>Sanssj</dc:creator>
    <dc:date>2018-07-02T22:25:39Z</dc:date>
    <item>
      <title>Help understand TAP mode</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/159245#M52078</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;sorry for a dumb question but I am new to PaloAlto and I would like to understand the TAP mode on a physical PA firewall. We have Cisco Catalyst 6509 switch running in 1 of the offices as a core. PA firewall is used for users' internet traffic and it is directly connected on that switch. We need to find a way to&amp;nbsp;mirror traffic going through inside interface on that PA firewall. Cisco is not recommending running a permanent SPAN port for monitoring (especially egress port), so I am curious if firewall can provide similar capability. In other words, is it possible to mirror inside interface on an extra firewall port? (1 direction is also fine). Is TAP mode exactly that or this is something different?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jun 2017 18:04:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/159245#M52078</guid>
      <dc:creator>dlavrichev</dc:creator>
      <dc:date>2017-06-02T18:04:55Z</dc:date>
    </item>
    <item>
      <title>Re: Help understand TAP mode</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/159253#M52079</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/65046"&gt;@dlavrichev&lt;/a&gt; We typically use TAP mode interfaces during evaluation with customers (SLR - Security Lifecycle Review), which is part of the Palo Alto sales process. By utilizing tap mode interfaces, the firewall can be connected to a core switch’s span port to identify applications running on the network. This option requires no changes to the existing network design. In this mode the firewall cannot block any traffic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In situations like yours where the core switch either can't handle SPAN / Mirroring or TAP due to performance or any other issues, we typically recommend VWire, where the firewall is placed inline, and the traffic passes right through it, and the appliance is still able to identify applications and threats. Understand VWire as a bump in the wire.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In your case, your firewall is already in a L3 deployment, hence, traffic is already going through it without problems, which offsets the necessity of a TAP deployment.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2017-06-02 at 11.24.59 AM.png" style="width: 500px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9513i20328DDC4648800F/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="Screen Shot 2017-06-02 at 11.24.59 AM.png" alt="Screen Shot 2017-06-02 at 11.24.59 AM.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My question to you is about what is the actual need for you to have one of the firewall interfaces in TAP mode since your device is already in a L3 mode?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jun 2017 18:28:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/159253#M52079</guid>
      <dc:creator>acc6d0b3610eec313831f7900fdbd235</dc:creator>
      <dc:date>2017-06-02T18:28:53Z</dc:date>
    </item>
    <item>
      <title>Re: Help understand TAP mode</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/159640#M52148</link>
      <description>&lt;P&gt;In addition to &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/36590"&gt;@acc6d0b3610eec313831f7900fdbd235&lt;/a&gt;'s great explanation: TAP mode is a 'promiscuous' sniffer state, used solely to suck in data and analyze it in an out-of-band kind of fashion (everything is received, nothing is sent out).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;There is one type of port that does function sort of like a SPAN port, but this is a specialist config used to forward &lt;EM&gt;decrypted&lt;/EM&gt; traffic out. It's called a 'decrypt mirror' and is typically used for extended DLP&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 06 Jun 2017 07:45:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/159640#M52148</guid>
      <dc:creator>reaper</dc:creator>
      <dc:date>2017-06-06T07:45:27Z</dc:date>
    </item>
    <item>
      <title>Re: Help understand TAP mode</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220257#M63554</link>
      <description>So &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608"&gt;@reaper&lt;/a&gt;, can we span decrypted traffic to multiple decrypt mirror ports on the PA devices without the intervention of a physical switch? Or is FR ID 1307 still under consideration?&lt;BR /&gt;&lt;BR /&gt;-thx</description>
      <pubDate>Mon, 02 Jul 2018 21:43:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220257#M63554</guid>
      <dc:creator>Sanssj</dc:creator>
      <dc:date>2018-07-02T21:43:22Z</dc:date>
    </item>
    <item>
      <title>Re: Help understand TAP mode</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220262#M63555</link>
      <description>&lt;P&gt;You may configure one or more decryption mirror ports&lt;/P&gt;&lt;P&gt;You may configure one or more decryption policies&lt;/P&gt;&lt;P&gt;You may configure one or more decryption profiles&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Each decryption policy references _one_ decryption profile&lt;/P&gt;&lt;P&gt;Each decryption profile references _one_ decryption mirror port&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It is possible to use multiple decryption mirror ports (at the same time) - but each mirror port will only have the decrypted traffic from its associated decryption profile (and subsequently, decrypt policy).&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/configure-decryption-port-mirroring#id48f6bc3a-c03c-414b-8759-126567761692" target="_blank"&gt;https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/configure-decryption-port-mirroring#id48f6bc3a-c03c-414b-8759-126567761692&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As of PAN-OS 8.1, you would need to use an intermediary switch if you need to replicate/duplicate all of the decrypted traffic to multiple Ethernet interfaces.&amp;nbsp; &amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 02 Jul 2018 21:56:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220262#M63555</guid>
      <dc:creator>jvalentine</dc:creator>
      <dc:date>2018-07-02T21:56:28Z</dc:date>
    </item>
    <item>
      <title>Re: Help understand TAP mode</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220263#M63556</link>
      <description>So, that was the perfect answer I was looking for, @jvalentine. So there isn't any feature to tie multiple decrypt ports to a decryption profile, right? And there isn't any feature released to SPAN on the PA devices itself; we need to have a network broker or a physical switch to SPAN, right?&lt;BR /&gt;Thx</description>
      <pubDate>Mon, 02 Jul 2018 22:25:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220263#M63556</guid>
      <dc:creator>Sanssj</dc:creator>
      <dc:date>2018-07-02T22:25:39Z</dc:date>
    </item>
    <item>
      <title>Re: Help understand TAP mode</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220652#M63639</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/91991"&gt;@Sanssj&lt;/a&gt;&amp;nbsp;You are correct on both counts.&amp;nbsp; For those two use-cases/requirements, you would need a network packet broker or a physical switch that supports one-to-many port mirroring capabilities.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Of course there's always the possibility that this changes in future PAN-OS releases, but this is the case as of PAN-OS 8.1.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 05 Jul 2018 15:58:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/help-understand-tap-mode/m-p/220652#M63639</guid>
      <dc:creator>jvalentine</dc:creator>
      <dc:date>2018-07-05T15:58:36Z</dc:date>
    </item>
  </channel>
</rss>