Ignite '17 edition, Jdelio's favorites Part 1

Community Team Member

There is no doubt that a lot of GREAT things were happening at Ignite'17. If you were not able to come, we all understand, but look forward to seeing you at another Ignite.


The Live Community booth was an exciting place to be. We met so many wonderful people and helped people #GetAnswers.

For a peek into what it was like, check out this short video if you missed it on our front page.


Just like Kim (Kiwi) and Tom (Reaper) posted, I also have some of my favorite questions that I want to feature here. I will post the Question, the Posted Answer and My take on it.


What does a TAP interface do and how does it work?

Posted Answer

A TAP interface is used to get a copy of all traffic across the designated port; any interface can be a TAP interface except management.

My Take

A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.
The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
NOTE: When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.


See also Tom's blog on TAP interfaces here: https://live.paloaltonetworks.com/t5/Community-Blog/What-s-a-TAP-interface-and-what-can-it-do/ba-p/1...

For more information on setting up TAP interfaces, please see the Admin Guides:


Can I use GlobalProtect over SSL to avoid "VPN" detection by the Chinese government?

Posted Answer

Yes, GP only does full tunnelling. If you set up a gateway on a location outside your undesired location, your IP address will source from that location that's less restrictive, allowing you access and possibly avoiding detection (since you are using encrypted SSL traffic).

My Take

By default, when connecting to a GlobalProtect gateway, if IPSec is unable to connect, GlobalProtect will attempt an SSL connection. This is configurable in the GlobalProtect gateway settings: under Network > GlobalProtect > Gateways, select a gateway profile, and on the Tunnel Settings tab you will find an "Enable IPSec" option.

Figure: Gateway configuration showing the IPSec option. Disable it to force an SSL connection.

This option controls whether IPSec is used when connecting to GlobalProtect. If it is unchecked, only SSL is used. In the scenario from the question, IPSec traffic is going to be blocked on a Chinese network but SSL traffic is allowed, so as long as you always use SSL to connect, the Chinese government will not see this traffic and you will still be able to VPN with GlobalProtect.

For more information on configuring GlobalProtect, please visit our NEW GlobalProtect portal page here:


Can I use Panorama as a management AND a logging device in one box?

Posted Answer

Yes, by default, Panorama can be set up as a log collector and still manage devices.

My Take

This is correct: it can be configured to be one or the other, or both.

For information on exactly how to configure Panorama to serve this dual purpose, please see the following article:

How to Configure an M-100 to Function as Both a Log Collector and Panorama


And a cute one for the last one. =)
What happened to the chicken who successfully crossed the road? :)

Posted Answer

He was properly secured!

My Take

What can you say to that? A great answer. He was also secured by Palo Alto Networks devices!


That's all for now folks! 


Please comment below if interested or Like this if you enjoy seeing/reading these.


Stay secure!

Joe Delio (jdelio)
