What's a TAP interface and what can it do?

Community Manager

Each environment comes with its own challenges, but for every challenge there's an equally interesting solution.

New community member @dlavrichev posted an interesting question regarding TAP interfaces:

[Image: tap interface.png]

Veteran community member @Willian pointed out a tap interface is often deployed during evaluations in a plug-in type of model:

[Image: tap mode diag.png]

So how can a TAP mode benefit you and what can it be used for?

A TAP interface works like a wiretap: it listens for packets and tries to analyse what is going on.

First, a switch port needs to be set in SPAN mode so it copies all packets it passes to another interface. On a Cisco switch that could look like this:

PAN_CORE#sh conf | incl monitor
monitor session 1 source interface Gi6/26
monitor session 1 destination interface Gi6/12
PAN_CORE#

* Different switches use different commands: on Juniper, 'analyzer' is used; other Cisco switches may use 'snoop', and so on. Please check with your switch vendor for exact information on setting up a SPAN port.

The switch will now send a copy of every packet passing through interface Gi6/26 out of Gi6/12 as well. A TAP interface connected to that switch port will be able to see all packets, but will not be able (nor will it try) to participate in the conversation.

The interface needs to be set to tap mode and needs to be configured with a tap zone:

[Image: Tap interface]

[Image: Tap zone]

The zone can be configured just like any other zone, with User-ID enabled and even a zone protection profile attached to it, to detect and report reconnaissance attacks or SYN floods, for example.

Lastly, a security policy needs to be configured with both the source and destination zones set to the tap zone, plus any security profiles that may be of interest.

The policy action needs to be 'allow' so packets are not immediately discarded and sessions can be built:

[Image: Tap policy]

Once the configuration has been committed, the tap interface will start discarding packets (it cannot forward them, since it does not participate in the traffic), but it will analyze every packet, build sessions and apply App-ID and Content-ID inspection.

admin@myNGFW(active)> show counter global filter delta yes packet-filter yes

Global counters:
Elapsed time since last sampling: 373.341 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_fwd_tap_drop                         44        0 drop      flow      forward   Packets dropped: Tap interface
--------------------------------------------------------------------------------
Total counters shown: 1
--------------------------------------------------------------------------------

It could take a few minutes before the tap interface 'kicks in', as it will first see sessions that are already in progress, which may not be usable for layer 7 inspection. After a while, more counters indicating layer 7 inspection will start to appear and sessions will become visible:

admin@myNGFW(active)> show counter global filter delta yes packet-filter yes

Global counters:
Elapsed time since last sampling: 21.431 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_outstanding                            1        0 info      packet    pktproc   Outstanding packet to be transmitted
pkt_alloc                                 16        0 info      packet    resource  Packets allocated
session_allocated                          8        0 info      session   resource  Sessions allocated
session_installed                          8        0 info      session   resource  Sessions installed
flow_tcp_non_syn                           2        0 info      flow      session   Non-SYN TCP packets without session match
flow_tcp_non_syn_drop                      2        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_tap_drop                         13        0 drop      flow      forward   Packets dropped: Tap interface
flow_dos_syncookie_cookie_sent             1        0 info      flow      dos       TCP SYN cookies: cookies sent, aggregate profile/zone
appid_ident_by_icmp                        3        0 info      appid     pktproc   Application identified by icmp type
appid_proc                                 5        0 info      appid     pktproc   The number of packets processed by Application identification
dfa_sw                                     6        0 info      dfa       pktproc   The total number of dfa match using software
fpga_request                               8        0 info      fpga      offload   The outstanding requests to FPGA
aho_fpga                                   8        0 info      aho       resource  The total requests to FPGA for AHO
aho_fpga_data                           1940       90 info      aho       resource  The total data size to FPGA for AHO
ctd_process                                8        0 info      ctd       pktproc   session processed by ctd
ctd_pkt_slowpath                          11        0 info      ctd       pktproc   Packets processed by slowpath
--------------------------------------------------------------------------------
Total counters shown: 16
--------------------------------------------------------------------------------

admin@myNGFW(active)> show session all filter rule 'tap mode'

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
2233         dns            ACTIVE  FLOW       10.192.16.164[11716]/tap/17  (10.192.16.164[11716])
vsys1                                          8.8.8.8[53]/tap  (8.8.8.8[53])
2240         ping           ACTIVE  FLOW       10.192.16.21[768]/tap/1  (10.192.16.21[768])
vsys1                                          10.192.16.164[5179]/tap  (10.192.16.164[5179])
2230         dns            ACTIVE  FLOW       10.192.16.164[64646]/tap/17  (10.192.16.164[64646])
vsys1                                          8.8.8.8[53]/tap  (8.8.8.8[53])
2231         dns            ACTIVE  FLOW       10.192.16.164[61368]/tap/17  (10.192.16.164[61368])
vsys1                                          8.8.8.8[53]/tap  (8.8.8.8[53])
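As an added example (not part of the original post and not PAN-OS code), here is a small Python script that parses the two kinds of CLI listing shown above, the global counter table and the session table, and reports whether the tap interface is still only dropping packets or has started building sessions and running App-ID/Content-ID. The sample text embedded in it is constructed from the listings on this page; the status labels ("no-traffic", "warming-up", "inspecting") and the choice of counters used to decide them are my own assumptions, not a PAN-OS convention.

```python
"""Check how far a PAN-OS tap interface has got: only tap drops, or real Layer 7 work.

Added example. Sample output below is constructed after the CLI listings on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the counter table shortly after the commit.
COUNTERS_EARLY = """\
Global counters:
Elapsed time since last sampling: 373.341 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
flow_fwd_tap_drop                         44        0 drop      flow      forward   Packets dropped: Tap interface
--------------------------------------------------------------------------------
Total counters shown: 1
"""

# Constructed sample: a few minutes later, App-ID and Content-ID counters appear.
COUNTERS_LATER = """\
Global counters:
Elapsed time since last sampling: 21.431 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
session_installed                          8        0 info      session   resource  Sessions installed
flow_tcp_non_syn_drop                      2        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_tap_drop                         13        0 drop      flow      forward   Packets dropped: Tap interface
appid_proc                                 5        0 info      appid     pktproc   The number of packets processed by Application identification
ctd_process                                8        0 info      ctd       pktproc   session processed by ctd
--------------------------------------------------------------------------------
Total counters shown: 5
"""

# Constructed sample session table (PAN-OS prints two lines per session).
SESSIONS = """\
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
2233         dns            ACTIVE  FLOW       10.192.16.164[11716]/tap/17  (10.192.16.164[11716])
vsys1                                          8.8.8.8[53]/tap  (8.8.8.8[53])
2240         ping           ACTIVE  FLOW       10.192.16.21[768]/tap/1  (10.192.16.21[768])
vsys1                                          10.192.16.164[5179]/tap  (10.192.16.164[5179])
2230         dns            ACTIVE  FLOW       10.192.16.164[64646]/tap/17  (10.192.16.164[64646])
vsys1                                          8.8.8.8[53]/tap  (8.8.8.8[53])
"""

# One data row of 'show counter global': name, value, rate, severity, category, aspect, text.
COUNTER_RE = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.*\S)\s*$")
# First line of a session: ID, app, state, type, then Src[Sport]/Zone/Proto.
SESSION_SRC_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+\S+\s+"
    r"(?P<src>\S+)/(?P<szone>[^/\s]+)/(?P<proto>\d+)")
# Second line of a session: vsys, then Dst[Dport]/Zone.
SESSION_DST_RE = re.compile(r"^(?P<vsys>vsys\d+)\s+(?P<dst>\S+)/(?P<dzone>\S+)")


def parse_counters(text):
    """Return {counter_name: value} for every data row of the counter table."""
    return {m["name"]: int(m["value"])
            for m in map(COUNTER_RE.match, text.splitlines()) if m}


def tap_status(counters):
    """Classify the tap interface's warm-up phase from the counters alone (assumed labels)."""
    tap_drops = counters.get("flow_fwd_tap_drop", 0)
    layer7 = [counters.get(k, 0) for k in ("appid_proc", "ctd_process", "session_installed")]
    if any(layer7):
        return "inspecting"   # sessions are built and App-ID / Content-ID are running
    if tap_drops:
        return "warming-up"   # only tap drops so far: mid-stream flows, give it a few minutes
    return "no-traffic"       # nothing reached the tap port at all: check the SPAN session


@dataclass
class TapSession:
    sid: int
    app: str
    src: str
    dst: str
    proto: int
    zones: tuple


def parse_sessions(text):
    """Pair up the two-line session entries of 'show session all'."""
    sessions, pending = [], None
    for line in text.splitlines():
        src = SESSION_SRC_RE.match(line)
        if src:
            pending = src
            continue
        dst = SESSION_DST_RE.match(line)
        if dst and pending:
            sessions.append(TapSession(int(pending["id"]), pending["app"], pending["src"],
                                       dst["dst"], int(pending["proto"]),
                                       (pending["szone"], dst["dzone"])))
            pending = None
    return sessions


def session_summary(sessions, tap_zone="tap"):
    """Applications seen, plus IDs of sessions whose zones are not both the tap zone."""
    apps = Counter(s.app for s in sessions)
    stray = [s.sid for s in sessions if set(s.zones) != {tap_zone}]
    return dict(apps), stray


if __name__ == "__main__":
    print("early:", tap_status(parse_counters(COUNTERS_EARLY)))
    print("later:", tap_status(parse_counters(COUNTERS_LATER)))
    print("sessions:", session_summary(parse_sessions(SESSIONS)))
```

Run it against a fresh `show counter global filter delta yes packet-filter yes` capture (paste the text into `COUNTERS_LATER`) a few minutes after the commit: "warming-up" just means the firewall is still only seeing flows that started before it was listening, while "no-traffic" points back at the SPAN configuration on the switch. The `stray` list from `session_summary` should stay empty; a session with a zone other than the tap zone would mean the tap policy is matching traffic it was not meant to.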

Sessions will also become visible in the logs, with User-ID applied where possible:

[Image: Tap sessions captured in logs]

With this information in your pocket, you're now able to install a listening device in a network in a passive listening state, allowing for full reporting and analysis of potential threats without needing to put the device inline just yet. This can be helpful during troubleshooting or convincing management you need a firewall for a specific network segment.  ;)

Hope you enjoyed this information, feel free to comment or ask questions below!

Reaper out
