How to Configure a Palo Alto Networks Device for Tap Mode Operation
Created On 09/25/18 18:01 PM - Last Modified 11/20/24 18:27 PM
Symptom
This article details how to set up a Palo Alto Networks (PANW) firewall for Tap mode operation.
Environment
- NGFW
- Any PAN-OS
Resolution
The factory default configuration places e1/1 and e1/2 into a virtual wire. Keep this configuration and configure e1/3 in Tap mode.
1. Go to the Network tab > Zones. Create a new zone with a zone type of Tap and give it a name (for example, tapzone, intranetzone, etc.).
2. Go to Network > Interfaces. Select the interface to be configured for Tap. In this example, e1/1 is used. Edit the interface and change the type to Tap. Then, assign the zone created in Step 1.
3. Go to Policies > Security Rules, then create a single rule and select the zone created in Step 1 for the source and destination zone. For example:
   - Name = TAP_Allow
   - Source zone = Tap_Zone
   - Destination zone = Tap_Zone
   - Rule: any any any any any action = allow
4. Optionally, create a threat profile (antivirus, spyware, etc.) and assign it to the rule.
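The following check is an added example, not part of the original article or of any Palo Alto Networks tooling. It reads a configuration in PAN-OS `set` format and confirms that the tap interface, the Tap-type zone and the same-zone allow rule from the steps above line up. The sample configuration is constructed and assumes ethernet1/3 as the tap port, a zone named Tap_Zone and a rule named TAP_Allow; the function names are hypothetical.

```python
import re

# Constructed sample in PAN-OS "set" format, mirroring the steps above.
SAMPLE_CONFIG = """\
set network interface ethernet ethernet1/3 tap
set zone Tap_Zone network tap ethernet1/3
set rulebase security rules TAP_Allow from Tap_Zone
set rulebase security rules TAP_Allow to Tap_Zone
set rulebase security rules TAP_Allow source any
set rulebase security rules TAP_Allow destination any
set rulebase security rules TAP_Allow application any
set rulebase security rules TAP_Allow service any
set rulebase security rules TAP_Allow action allow
"""

def parse_set_config(text):
    """Collect tap interfaces, zone membership and security-rule fields."""
    taps, zones, rules = set(), {}, {}
    for raw in text.splitlines():
        # Drop the leading "set" and an optional "vsys <name>" prefix.
        tok = re.sub(r"^set\s+(vsys\s+\S+\s+)?", "", raw.strip()).split()
        vals = [t for t in tok if t not in ("[", "]")]  # list brackets
        if vals[:3] == ["network", "interface", "ethernet"] and vals[4:5] == ["tap"]:
            taps.add(vals[3])
        elif vals[:1] == ["zone"] and vals[2:3] == ["network"] and len(vals) >= 5:
            zones[vals[1]] = (vals[3], set(vals[4:]))  # (zone type, members)
        elif vals[:3] == ["rulebase", "security", "rules"] and len(vals) >= 6:
            rules.setdefault(vals[3], {})[vals[4]] = vals[5:]
    return taps, zones, rules

def audit_tap_config(text):
    """Return a list of problems; an empty list means the tap setup is consistent."""
    taps, zones, rules = parse_set_config(text)
    problems = [] if taps else ["no interface is set to tap mode"]
    for iface in sorted(taps):
        zone = next((z for z, (kind, members) in zones.items()
                     if kind == "tap" and iface in members), None)
        if zone is None:
            problems.append(f"{iface} is not a member of any tap-type zone")
            continue
        # The rule must stay inside the tap zone: same source and destination zone.
        if not any(r.get("from") == [zone] and r.get("to") == [zone]
                   and r.get("action") == ["allow"] for r in rules.values()):
            problems.append(f"no allow rule with source and destination zone {zone}")
    return problems

if __name__ == "__main__":
    print(audit_tap_config(SAMPLE_CONFIG) or "tap configuration is consistent")
```

Running it against a real device requires the configuration to be exported in `set` format first; a non-empty result names the step that was missed.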
Additional Information
NOTE: It is not recommended to send both production traffic and TAP traffic through the same firewall. This can result in severe performance impact to the production traffic. We recommend that you send TAP traffic onto a firewall that DOES NOT have production traffic going through it.