Help understand TAP mode

L0 Member



Sorry for a dumb question, but I am new to Palo Alto and I would like to understand the TAP mode on a physical PA firewall. We have a Cisco Catalyst 6509 switch running in one of the offices as a core. The PA firewall is used for users' internet traffic and it is directly connected to that switch. We need to find a way to mirror traffic going through the inside interface on that PA firewall. Cisco is not recommending running a permanent SPAN port for monitoring (especially an egress port), so I am curious if the firewall can provide similar capability. In other words, is it possible to mirror the inside interface on an extra firewall port? (One direction is also fine.) Is TAP mode exactly that, or is this something different?


Thank you!

L4 Transporter

Re: Help understand TAP mode

@dlavrichev We typically use TAP mode interfaces during evaluation with customers (SLR - Security Lifecycle Review), which is part of the Palo Alto sales process. By utilizing tap mode interfaces, the firewall can be connected to a core switch’s span port to identify applications running on the network. This option requires no changes to the existing network design. In this mode the firewall cannot block any traffic.


In situations like yours where the core switch either can't handle SPAN / Mirroring or TAP due to performance or any other issues, we typically recommend VWire, where the firewall is placed inline, and the traffic passes right through it, and the appliance is still able to identify applications and threats. Understand VWire as a bump in the wire.


In your case, your firewall is already in an L3 deployment; hence, traffic is already going through it without problems, which offsets the necessity of a TAP deployment.



My question to you is: what is the actual need for you to have one of the firewall interfaces in TAP mode, since your device is already in L3 mode?




Community Manager

Re: Help understand TAP mode

In addition to @Willian's great explanation: TAP mode is a 'promiscuous' sniffer state, used solely to suck in data and analyze it in an out-of-band kind of fashion (everything is received, nothing is sent out).


There is one type of port that does function sort of like a SPAN port, but this is a specialist config used to forward decrypted traffic out. It's called a 'decrypt mirror' and is typically used for extended DLP.




Reaper out
L2 Linker

Re: Help understand TAP mode

So @reaper, are we able to SPAN decrypted traffic to multiple decrypt mirror ports on the PA devices without the intervention of a physical switch? Or is FR ID 1307 still under consideration?

L7 Applicator

Re: Help understand TAP mode

You may configure one or more decryption mirror ports

You may configure one or more decryption policies

You may configure one or more decryption profiles


Each decryption policy references _one_ decryption profile

Each decryption profile references _one_ decryption mirror port


It is possible to use multiple decryption mirror ports (at the same time) - but each mirror port will only have the decrypted traffic from its associated decryption profile (and subsequently, decrypt policy).


As of PAN-OS 8.1, you would need to use an intermediary switch if you need to replicate/duplicate all of the decrypted traffic to multiple Ethernet interfaces.   

L2 Linker

Re: Help understand TAP mode

So, that was the perfect answer I was looking for, @jvalentine. So there isn't any feature to tie multiple decrypt ports to a decryption profile, right? So there isn't any feature release to SPAN on the PA devices themselves; we need to have a network broker or a physical switch to SPAN, right?
L7 Applicator

Re: Help understand TAP mode

@Sanssj You are correct on both counts.  For those two use-cases/requirements, you would need a network packet broker or a physical switch that supports one-to-many port mirroring capabilities.  


Of course there's always the possibility that this changes in future PAN-OS releases, but this is the case as of PAN-OS 8.1.  
