sorry for a dumb question but I am new to PaloAlto and I would like to understand the TAP mode on a physical PA firewall. We have Cisco Catalyst 6509 switch running in 1 of the offices as a core. PA firewall is used for users' internet traffic and it is directly connected on that switch. We need to find a way to mirror traffic going through inside interface on that PA firewall. Cisco is not recommending running a permanent SPAN port for monitoring (especially egress port), so I am curious if firewall can provide similar capability. In other words, is it possible to mirror inside interface on an extra firewall port? (1 direction is also fine). Is TAP mode exactly that or this is something different?
Solved! Go to Solution.
@dlavrichev We typically use TAP mode interfaces during evaluation with customers (SLR - Security Lifecycle Review), which is part of the Palo Alto sales process. By utilizing tap mode interfaces, the firewall can be connected to a core switch’s span port to identify applications running on the network. This option requires no changes to the existing network design. In this mode the firewall cannot block any traffic.
In situations like yours where the core switch either can't handle SPAN / Mirroring or TAP due to performance or any other issues, we typically recommend VWire, where the firewall is placed inline, and the traffic passes right through it, and the appliance is still able to identify applications and threats. Understand VWire as a bump in the wire.
In your case, your firewall is already in a L3 deployment, hence, traffic is already going through it without problems, which offsets the necessity of a TAP deployment.
My question to you is about what is the actual need for you to have one of the firewall interfaces in TAP mode since your device is already in a L3 mode?
in addition to @Willian 's great explanation: TAP mode is a 'promiscuous' sniffer state, used solely to suck in data and alalyze it in an out-of-band kind of fashion (everything is received, nothing is sent out)
There is one type of port that does function sort of like a SPAN port, but this is a specialist config used to forward decrypted traffic out. It's called a 'decrypt mirror' and is typically used for extended DLP
You may configure one or more decryption mirror ports
You may configure one or more decryption policies
You may configure one or more decryption profiles
Each decryption policy references _one_ decryption profile
Each decryption profile references _one_ decryption mirror port
It is possible to use multiple decryption mirror ports (at the same time) - but each mirror port will only have the decrypted traffic from its associated decryption profile (and subsequently, decrypt policy).
As of PAN-OS 8.1, you would need to use an intermediary switch if you need to replicate/duplicate all of the decrypted traffic to multiple Ethernet interfaces.
@Sanssj You are correct on both counts. For those two use-cases/requirements, you would need a network packet broker or a physical switch that supports one-to-many port mirroring capabilities.
Of course there's always the possibility that this changes in future PAN-OS releases, but this is the case as of PAN-OS 8.1.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!