Help understand TAP mode


L0 Member

Hello,

sorry for a dumb question but I am new to PaloAlto and I would like to understand the TAP mode on a physical PA firewall. We have Cisco Catalyst 6509 switch running in 1 of the offices as a core. PA firewall is used for users' internet traffic and it is directly connected on that switch. We need to find a way to mirror traffic going through inside interface on that PA firewall. Cisco is not recommending running a permanent SPAN port for monitoring (especially egress port), so I am curious if firewall can provide similar capability. In other words, is it possible to mirror inside interface on an extra firewall port? (1 direction is also fine). Is TAP mode exactly that or this is something different?

 

Thank you!

Accepted Solutions

@dlavrichev We typically use TAP mode interfaces during evaluation with customers (SLR - Security Lifecycle Review), which is part of the Palo Alto sales process. By utilizing tap mode interfaces, the firewall can be connected to a core switch’s span port to identify applications running on the network. This option requires no changes to the existing network design. In this mode the firewall cannot block any traffic.

 

In situations like yours where the core switch either can't handle SPAN / Mirroring or TAP due to performance or any other issues, we typically recommend VWire, where the firewall is placed inline, and the traffic passes right through it, and the appliance is still able to identify applications and threats. Understand VWire as a bump in the wire.

 

In your case, your firewall is already in a L3 deployment, hence, traffic is already going through it without problems, which offsets the necessity of a TAP deployment.

[Screenshot attached: Screen Shot 2017-06-02 at 11.24.59 AM.png]

 

My question to you is about what is the actual need for you to have one of the firewall interfaces in TAP mode since your device is already in a L3 mode?


Cyber Elite

In addition to @acc6d0b3610eec313831f7900fdbd235 's great explanation: TAP mode is a 'promiscuous' sniffer state, used solely to suck in data and analyze it in an out-of-band kind of fashion (everything is received, nothing is sent out).

 

There is one type of port that does function sort of like a SPAN port, but this is a specialist config used to forward decrypted traffic out. It's called a 'decrypt mirror' and is typically used for extended DLP.


Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


6 REPLIES


So @reaper, can we span decrypted traffic to multiple decrypt mirror ports on the PA devices without the intervention of a physical switch? Or is FR ID 1307 still under consideration?

-thx

You may configure one or more decryption mirror ports

You may configure one or more decryption policies

You may configure one or more decryption profiles

 

Each decryption policy references _one_ decryption profile

Each decryption profile references _one_ decryption mirror port

 

It is possible to use multiple decryption mirror ports (at the same time) - but each mirror port will only have the decrypted traffic from its associated decryption profile (and subsequently, decrypt policy).  

 

 

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/configure-decryption-port...

 

As of PAN-OS 8.1, you would need to use an intermediary switch if you need to replicate/duplicate all of the decrypted traffic to multiple Ethernet interfaces.   
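To make the one-to-one chain above concrete, here is an added Python model (not Palo Alto code, and not from this thread) of policy, profile and decrypt-mirror port; the policy matcher, interface names and sessions are simplified, constructed assumptions. It shows which mirror port would receive which decrypted sessions, and that no single port sees all decrypted traffic unless every policy is bound to the same profile:

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed model (not PAN-OS code) of the chain the thread describes:
# decryption policy -> exactly one profile -> exactly one decrypt-mirror port.
@dataclass(frozen=True)
class DecryptionProfile:
    name: str
    mirror_port: str  # the single decrypt-mirror interface this profile forwards to
@dataclass(frozen=True)
class DecryptionPolicy:
    name: str
    src_zone: str  # simplified matcher: source zone, or "any"
    profile: DecryptionProfile
@dataclass(frozen=True)
class Session:
    src_zone: str
    server: str

def match_policy(policies, session):
    """First match wins, like top-to-bottom rulebase evaluation."""
    for policy in policies:
        if policy.src_zone in ("any", session.src_zone):
            return policy
    return None

def mirror_plan(policies, sessions):
    """Return {mirror_port: [sessions]} for sessions that hit a decrypt policy."""
    plan = defaultdict(list)
    for session in sessions:
        policy = match_policy(policies, session)
        if policy is not None:
            plan[policy.profile.mirror_port].append(session)
    return dict(plan)

def ports_seeing_all_decrypted(policies, sessions):
    """Ports receiving every decrypted session: empty unless all policies share a port."""
    plan = mirror_plan(policies, sessions)
    total = sum(len(seen) for seen in plan.values())
    return sorted(port for port, seen in plan.items() if len(seen) == total)

# Constructed sample config: two profiles, each bound to its own mirror port.
USERS_PROFILE = DecryptionProfile("dlp-users", "ethernet1/5")
GUESTS_PROFILE = DecryptionProfile("dlp-guests", "ethernet1/6")
POLICIES = [DecryptionPolicy("decrypt-users", "users", USERS_PROFILE),
            DecryptionPolicy("decrypt-guests", "guests", GUESTS_PROFILE)]
SESSIONS = [Session("users", "mail.example"), Session("guests", "cdn.example"),
            Session("users", "bank.example"), Session("servers", "api.example")]  # last: no match
# Rebinding every policy to one profile is the only way a single port sees all traffic.
SHARED_POLICIES = [DecryptionPolicy(p.name, p.src_zone, USERS_PROFILE) for p in POLICIES]
```

Fanning the same decrypted traffic out to several ports is not expressible in this model at all, which is the gap an external one-to-many switch or packet broker fills.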

So, that was the perfect answer I was looking for, @jvalentine. So there isn't any feature to tie multiple decrypt ports to a decryption profile, right? And there isn't any feature release to SPAN on the PA devices itself; we need to have a network broker or a physical switch to SPAN, right?
Thx

@Sanssj You are correct on both counts.  For those two use-cases/requirements, you would need a network packet broker or a physical switch that supports one-to-many port mirroring capabilities.  

 

Of course there's always the possibility that this changes in future PAN-OS releases, but this is the case as of PAN-OS 8.1.  
