Idea to use Palo Alto for IDS replacement

L3 Networker

Well the standard setup 

Core 6500 series that connects firewall, IDS sensor, etc...

Palo Alto has different zones for internal for different services and external zones as well.

Palo Alto L3 interfaces and sub-interfaces 


New setup Idea nexus 9000 with ACI

Palo Alto no changes 

Since ACI does not support SPAN or RSPAN, which is used for the IDS sensor.



L5 Sessionator

If PA is in L3 mode then it will see only traffic travelling between networks configured on that FW.

Local traffic within same broadcast domain will never reach FW. You would need SPAN/TAP ports for that.


L3 Networker


SPAN is not going to be an option in the new upgrade; only L3 is going to be an option.


L4 Transporter

@AdamCoombs We have all of the Palo Alto logs syslogging to our SIEM. In our SIEM, we have created rules to fire off an email alert and/or generate an "offense" based on what is in the syslog payload.

L5 Sessionator


The problem in this case is getting the traffic to the PA first. PA can do a great job analysing the traffic it sees.

L5 Sessionator


Traffic between 2 PCs within the same broadcast domain passes only through a pair of layer 2 ports on the switch (if we simplify things a bit).

Options to see this traffic are:

- mirror port (which is not an option in your case),

- inline pair of ports for each host on network (which is not realistic),

- some endpoint client on these PCs (with host IPS functionality)



L3 Networker

Santonic, we already use HIPS on the PC too.

Well, the best idea so far is to create a zone that is for the PCs so that anything that tries to cross over to any other zone will be caught.

I am still going to look into an IDS system that supports L3 inspection tap.

Thank you all for the help with this.

If anyone knows of a product or service Palo Alto offers like this, please let me know.

L5 Sessionator

You know the source where the scans are coming from? You have designated scanners? Then yeah, put them in a separate network and you will see their traffic and alerts.

I thought the idea was to monitor your network for users which might be doing some unwanted scans.


So far I have never heard about the possibility of redirecting mirror traffic to an L3 tap. Nor about such devices.


There is another family of devices though, called network taps. Basically you put them in your network on interesting traffic paths and mirror that traffic to some device which can analyze the traffic. Either for troubleshooting or security checks.

Basically a TAP is a 3-port device; 2 ports are the inline segment where you direct your traffic through. The 3rd port is a port where all that traffic from the inline ports is mirrored to. That 3rd port can then be connected to a PA TAP port. Of course these network taps are scaled and sized by throughput, number of ports... etc.




L3 Networker

You are right, the idea was to monitor the network for users which might be doing some unwanted scans.

So that is why I came up with the idea of different zones with a vulnerability profile.

We are looking into network tap devices; one is from Cisco that works with the ACI program that we will be getting.

Thank you Santonic 
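
The visibility gap discussed in this thread, as an added example that is not part of any of the posts above: it classifies flows by whether an L3-mode firewall would ever see them. The zone names, subnets and sample flows are constructed, and it assumes the firewall is the default gateway for every listed subnet.

```python
import ipaddress

# Constructed layout: each subnet is an L3 interface or sub-interface on the
# firewall, and the firewall is assumed to be that subnet's default gateway.
ZONES = {
    "pc": ["10.10.0.0/24", "10.11.0.0/24"],
    "servers": ["10.20.0.0/24"],
}
SUBNETS = [(ipaddress.ip_network(n), z) for z, nets in ZONES.items() for n in nets]


def locate(ip):
    """Return (subnet, zone) for an address, or (None, 'external')."""
    addr = ipaddress.ip_address(ip)
    for net, zone in SUBNETS:
        if addr in net:
            return net, zone
    return None, "external"


def classify(src, dst):
    """Classify a flow by whether an L3-mode firewall would see it."""
    s_net, s_zone = locate(src)
    d_net, d_zone = locate(dst)
    if s_net is None and d_net is None:
        return "not-local"   # neither end is on a firewall subnet
    if s_net == d_net:
        return "blind"       # same broadcast domain: switched at L2 only
    # Different subnets: the packet is routed through the firewall.
    return "interzone" if s_zone != d_zone else "intrazone"


def blind_spots(flows):
    """Flows that need a TAP, mirror port or host agent to be observed."""
    return [(s, d) for s, d in flows if classify(s, d) == "blind"]


# Constructed sample: one PC probing its neighbours and other networks.
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.10.0.16"),    # PC to PC, same subnet
    ("10.10.0.15", "10.11.0.7"),     # PC to PC, other subnet in the same zone
    ("10.10.0.15", "10.20.0.5"),     # PC to server zone
    ("10.10.0.15", "198.51.100.9"),  # PC to an external address
]

if __name__ == "__main__":
    for s, d in SAMPLE_FLOWS:
        print(f"{s} -> {d}: {classify(s, d)}")
```

Flows reported as `blind` are the ones a dedicated PC zone does not cover; `intrazone` flows reach the firewall but are only inspected if a matching rule carries the vulnerability profile.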
