Is it possible that a firewall configured in tap mode block traffic?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Is it possible that a firewall configured in tap mode block traffic?

L3 Networker

Hi,

I have recently installed a pan device in TAP mode, with a port mirroring on a cisco switch that copy traffic to the tap interface. On the policy cofigured to allow all between TAP zone and TAP zone, i have configured default security profiles, specially url filtering profile that block some categories by default, so the question is, while beeing in tap mode, is it possible that the firewall actively participate in the traffic, by blocking some urls for example? I wanr also to know if the block action in url fiktering profiles is achived by a quiet drop of paquets or by a sending of TCP RST paquet?

Regards.

4 REPLIES 4

Not applicable

My understanding is that TAP mode is merely watching traffic without that abiliity to interfere with it (i.e..using rules to block /allow etc...). The PAN gurus can answer definitively, though.

L3 Networker

Not supported. you will have to be inline.

And what about block action in url filtering profile, is it a quite drop or a RST ?

You block the page with a standard or custom message page that essentially says "disallowed." Or you can use a  "continue" mechanism that indicates that the user understands they are supposed to go to the URL but can if they really want to but that the action is logged. Or you can override the request by having the user input an administrative password. Though this last item probably isn't really practical for production networks.

  • 4225 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!