Lost Newbie - TAP Interface



We bought a PA-500 just to start kicking the tires. I was ready to see a Juniper style GUI but was quickly lost in the PA Interface. Here is what I am looking to do, maybe someone can give me a quick list of configuration steps.

All we want to do is to see the traffic for now. It would be nice if we could do the LDAP Integration to see who is doing what.

I want to use a TAP Interface. I already have a mirrored interface of a firewall that I would like to use.

I want 1 interface to manage the Box, I'm assuming I can just use the MGMT Interface for this. (duh)

I may in the future want an interface to inject TCP resets for traffic we don't like.

What do I need to set up? Do I need to set up new zones, virtual routers, etc.?


L4 Transporter

Doc to get you started

https://live.paloaltonetworks.com/docs/DOC-1445- For LDAP

You use the dedicated mgmt interface for OOB. In order to send TCP resets, you will have to deploy in either vwire/L2/L3 mode.

L4 Transporter

> I want to use a TAP Interface. I already have a mirrored interface of a firewall that I would like to use.

This part is easy. Under the Device Tab, click on one of the interfaces and another window will pop up allowing you to define what type of interface it is. In the first drop-down box select "Tap" and then at the bottom select a zone. I recommend clicking the "New" link and creating a new zone called "Tapzone." Hit OK on that page and you're set for the zone, OK on the prior page and you've created your tap port. Now hit Commit in the top right corner to make your changes active. Also, you may want to make a security policy (Policies Tab). Just create a new policy from Tapzone to Tapzone allowing all. You can create profiles here to alert on all URLs, vulnerabilities, and viruses so you can generate more log entries and see more logs there, too.

> I want 1 interface to manage the Box, I'm assuming I can just use the MGMT Interface for this.

Yes, that's it. By default the IP address of the device is, but to change this, you can console in, type "configure" at the first prompt and you will be in configuration mode. Use the following CLI command to make your changes:

> set deviceconfig system ip-address netmask default-gateway dns-primary ntp-server-1

> commit

I'll defer to others on the LDAP and TCP reset stuff (I think someone already replied), but if not, check out the admin guide on that; there's some good info there.
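The GUI steps from the reply above, written out as the equivalent PAN-OS configuration CLI, as an added example that is not part of the thread. It assumes ethernet1/1 is the port cabled to the other firewall's mirror session, keeps the zone name Tapzone from the reply, invents the rule name tap-visibility, uses RFC 5737 documentation addresses for the management settings (in the same older `dns-primary`/`ntp-server-1` form the reply quotes), and attaches the built-in "default" threat profiles; check each line against your PAN-OS version with `?` completion before committing.

```text
# Enter configuration mode from the operational prompt
configure

# Out-of-band management on the dedicated MGT port (documentation addresses, replace with your own)
set deviceconfig system ip-address 192.0.2.10 netmask 255.255.255.0 default-gateway 192.0.2.1 dns-primary 192.0.2.53 ntp-server-1 192.0.2.123

# Put the mirror-fed port in tap mode and bind it to a tap-type zone.
# A tap interface only listens: it forwards nothing and cannot inject TCP resets,
# so the reset idea needs a later vwire/L2/L3 deployment, as the first reply notes.
set network interface ethernet ethernet1/1 tap
set zone Tapzone network tap ethernet1/1

# Tapped traffic is evaluated as Tapzone -> Tapzone. Allow all of it and log at
# session end so the Traffic log fills; nothing is blocked in tap mode regardless.
set rulebase security rules tap-visibility from Tapzone to Tapzone source any destination any application any service any action allow log-end yes

# Attach the built-in profiles so the Threat log also populates (alert-only in tap mode)
set rulebase security rules tap-visibility profile-setting profiles virus default vulnerability default spyware default

# Activate the candidate configuration
commit
```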

