03-20-2018 03:38 PM
Hello
I just need a confirmation: can I configure a TAP interface plus 2 bridge interfaces, and make 2 policy rules, one for TAP and the second for the bridge, in order to generate logs for TAP and bridge traffic at once? Is that possible?
Thanks
03-20-2018 04:20 PM
When you configure the TAP port, you must assign that port into a "Zone". When you create this zone, you must define it as a Zone to be used for TAP interfaces. (Call it anything you like, I typically use tapzone).
When you use v-wire or L2 bridging, you will create a pair of zones (trust & untrust, inside & outside, etc.) that will also need to be defined as "v-wire" or "L2"-specific zones.
In your security policy, you would then use 2 different rules:
1.) permit from tapzone to tapzone all apps, all ports, all content features, logging enabled
2.) permit from trust to untrust, specific app, application-default port, content features enabled, logging enabled, etc.
Does that answer the question?
03-20-2018 04:31 PM
OK, that means I can configure the PA for TAP and bridge mode at once. OK, that was very helpful; I thank you very, very much.
NB: (for bridge mode I think I can also use one Layer 2 zone, for example)
03-20-2018 04:38 PM
Each interface can be configured to support a specific mode. You may select one mode per interface (and sometimes, per sub-interface). For your configuration, you would need 1 port for TAP mode, and then use other ports for other modes (such as L2, L3, v-wire, HA, etc.)
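Putting the two answers together (a tap-type zone plus a pair of L2 zones, two security rules, and exactly one mode per physical port), here is an added example in PAN-OS set-command syntax. It is not from the original thread and is not copied from any vendor document. The port numbers (ethernet1/1 to 1/3), the VLAN object name, the zone and rule names, the application list, and the "default" security profile group are all assumptions; verify the exact syntax against your PAN-OS release before committing.

```text
# Added example, not part of the original thread. Names and port numbers are assumed.
configure

# One mode per physical port: ethernet1/1 is the TAP port (fed by a SPAN/mirror session),
# ethernet1/2 and ethernet1/3 are the Layer 2 bridge pair.
set network interface ethernet ethernet1/1 tap
set network interface ethernet ethernet1/2 layer2
set network interface ethernet ethernet1/3 layer2

# L2 ports forward through a VLAN object; both bridge ports join the same one.
set network vlan bridge-vlan interface [ ethernet1/2 ethernet1/3 ]

# Zones: the TAP port goes into a tap-type zone, the bridge pair into two layer2-type zones.
set zone tapzone network tap ethernet1/1
set zone trust network layer2 ethernet1/2
set zone untrust network layer2 ethernet1/3

# If your config keeps network objects under vsys1 (single-vsys boxes usually do), import them.
set vsys vsys1 import network interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]
set vsys vsys1 import network vlan bridge-vlan

# Rule 1: tap traffic. Source and destination zone are both the tap zone. Allow everything
# so the content engine inspects and logs it; a TAP port can only observe, never block,
# so a deny here would only stop inspection and logging.
set rulebase security rules tap-visibility from tapzone to tapzone source any destination any application any service any action allow
set rulebase security rules tap-visibility log-end yes profile-setting group default

# Rule 2: bridged traffic, trust -> untrust only, specific apps on their default ports.
set rulebase security rules allow-web-out from trust to untrust source any destination any application [ web-browsing ssl ] service application-default action allow
set rulebase security rules allow-web-out log-end yes profile-setting group default

commit
```

Two things to keep in mind when reading the logs. The bridge rule matches sessions initiated from trust; return packets belong to the same session, so no reverse rule is needed for them to be logged. Sessions initiated from untrust, however, fall through to the built-in interzone-default deny rule, which does not log unless you enable logging on it, so until you do that the bridge side will look quieter than the TAP side for inbound attempts.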