I have my PAs looking at a TAP from my switches and also L3. My thought was to look at traffic that wasn't being routed.
But I was thinking: what happens to my TAP traffic if I have a policy that allows traffic from zone staff, so on L3, but the PA also sees the packet on the TAP interface? That policy will not apply, and that packet will get caught by the catch-all, which will disallow it. Will the PA send a reset, or will it associate it with the current session?
Should I just have a rule at the top that allows all TAP traffic but does inspection of it? Basically I am looking for malware and intrusion stuff.
The Palo Alto Networks firewall is a zone-based firewall. This means that zones are paramount: if your TAP interface has been properly configured, it will have its own zone, and it will therefore have a completely different session than the session passing through your L3
(even if the TAP was improperly configured, the session is still intrazone, so still different from the actual L3).
So anything seen on the TAP will not interfere with anything passing through or being blocked on the L3. It is completely standalone.
Also: a TAP interface is passive, so if it detects a threat it will not send a RST or take action in any way.
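As an added example, not part of the reply above or of any Palo Alto Networks documentation, here is the kind of PAN-OS CLI configuration the question describes: the TAP interface placed in its own zone, and an intrazone allow rule for that zone with security profiles attached, to be ordered above the catch-all deny. The interface name ethernet1/5, the zone name TAP-ZONE, the rule name TAP-Inspect and the choice of the built-in default profiles are assumptions; the set-command syntax follows PAN-OS configure mode but should be checked against the release in use.

```text
configure
set network interface ethernet ethernet1/5 tap
set zone TAP-ZONE network tap ethernet1/5
set rulebase security rules TAP-Inspect from TAP-ZONE to TAP-ZONE source any destination any application any service any action allow
set rulebase security rules TAP-Inspect profile-setting profiles virus default vulnerability default spyware default
set rulebase security rules TAP-Inspect log-end yes
set rulebase security rules TAP-Inspect description "Inspect and log mirrored traffic only"
commit
```

Because the TAP zone only ever sees copies of packets, traffic on it can never match a rule written from the staff zone to an L3 zone; it is keyed to its own zone and evaluated on its own. The explicit intrazone rule is what attaches the profiles: without it, the mirrored sessions fall through to whatever rule sits below, and a catch-all deny would log a deny rather than a threat verdict. Any reset or drop action a profile would take on this rule only appears in the threat log, since nothing is sent out of a TAP interface.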