
TAP:Specifying external interface

L1 Bithead

I'm working on a home lab, have an ESXi server with some UTM VMs running and I'd like to give them something interesting to look at.

Following the online documentation (both in support and this: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Palo-Alto-Networks-De...

I can't seem to get anything other than internal traffic.

The wild external traffic is on eth1, and the GUI for 7.1.4-h2 doesn't have anything that says 'tap this interface'.

What am I missing?


Accepted Solutions

Cyber Elite

'Tap' is an interface operational mode, creating a promiscuous interface that receives packets in a listening-only mode. Any redirection toward this interface needs to be achieved via an external mechanism, like a SPAN port on a switch.

If you don't want to interrupt your ongoing traffic, you'll need to create an additional interface, set it to tap mode, create zones and a zone-to-zone security policy (allow policy), then add, on the ESXi, the new interface to the same vSwitch as your external interface, and set it to promiscuous mode.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

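The ESXi side of the accepted answer, as an added example that is not from the thread or from VMware or Palo Alto Networks. It assumes the WAN-facing NIC sits on a vSwitch named vSwitch1, that the firewall's extra vNIC goes on a dedicated port group named Tap-PG, and that the tap interface on the firewall is ethernet1/3; all three names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: ESXi side of the accepted answer.
# Assumed names: the WAN-facing NIC lives on vSwitch1; the firewall's extra
# (tap-mode) vNIC is attached to a dedicated port group Tap-PG on that switch.
VSWITCH="${VSWITCH:-vSwitch1}"
PORTGROUP="${PORTGROUP:-Tap-PG}"

# Firewall side for reference (PAN-OS configure mode; interface/zone names assumed):
#   set network interface ethernet ethernet1/3 tap
#   set zone tap-zone network tap ethernet1/3
#   set rulebase security rules tap-allow from tap-zone to tap-zone source any \
#       destination any application any service any action allow log-end yes
#   commit

# Create the port group and allow promiscuous mode on it only, so the rest of
# the vSwitch keeps its default (promiscuous rejected). MAC-address changes and
# forged transmits are rejected too: a listen-only tap never sends. Run on ESXi.
setup_tap_portgroup() {
  esxcli network vswitch standard portgroup add -v "$VSWITCH" -p "$PORTGROUP" &&
  esxcli network vswitch standard portgroup policy security set -p "$PORTGROUP" \
      --allow-promiscuous=true --allow-mac-change=false --allow-forged-transmits=false
}

# Check the output of
#   esxcli network vswitch standard portgroup policy security get -p "$PORTGROUP"
# Returns 0 when the port group is a proper listen-only tap, 1 when promiscuous
# mode is still rejected (the firewall then only sees its own unicast traffic),
# 2 when promiscuous is on but MAC changes or forged transmits are also accepted.
check_tap_policy() {
  promisc=$(printf '%s\n' "$1" | sed -n 's/^ *Allow Promiscuous: *//p' | head -n 1)
  macchg=$(printf '%s\n' "$1" | sed -n 's/^ *Allow MAC Address Change: *//p' | head -n 1)
  forged=$(printf '%s\n' "$1" | sed -n 's/^ *Allow Forged Transmits: *//p' | head -n 1)
  [ "$promisc" = "true" ] || return 1
  if [ "$macchg" = "true" ] || [ "$forged" = "true" ]; then return 2; fi
  return 0
}

# Constructed sample outputs in the esxcli 'get' format, for checking offline.
SAMPLE_TAP_OK='   Allow Promiscuous: true
   Allow Promiscuous Inherited: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false'
SAMPLE_NO_PROMISC='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false'
SAMPLE_TOO_OPEN='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'
```

Re-run the check against the live `esxcli ... get` output after a host reboot or vSwitch change, since the tap interface shows no obvious error when promiscuous mode is lost, it just stops seeing traffic.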

Cyber Elite

I'm a little confused on why you are trying to set up a tap interface on a VM? Generally when you set up a TAP interface you would set up a SPAN port on the switch and then plug that into your actual TAP interface. Then you would create a security policy that just accepts and logs. I'm not sure if what you are trying to do is actually going to function as you think, but I have never had much need for a TAP interface so I could easily be wrong.

It's a home lab without a managed switch. It just seemed easiest to keep everything virtual.

I have a Netgear managed switch in the toolbag I can wire into the mix, it just seemed like added hassle. (And its backplane aggregate bandwidth is lower than what the cable modem can deliver.)

But I see your point, and it would avoid the PAN entirely. I just figured it had the functionality native, and ESXi had the ability to receive it, so I could tap the traffic virtually, rather than in discrete hardware.

I ended up just throwing my switch upstream of the firewall and spanned ports from it.
