When you configure the TAP port, you must assign that port to a "Zone". When you create this zone, you must define it as a Zone to be used for TAP interfaces (call it anything you like; I typically use tapzone). When you use v-wire or L2 bridging, you will create a pair of zones (trust & untrust, inside & outside, etc.) that will also need to be defined as "v-wire"- or "L2"-specific zones. In your security policy, you would then use 2 different rules:

1. permit from tapzone to tapzone, all apps, all ports, all content features, logging enabled
2. permit from trust to untrust, specific app, application-default port, content features enabled, logging enabled, etc.

Does that answer the question?
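As an added worked example (this is not from the original post or from Palo Alto Networks documentation), here is what the zones and the two security rules described above look like as PAN-OS configure-mode `set` commands. The interface numbers (ethernet1/5 for TAP, ethernet1/1 and ethernet1/2 for the v-wire), the virtual-wire object name, the rule names, the application list in rule 2 and the `default` security-profile group are assumptions; only `tapzone` comes from the post. Lines beginning with `#` are annotations, not commands.

```text
# Added example: PAN-OS "set" commands, entered in configure mode.
# Interface names, rule names, application list and profile group are assumed.

# --- TAP: one passive interface placed in a zone of type "tap" ---
set network interface ethernet ethernet1/5 tap
set zone tapzone network tap ethernet1/5

# --- Virtual wire: two in-line interfaces, each in its own zone of type "virtual-wire" ---
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vwire-1 interface1 ethernet1/1 interface2 ethernet1/2
set zone untrust network virtual-wire ethernet1/1
set zone trust network virtual-wire ethernet1/2

# --- Rule 1: tapzone -> tapzone, all apps, all ports, content inspection and logging on ---
set rulebase security rules tap-visibility from tapzone to tapzone source any destination any application any service any action allow log-end yes profile-setting group default

# --- Rule 2: trust -> untrust, specific apps on their application-default ports, inspected and logged ---
set rulebase security rules allow-web-out from trust to untrust source any destination any application [ web-browsing ssl ] service application-default action allow log-end yes profile-setting group default

commit
```

Two things to keep in mind when adapting this: a TAP interface only receives a mirrored copy of traffic, so the `allow` in rule 1 cannot block anything; its purpose is to make the firewall classify, inspect and log what it sees, which is why that rule is deliberately wide open. On the v-wire, the pair of interfaces must be set to type `virtual-wire` before the `vwire-1` object that references them will commit, and each interface must belong to a zone of the matching type or rule 2 will never match traffic.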