How to Configure a Palo Alto Networks Device for Tap Mode Operation

How to Configure a Palo Alto Networks Device for Tap Mode Operation

Created On 09/25/18 18:01 PM - Last Modified 10/15/19 21:54 PM


The factory default configuration places e1/1 and e1/2 into a virtual wire.  Keep this configuration and configure e1/3 as Tap mode.

  1. Go to Network tab > Zones. Create a new zone, zone type of Tap. give it a name (example, tapzone, intranetzone, etc).
  1. Go to Network > Interfaces. Select the interface to be configured for Tap. 
In this example, e1/1 is used.  Edit the interface and change the type to Tap. Then, assign the zone created in Step 1.
  1. Go to Policies > Security Rules, then create a single rule and select the zone created in Step 1 for the source and destination zone.
    • Name = TAP_Allow
    • Source zone = Tap_Zone
    • Destination zone = Tap_Zone
    • Rule: any any any any any action = allow
  2. For example: Optionally, create a threat profile (antivirus, spyware, etc.) and assign it to the rule:

Note: It is not recommended to send both production traffic and TAP traffic through the same firewall. This can result in severe performance impact to the production traffic. We recommend that you send TAP traffic onto a firewall that DOES NOT have production traffic going through it.

  • Print
  • Copy Link