Palo Alto Networks Knowledgebase: How to Configure a Palo Alto Networks Device for Tap Mode Operation

Created On 10/15/19 21:40 PM - Last Updated 10/15/19 21:54 PM
Resolution

The factory default configuration places e1/1 and e1/2 into a virtual wire. Keep this configuration and configure e1/3 in Tap mode.

  1. Go to Network > Zones. Create a new zone with a zone type of Tap and give it a name (for example, tapzone, intranetzone, etc.).
  2. Go to Network > Interfaces. Select the interface to be configured for Tap. In this example, e1/1 is used. Edit the interface and change the type to Tap. Then, assign the zone created in Step 1.
  3. Go to Policies > Security Rules, then create a single rule and select the zone created in Step 1 for both the source and destination zone. For example:
    • Name = TAP_Allow
    • Source zone = Tap_Zone
    • Destination zone = Tap_Zone
    • Rule: any any any any any action = allow
  4. Optionally, create a threat profile (antivirus, spyware, etc.) and assign it to the rule.

Note: It is not recommended to send both production traffic and TAP traffic through the same firewall. This can result in severe performance impact to the production traffic. We recommend that you send TAP traffic onto a firewall that DOES NOT have production traffic going through it.
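One way to check an exported configuration against the steps and the note above, as an added example that is not Palo Alto Networks code. The XML is a constructed excerpt, its element paths are an assumption about the PAN-OS configuration export layout, and `audit_tap_config` and `members` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS configuration export (trimmed).
# The element paths are an assumption; verify them against your own export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
  <network><interface><ethernet>
    <entry name="ethernet1/1"><virtual-wire/></entry>
    <entry name="ethernet1/2"><virtual-wire/></entry>
    <entry name="ethernet1/3"><tap/></entry>
  </ethernet></interface></network>
  <vsys><entry name="vsys1">
    <zone><entry name="Tap_Zone">
      <network><tap><member>ethernet1/3</member></tap></network>
    </entry></zone>
    <rulebase><security><rules><entry name="TAP_Allow">
      <from><member>Tap_Zone</member></from><to><member>Tap_Zone</member></to>
      <action>allow</action>
      <profile-setting><profiles><virus><member>default</member></virus></profiles></profile-setting>
    </entry></rules></security></rulebase>
  </entry></vsys>
</entry></devices></config>
"""

def members(node, path):
    return {m.text for m in node.iterfind(path + "/member")}

def audit_tap_config(xml_text):
    """Hypothetical helper: list deviations from the tap-mode steps and the note."""
    root = ET.fromstring(xml_text)
    findings = []
    ifaces = {e.get("name"): e for e in root.iterfind(".//interface/ethernet/entry")}
    tap_ifaces = {n for n, e in ifaces.items() if e.find("tap") is not None}
    tap_zones = {z.get("name"): members(z, "network/tap")
                 for z in root.iterfind(".//zone/entry") if z.find("network/tap") is not None}
    for name in sorted(tap_ifaces - set().union(*tap_zones.values())):
        findings.append(f"{name}: tap interface is not assigned to a tap zone")
    rules = list(root.iterfind(".//rulebase/security/rules/entry"))
    for zone in sorted(tap_zones):
        allow = [r for r in rules if r.findtext("action") == "allow"
                 and zone in members(r, "from") and zone in members(r, "to")]
        if not allow:
            findings.append(f"{zone}: no allow rule with this zone as source and destination")
        elif all(r.find("profile-setting") is None for r in allow):
            findings.append(f"{zone}: allow rule has no threat profile (optional step)")
    # Note in the article: tap and production traffic should not share a firewall.
    if tap_ifaces and len(ifaces) > len(tap_ifaces):
        findings.append("tap and non-tap interfaces on one device: confirm no production traffic")
    return findings
```

On the sample, which keeps the default virtual wire alongside the tap interface, the only finding is the reminder to confirm that no production traffic crosses the same firewall.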


