Security Policy Match Criteria For TaP Interfaces

Created On 08/06/20 22:17 PM - Last Modified 12/11/20 02:29 AM


Symptom


A security rule is configured to allow traffic from certain IP addresses only. However, traffic from any source IP is allowed through the security policy.

Environment


  • Any PAN-OS
  • Palo Alto Networks firewalls (hardware and VM based)
  • TAP interfaces configured


Cause


A TAP interface is designed for passive traffic monitoring in a network environment.
This is achieved through a Switch Port Analyzer (SPAN) port, most commonly on a connected upstream switch. The switch mirrors (copies) all traffic and sends the copy to the firewall's TAP interface; the original traffic never passes through the firewall.


Resolution


Enforcing security rules such as traffic blocks is not supported when using TAP interfaces, because traffic does not transit the firewall in TAP mode: the firewall only sees a mirrored copy, so a policy match (allow or deny) cannot affect the original packets.
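As an added defender-side check that is not part of this KB article: a Python script that scans an exported PAN-OS XML configuration for security rules bound only to TAP zones that look as if they were meant to enforce something (a deny action, or an allow rule restricted to certain sources, which is exactly the symptom above). The sample configuration is constructed, and the element layout (zone/entry/network/tap, rulebase/security/rules/entry) is assumed here rather than taken from the article.

```python
"""Flag security rules on TAP zones that cannot enforce anything: a TAP
zone only receives mirrored (SPAN) copies, so deny/allow has no effect."""
import xml.etree.ElementTree as ET

# Constructed sample export; the element layout follows the PAN-OS config
# format as assumed here, it is not taken from a real device.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1">
  <zone>
    <entry name="tap-zone"><network><tap><member>ethernet1/3</member></tap></network></entry>
    <entry name="trust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  </zone>
  <rulebase><security><rules>
    <entry name="tap-block-bad-ips"><from><member>tap-zone</member></from><to><member>tap-zone</member></to>
      <source><member>10.0.0.0/8</member></source><action>deny</action></entry>
    <entry name="tap-allow-mgmt"><from><member>tap-zone</member></from><to><member>tap-zone</member></to>
      <source><member>10.1.1.0/24</member></source><action>allow</action></entry>
    <entry name="tap-visibility"><from><member>tap-zone</member></from><to><member>tap-zone</member></to>
      <source><member>any</member></source><action>allow</action></entry>
    <entry name="trust-internal"><from><member>trust</member></from><to><member>trust</member></to>
      <source><member>192.168.1.0/24</member></source><action>deny</action></entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def tap_zones(root):
    """Names of zones whose member interfaces are TAP interfaces."""
    return {z.get("name") for zone in root.iter("zone")
            for z in zone.findall("entry") if z.find("network/tap") is not None}


def unenforceable_rules(xml_text):
    """Return (rule name, reason) for TAP-only rules that cannot enforce."""
    root = ET.fromstring(xml_text)
    taps = tap_zones(root)
    findings = []
    for rules in root.iter("rules"):
        for rule in rules.findall("entry"):
            zones = {m.text for m in rule.findall("from/member")}
            zones |= {m.text for m in rule.findall("to/member")}
            if not zones or not zones <= taps:
                continue  # touches a non-TAP zone: policy is enforced normally
            action = rule.findtext("action", "allow")
            sources = {m.text for m in rule.findall("source/member")}
            if action != "allow":
                findings.append((rule.get("name"), f"action '{action}' is not enforced on a TAP zone"))
            elif sources != {"any"}:
                findings.append((rule.get("name"), "source restriction excludes nothing on a TAP zone"))
    return findings
```

Running `unenforceable_rules(SAMPLE_CONFIG)` flags `tap-block-bad-ips` and `tap-allow-mgmt`; the visibility-only rule and the layer3 rule pass.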
