>
    Configure a Tap Interface
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Set Up Firewalls
    4. Routing and Interfaces
    5. Configure Interfaces
    6. Configure a Tap Interface
    Download PDF
    Next-Generation Firewall

    Configure a Tap Interface

    Table of Contents

    Configure a Tap Interface

    Configure a tap interface for your firewall.
    Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • VM-Series, funded with Software NGFW Credits
    • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
    A network tap interface is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of switch SPAN or mirror port.
    The SPAN, or mirror port, permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
    By deploying the firewall Ethernet interface in tap mode, you can get visibility into what applications are running on your network without having to make any changes to your network design. In addition, when in tap mode, the firewall Ethernet interface can also identify threats on your network. Keep in mind, however, because the traffic isn’t running through the firewall when in tap mode it can’t take any action on the traffic, such as blocking traffic with threats or applying Quality of Service (QoS) traffic control.
    1. Log in to Strata Cloud Manager.
    2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsInterfacesEthernet and select the context view where you want to create the tap interface.
      Select a firewall from the Config Tree or select Snippets to configure the tap interface in a snippet.
      If you select a folder from the Config Tree or select a snippet, you create a tap interface variable that must be assigned at the device level.
    3. Add the interface.
      If you’re configuring a tap interface for a specific firewall, select the interface you want to configure instead.
      • Folders and SnippetsAdd Interface and select Interface.
      • FirewallsAdd and Add Interface.
    4. Configure the interface.
      If you’re configuring an interface in the folder or snippet context, the interface configuration is pushed only to firewalls that have the corresponding interface slot available. For example, if you configure Ethernet 1/5 in the folder context and the firewall associated with the folder has only four interface slots, then the configuration isn’t pushed to the firewall.
      1. Select the interface Slot.
      2. Enter or Select the Interface Name.
        When you configure an interface for a specific firewall, the Interface Name is fixed, such as ethernet1/1 if you select Slot 1. The fixed interface names are dependent on the slot that you selected in the previous step.
      3. (Folders and Snippets only) Select the Default Interface Assignment.
      4. (Optional) Enter a Description.
      5. For Interface Type, select Tap.
      6. (Folders and Snippets only; Recommended) Assign the interface to a Zone.
        Create New to create a new zone. See Zone Protection and DoS Protection for more information.
    5. (Optional) Configure the interface link settings.
      1. Select the interface Link Speed.
        Auto is selected by default and allows the firewall to determine the speed.
      2. Select the interface Link Duplex transmission mode.
        Auto is selected by default to allow the firewall to negotiate the transmission mode automatically.
      3. Select the interface Link State.
        Auto detect is selected by default to allow the firewall to automatically determine the link state.
    6. Save.
    7. Push Config to push your configuration changes.

    © 2024 Palo Alto Networks, Inc. All rights reserved.