Network technologies and trends

Nov 23 2015   5:24AM GMT

How to configure Palo Alto Firewall in TAP Mode

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Palo Alto Networks

In one my recent post we discussed what is TAP mode in Palo Alto Networks Firewall and the flexibility it offers when it comes to deployment.

I have a Palo Alto Networks Firewall 3050 connected to a Cisco Catalyst 2960 Switch and I am using the following topology to demonstrate TAP configuration. As you can see the Laptop is connected to Cisco switch on port no G1/0/8 and the Palo Alto Firewall is connected to Cisco Switch port G1/0/1 . We will configure a SPAN in Cisco Switch and our source will be G1/0/8 ( Laptop) and the  destination will be G1/0/1 ( Connected to Palo Alto Firewall). Basically we will monitor all the traffic from the host Laptop towards Internet. You can also configure RSPAN the principle remains the same.

Palo Alto Firewall Tap mode

Step 1

Lets configure SPAN in  Cisco Catalyst Switch using following CLI commands


monitor session 1 source interface gigabitEthernet 1/0/8 both

monitor session 1 destination interface gigabitEthernet 1/0/5

Cisco Siwtch SPAN

Step 2

Configure  Ethernet 1/5 as TAP mode by  going to Network -> Interface -> ethernet1/5 -> Interface Type  and select Tap

Screen Shot 2015-11-23 at 7.36.26 AM

Step 3

Assign a Security Zone to ethernet 1/5 as with out this we cannot create Security Rule to monitor the traffic

Network-> Zone->Add

Screen Shot 2015-11-23 at 7.41.48 AM

Name : Name of the zone you want  -> Type : Should be TAP and add ethernet 1/5 to be part of new Zone you are creating as shown

Screen Shot 2015-11-23 at 7.43.44 AM

Step 4

Create a Security policy so that we can monitor the traffic in the logs tab and can also see the details in ACC tab, without configuring the Security Policy one cannot monitor the traffic spanning through the Palo Alto Network Firewall in TAP mode. Ensure that the rule is at the top and both the source zone and destination zone are same as demonstrated below

Policies -> Security -> Add

Screen Shot 2015-11-23 at 7.51.08 AM

You can use any name you want

Screen Shot 2015-11-23 at 7.54.08 AM

Add Source Zone – In our case its TAP_ZONE

Screen Shot 2015-11-23 at 7.53.11 AM

Add Destination Zone – In our case its TAP_ZONE

Screen Shot 2015-11-23 at 7.53.21 AM

Allow the traffic and click ok and commit to save the policy

Screen Shot 2015-11-23 at 7.53.39 AM

You final policy should be like this

Screen Shot 2015-11-23 at 8.00.36 AM

One can now see what kind of traffic is passing through the Palo Alto Network Firewall in TAP mode

Monitor -> Logs -> Traffic

Screen Shot 2015-11-23 at 8.02.14 AM

Also one see more details like the risk level and what application are accessed  in Application Command Center (ACC)

Screen Shot 2015-11-23 at 8.05.54 AM


So far I have never experience such a granular report offered by any firewalls. This kinds of value added features obliviously makes Palo Alto Networks Firewall a leader in Next Generation Firewall.

2  Comments on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • JacobNoj

    I believe that the monitoring session destination should be the  gi1/0/1 instead gi1/0/5 because with the configs you made the mirror will be forwarding traffic to the router?

    10 pointsBadges:
  • furqan118

    If I have a Cisco SW 6509 connected to 2 Palo Alto in HA mode. How to configure them in TAP mode? As source network which needs to be monitor is behind Palo Alto firewalls..! WHat will the source and destination interface on Cisco side?

    10 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: