The latest generation of Firewalls and routers support TAP mode out of the box. It’s a huge benefit to installing dedicated hardware or taking up valuable ports on expensive switches. This video shows you how to extend the visibility of your network and enable TAP mode on your firewall without risks.
Deploying the next generation firewall in TAP mode is the easiest way to establish full network visibility, while not taking any operational risks. In a moment I will explain to you the concept and some use cases. If this is your first time here, I’m Lars from Consigas. We call ourselves the Palo Alto Networks Experts, because the next generation firewall is our passion. It’s what we do all day, every day: migrating firewalls, providing managed services, and most important implementing security best practices. When I started to work with this box, in 2010 nearly anyone knew about Palo Alto Networks But as an engineer I felt that this solution will change the world of cyber security, and yes, today We know it did big time, because it’s one of the few security solutions that can truly secure your network. However, there’s a caveat. You need to set it up in the right way in order to be effective, because while it’s awesome it’s not a magic box! So over the years we became Professional Services Partners for Palo Alto Networks, as well as one of the few Elite Authorized Training Centers (eATC), after working in the field for so many years, & being a trainer I would like to share my experience with you! So over the next couple of weeks and months we’ll release new videos and core concepts, Explaining the fundamental workings of the NG Firewall, starting with the Threat Landscape, deployment methods, NAT, App-ID, SSL encryption, VPNs and many more! So follow us on LinkedIn, YouTube or Twitter to stay up to date.
But now let’s get started with TAP interfaces. The principle idea behind the tap interface is to passively monitor the traffic with the next generation firewall. So let’s say we have the following use case: we have an internal network connected to a switch. then connects out to the internet over an existing firewall, and let’s say you would like to monitor this traffic which traverses here going out to the Internet. The way how we can do this is that we, first of all, connect the firewall to the switch and on the switch we configure a Port Mirror. This what this Port mirror will do is send only a copy of all of the traffic (coming in and going out) via this interface to the firewall. This traffic arrives on the firewall and here, like usual, we have to define an interface type So we define it as an interface type TAP and as usual also here we have to allocate a zone. Let’s call this now for instance the INTERNET-TAP zone. The interesting thing from a processing point of view of this traffic is that the packet arrives here and the firewall can now fully analyze the traffic, meaning it identifies the application, It can identify threats.
So we can fully analyze the traffic, and if you look at it from a processing point of view, this packet will also go through the normal processing path like any other packet that arrives in a layer 3 or Virtual Wire deployment. The only big difference is that for the TAP mode the source and destination zone will always be assumed the same, so if you look at the traffic logs you will see that the source and destination zone will always be INTERNET-TAP in this case, but beside this the traffic process is the same, and obviously before the traffic is sent back to the firewall, the packet is obviously dropped, but beside this the full processing takes place. Obviously we still have some limitations here, for instance SSL decryption we cannot do. And that’s the important thing, we cannot interfere with the traffic at all and that’s the full purpose behind the tap mode, so comparing this with the virtual Wire, where we’re handling traffic at Layer 2, so we’re also transparent, but the traffic is traversing the firewall, means the FW can block traffic, so it can block bad applications, it can block malware.
Well in TAP mode it is completely passive, It only receives a copy of the traffic and with this there’s no way that it can interfere with the traffic. So use cases would be: what if we do a proof of concepts? or in critical environments just want to let’s say we can analyze some traffic without any risk to the traffic and to the infrastructure itself. If you then want to add another interface for instance if you want to monitor traffic from the proxy as well, then we have two ways: Either we define another port mirror to send it to another tap interface, we can have multiple interfaces here as well, OR very simply you can just add this to the existing port mirror, meaning on a Port Mirror you can have multiple source interfaces, where you basically say all the traffic from this interface and from this interface, just send it out of this interface, and then it would reach the firewall as well.
Additional Related Resources:
Buying a Proxy Server, a simple Guide – http://isgmlug.org/2019/04/02/do-i-really-need-to-buy-a-proxy-server/
Rotating Proxies, Essential Information – https://residentialip.net/what-are-rotating-proxies-and-how-can-they-make-me-rich/