Palo Alto Firewall Configuration Options. Tap Mode, Virtual Wire, Layer 2 & Layer 3 Deployment modes
Our previous article explained how Palo Alto Firewalls make use of Security Zones to process and enforce security policies. This article will explain the different configuration options for physical Ethernet and logical interfaces available on the Palo Alto Firewall.
It’s easy to mix and match the interface types and deployment options in real world deployments and this seems to be the strongest selling point of Palo Alto Networks Next-Generation Firewalls. Network segmentation becomes easier due to the flexibility offered by a single pair of Palo Alto appliances.
Below is a list of the configuration options available for Ethernet (physical) interfaces:
- Tap Mode
- Virtual Wire
- Layer 2
- Layer 3
- Aggregate Interfaces
Following are the Logical interface options available:
- Decrypt Mirror
The various interface types offered by Palo Alto Networks Next-Generation Firewalls provide flexible deployment options.
Tap Mode Deployment Option
TAP Mode deployment allows passive monitoring of the traffic flow across a network by using the SPAN feature (also known as mirroring).
A typical deployment would involve the configuration of SPAN on Cisco Catalyst switches where the destination SPAN port is the switch port to which our Palo Alto Firewall connects, as shown in the diagram below:
Figure 1. Palo Alto Next Generation Firewall deployed in TAP mode
The advantage of this deployment model is that it allows organizations to closely monitor traffic to their servers or network without requiring any changes to the network infrastructure.
During the configuration of SPAN it is important to ensure the correct SPAN source and SPAN Destination ports are configured while also enabling Tap mode at the Firewall.