{"id":1241,"date":"2026-01-23T16:59:09","date_gmt":"2026-01-23T21:59:09","guid":{"rendered":"https:\/\/pressbooks.bccampus.ca\/paloalto\/?post_type=chapter&p=1241"},"modified":"2026-02-19T15:36:04","modified_gmt":"2026-02-19T20:36:04","slug":"2-4-tap-interface-and-capture-traffic","status":"publish","type":"chapter","link":"https:\/\/pressbooks.bccampus.ca\/paloalto\/chapter\/2-4-tap-interface-and-capture-traffic\/","title":{"raw":"2.4 Tap Interface and Captured Traffic","rendered":"2.4 Tap Interface and Captured Traffic"},"content":{"raw":"
\r\n

Learning Objectives<\/p>\r\n\r\n<\/header>\r\n

\r\n
    \r\n \t
  • Identify Tap Interface<\/li>\r\n \t
  • Configure Tap Interface<\/li>\r\n \t
  • Capture the Traffic under TAP interface<\/li>\r\n<\/ul>\r\n<\/div>\r\n<\/div>\r\n\r\n[caption id=\"attachment_1242\" align=\"aligncenter\" width=\"822\"]\"\" Figure 2.55: Main scenario[\/caption]\r\n\r\n
    \r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n
    Table 2.12: Devices IP address<\/caption>\r\n
    Device<\/strong><\/td>\r\nConfiguration<\/strong><\/td>\r\n<\/tr>\r\n
    Palo Alto<\/td>\r\nEthernet 1\/1: TAP\r\n\r\nManagement: 192.168.1.1\/24<\/td>\r\n<\/tr>\r\n
    MGM<\/td>\r\n192.168.1.1\/24<\/td>\r\n<\/tr>\r\n
    Kali-1<\/td>\r\n192.168.10.1\/24, GW: 192.168.10.3<\/td>\r\n<\/tr>\r\n
    Kali-2<\/td>\r\n192.168.10.2\/24, GW: 192.168.10.3<\/td>\r\n<\/tr>\r\n
    Switch<\/td>\r\nGi 1\/1 and Gi 1\/2 source monitor\r\n\r\nGi1\/3 destination monitor<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n

    Zones<\/h2>\r\n
    \r\n\r\n\r\n\r\n
    Table 2.13: Zones<\/caption>\r\n
    Parameters<\/strong><\/td>\r\nValue<\/strong><\/td>\r\n<\/tr>\r\n
    TAP<\/td>\r\nEthernet 1 \/1<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<\/div>\r\n \r\n

    What is the TAP interface?<\/h2>\r\nA network tap is a mechanism that allows visibility into data traversing a computer network. In a tap mode deployment, traffic is passively observed using a switch SPAN or mirror port, which copies network traffic without impacting normal data flow. By configuring a dedicated firewall interface in tap mode and connecting it to a switch SPAN port, the firewall receives a mirrored copy of the traffic for analysis. This approach enables application-level visibility across the network while keeping the firewall out of the direct traffic path.\r\n\r\nDeploying a firewall in tap mode allows organizations to gain insight into the applications and potential threats present on the network without modifying the existing network architecture. While the firewall can detect and identify security threats in this mode, it cannot enforce security actions\u2014such as blocking malicious traffic or applying QoS policies\u2014because the traffic does not pass directly through the firewall.\r\n

    Cisco Switch Configuration<\/h2>\r\n<\/div>\r\n
    \r\n
    (conf t) # int vlan 1\r\n         #ip address 192.168.10.3 255.255.255.0\r\n(conf t) #monitor session 1 source interface gi1\/1\r\n(conf t) #monitor session 1 source interface gi 1\/2\r\n(conf t) #monitor session 1 destination interface gi1\/3<\/pre>\r\n<\/div>\r\nGo to Monitor > Packet Capture > Configure Capturing<\/strong>. Enable this item and Add Stage Packet Capture\r\n\r\n[caption id=\"attachment_1246\" align=\"aligncenter\" width=\"1014\"]\"\" Figure 2.56: Packet Capture Stage[\/caption]\r\n\r\n[caption id=\"attachment_1244\" align=\"aligncenter\" width=\"1012\"]\"\" Figure 2.57: Captured Files[\/caption]\r\n\r\nAll Palo Alto Networks firewalls have a built-in packet capture (pcap) feature you can use to capture packets that traverse the network interfaces on the firewall. You can then use the captured data for troubleshooting purposes or to create custom application signatures.\r\n\r\nNow, ping from Kali1 to Kali2 again and check the file created in the previous step. Click on the traffic to download in Kali and you are able to open it in Wireshark. Open the file in the Wireshark and verify you have received ICMP Packets.\r\n\r\n[caption id=\"attachment_1248\" align=\"aligncenter\" width=\"752\"]\"\" Figure 2.58: Wireshark ICMP Packets[\/caption]\r\n\r\n \r\n\r\nSSH from Kali1 to Kali 2. Capture the traffic and verify you have received SSH Packets in the Wireshark.\r\n\r\n[caption id=\"attachment_1256\" align=\"aligncenter\" width=\"754\"]\"\" Figure 2.59: Wireshark SSHv2 packets[\/caption]","rendered":"
    \n
    \n
    Learning Objectives<\/p>\n<\/header>\n
    \n
      \n
    • Identify Tap Interface<\/li>\n
    • Configure Tap Interface<\/li>\n
    • Capture the Traffic under TAP interface<\/li>\n<\/ul>\n<\/div>\n<\/div>\n
      \"\"
      Figure 2.55: Main scenario<\/figcaption><\/figure>\n
      \n\n\n\n\n\n\n\n\n
      Table 2.12: Devices IP address<\/caption>\n
      Device<\/strong><\/td>\nConfiguration<\/strong><\/td>\n<\/tr>\n
      Palo Alto<\/td>\nEthernet 1\/1: TAP<\/p>\n
      Management: 192.168.1.1\/24<\/td>\n<\/tr>\n
      MGM<\/td>\n192.168.1.1\/24<\/td>\n<\/tr>\n
      Kali-1<\/td>\n192.168.10.1\/24, GW: 192.168.10.3<\/td>\n<\/tr>\n
      Kali-2<\/td>\n192.168.10.2\/24, GW: 192.168.10.3<\/td>\n<\/tr>\n
      Switch<\/td>\nGi 1\/1 and Gi 1\/2 source monitor<\/p>\n
      Gi1\/3 destination monitor<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
      Zones<\/h2>\n
      \n\n\n\n\n
      Table 2.13: Zones<\/caption>\n
      Parameters<\/strong><\/td>\nValue<\/strong><\/td>\n<\/tr>\n
      TAP<\/td>\nEthernet 1 \/1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
       <\/p>\n
      What is the TAP interface?<\/h2>\n
      A network tap is a mechanism that allows visibility into data traversing a computer network. In a tap mode deployment, traffic is passively observed using a switch SPAN or mirror port, which copies network traffic without impacting normal data flow. By configuring a dedicated firewall interface in tap mode and connecting it to a switch SPAN port, the firewall receives a mirrored copy of the traffic for analysis. This approach enables application-level visibility across the network while keeping the firewall out of the direct traffic path.<\/p>\n
      Deploying a firewall in tap mode allows organizations to gain insight into the applications and potential threats present on the network without modifying the existing network architecture. While the firewall can detect and identify security threats in this mode, it cannot enforce security actions\u2014such as blocking malicious traffic or applying QoS policies\u2014because the traffic does not pass directly through the firewall.<\/p>\n
      Cisco Switch Configuration<\/h2>\n<\/div>\n
      \n
      (conf t) # int vlan 1\r\n         #ip address 192.168.10.3 255.255.255.0\r\n(conf t) #monitor session 1 source interface gi1\/1\r\n(conf t) #monitor session 1 source interface gi 1\/2\r\n(conf t) #monitor session 1 destination interface gi1\/3<\/pre>\n<\/div>\n
      Go to Monitor > Packet Capture > Configure Capturing<\/strong>. Enable this item and Add Stage Packet Capture<\/p>\n
      \"\"
      Figure 2.56: Packet Capture Stage<\/figcaption><\/figure>\n
      \"\"
      Figure 2.57: Captured Files<\/figcaption><\/figure>\n
      All Palo Alto Networks firewalls have a built-in packet capture (pcap) feature you can use to capture packets that traverse the network interfaces on the firewall. You can then use the captured data for troubleshooting purposes or to create custom application signatures.<\/p>\n
      Now, ping from Kali1 to Kali2 again and check the file created in the previous step. Click on the traffic to download in Kali and you are able to open it in Wireshark. Open the file in the Wireshark and verify you have received ICMP Packets.<\/p>\n
      \"\"
      Figure 2.58: Wireshark ICMP Packets<\/figcaption><\/figure>\n
       <\/p>\n
      SSH from Kali1 to Kali 2. Capture the traffic and verify you have received SSH Packets in the Wireshark.<\/p>\n
      \"\"
      Figure 2.59: Wireshark SSHv2 packets<\/figcaption><\/figure>\n","protected":false},"author":1562,"menu_order":4,"template":"","meta":{"pb_show_title":"on","pb_short_title":"","pb_subtitle":"","pb_authors":[],"pb_section_license":""},"chapter-type":[],"contributor":[],"license":[],"class_list":["post-1241","chapter","type-chapter","status-publish","hentry"],"part":115,"_links":{"self":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters"}],"about":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/types\/chapter"}],"author":[{"embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/users\/1562"}],"version-history":[{"count":18,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1241\/revisions"}],"predecessor-version":[{"id":1347,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1241\/revisions\/1347"}],"part":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/parts\/115"}],"metadata":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapters\/1241\/metadata\/"}],"wp:attachment":[{"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/media?parent=1241"}],"wp:term":[{"taxonomy":"chapter-type","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/pressbooks\/v2\/chapter-type?post=1241"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/contributor?post=1241"},{"taxonomy":"license","embeddable":true,"href":"https:\/\/pressbooks.bccampus.ca\/paloalto\/wp-json\/wp\/v2\/license?post=1241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}