Enable Inspection of Tagged VLAN Traffic


Enable Inspection of Tagged VLAN Traffic

Table of Contents

Enable Inspection of Tagged VLAN Traffic

Where Can I Use This?
What Do I Need?
  • CN-Series Firewall
  • CN-Series 10.1.x or above Container Images
  • Panorama
    running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client
    for CN-Series deployment with Helm
Complete the following procedure to enable the CN-Series firewall to inspect tagged VLAN traffic. To inspect VLAN tagged traffic, you must update the configuration of all virtual wires on Panorama to allow all VLAN tags. Then you must annotate your application pod YAML file to assign VLAN tags to the app pod interfaces. This annotation tells the CN-NGFW which tags are applied to packets that are sent through the firewall.
Double VLAN tagging is not supported.
  1. Enable all VLANs on all interfaces of CN-NGFW.
    1. Log in to Panorama.
    2. Select
      Virtual Wires
    3. Select the
      template from the
    4. Select the first virtual wire.
    5. Set
      Tag Allowed
      to 0-4094.
    6. Repeat this procedure for each virtual wire.
    7. Commit
      your changes.
  2. Append the application pod YAML file with the following annotations to apply a static VLAN ID per interface.
    Only one VLAN tag is supported per interface.
    paloaltonetworks.com/interfaces: '[ {"name" : "eth0"}, {"name" : "net1", "vlan" : <VLAN-ID> }{"name" : "net2", "vlan" : <VLAN-ID> }]’
    For example:
    annotations: k8s.v1.cni.cncf.io/networks: bridge-conf-1,bridge-conf-2,bridge-conf-0,pan-cni paloaltonetworks.com/firewall: pan-fw paloaltonetworks.com/interfaces: '[ {"name" : "eth0"}, {"name" : "net1", "vlan" : 101 }, {"name" : "net2", "vlan" : 102 }, {"name" : "net3", "vlan" : 103 } ]'

Recommended For You