Next-Generation Firewall
Configure a VLAN
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
Cloud Management of NGFWs
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- Cloud Management of NGFWs
-
-
-
- Configure a Filter Access List
- Configure a Filter Prefix List
- Configure a Filter Community List
- Configure a BGP Filter Route Map
- Configure a Filter Route Maps Redistribution List
- Configure a Filter AS Path Access List
- Configure an Address Family Profile
- Configure a BGP Authentication Profile
- Configure a BGP Redistribution Profile
- Configure a BGP Filtering Profile
- Configure an OSPF Authentication Profile
- Configure a Logical Router
- Configure a Static Route
- Configure OSPF
- Configure BGP
- Configure an IPSec Tunnel
- Web Proxy
- Cheat Sheet: GlobalProtect for Cloud Management of NGFWs
-
PAN-OS 11.1 & Later
- PAN-OS 11.1 & Later
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure a PPPoE Client on a Subinterface
- Configure an IPv6 PPPoE Client
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- Dynamic IPv6 Addressing on the Management Interface
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure the Management Interface for Dynamic IPv6 Address Assignment
- Configure an Interface as a DHCP Relay Agent
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Create a Source NAT Rule with Persistent DIPP
- PAN-OS
- Strata Cloud Manager
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
-
-
PAN-OS 11.2
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
- Cloud Management and AIOps for NGFW
Configure a VLAN
Configure a Layer 2 interfaces with a VLAN for switching and traffic
separation.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
One of these:
|
When your organization wants to divide a LAN into separate virtual LANs
(VLANs) to keep traffic and policy rules for different departments separate, you can
logically group Layer 2 hosts into VLANs and thus divide a Layer 2 network segment
into broadcast domains. For example, you can create VLANs for the Finance and
Engineering departments.
The firewall acts as a switch to forward a frame with an
Ethernet header containing a VLAN ID, and the destination interface must have a
subinterface with that VLAN ID in order to receive that frame and forward it to the
host. You configure a Layer 2 interface on the firewall and configure one or more
logical subinterfaces for the interface, each with a VLAN tag (ID).- Log in to Strata Cloud Manager.
- (Best Practices) Configure a Zone Protection Profile to Increase Network Security.
- Configure a Layer 2 Interface.VLANs support Layer 2 interfaces only.
- Configure a Subinterface for the Layer 2 interface.Be sure to set the VLAN Tag for the subinterface.
- Select ManageConfigurationNGFW and Prisma AccessDevice SettingsInterfacesVLAN and select the Configuration Scope where you want to create the VLAN.Select a firewall from your Folders or select Snippets to configure the VLAN in a snippet.If you select a folder or select a snippet, you create a VLAN variable that must be assigned at the device level.
- Enter the Interface Name.By default, all VLANs are prefixed with vlan.
- (Optional) Enter a Description.
- (Folders and Snippets only; Optional) Assign the VLAN to a Logical Router.See Configure a Logical Router for more information.Selecting a global router will prompt a message asking if you want to override and remove the inherited objects. Click Yes to confirm.
- (Folders and Snippets only; Optional) Assign the interface to a Zone.Create New to create a new zone. See Zone Protection and DoS Protection for more information.Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
- Add the Layer 2 Ethernet Interfaces you created in the previous step.
- Configure the VLAN IP settings.
- Select the VLAN IP Type.
- Static IPv4 Address.Add the IPv4 IP addresses for the interfaces in the VLAN.
- Activate the DHCP Client on the VLAN.See Configure an Interface as a DHCP Client for more information on configuring the VLAN as a DHCP client.
- Save.
- Push Config to push your configuration changes.