>
    Configure a VLAN
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Set Up Firewalls
    4. Routing and Interfaces
    5. Configure Interfaces
    6. Configure a VLAN
    Download PDF
    Next-Generation Firewall

    Configure a VLAN

    Table of Contents

    Configure a VLAN

    Configure a Layer 2 interfaces with a VLAN for switching and traffic separation.
    Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
    Where Can I Use This?What Do I Need?
    One of these:
    When your organization wants to divide a LAN into separate virtual LANs (VLANs) to keep traffic and policy rules for different departments separate, you can logically group Layer 2 hosts into VLANs and thus divide a Layer 2 network segment into broadcast domains. For example, you can create VLANs for the Finance and Engineering departments.
    The firewall acts as a switch to forward a frame with an Ethernet header containing a VLAN ID, and the destination interface must have a subinterface with that VLAN ID in order to receive that frame and forward it to the host. You configure a Layer 2 interface on the firewall and configure one or more logical subinterfaces for the interface, each with a VLAN tag (ID).
    1. Log in to Strata Cloud Manager.
    2. (Best Practices) Configure a Zone Protection Profile to Increase Network Security.
    3. Configure a Layer 2 Interface.
      VLANs support Layer 2 interfaces only.
    4. Configure a Subinterface for the Layer 2 interface.
      Be sure to set the VLAN Tag for the subinterface.
    5. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsInterfacesVLAN and select the Configuration Scope where you want to create the VLAN.
      Select a firewall from your Folders or select Snippets to configure the VLAN in a snippet.
      If you select a folder or select a snippet, you create a VLAN variable that must be assigned at the device level.
    6. Enter the Interface Name.
      By default, all VLANs are prefixed with vlan.
    7. (Optional) Enter a Description.
    8. (Folders and Snippets only; Optional) Assign the VLAN to a Logical Router.
      See Configure a Logical Router for more information.
      Selecting a global router will prompt a message asking if you want to override and remove the inherited objects. Click Yes to confirm.
    9. (Folders and Snippets only; Optional) Assign the interface to a Zone.
      Create New to create a new zone. See Zone Protection and DoS Protection for more information.
      Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
    10. Add the Layer 2 Ethernet Interfaces you created in the previous step.
    11. Configure the VLAN IP settings.
      1. Select the VLAN IP Type.
      • Static IPv4 Address.
        Add the IPv4 IP addresses for the interfaces in the VLAN.
      • Activate the DHCP Client on the VLAN.
        See Configure an Interface as a DHCP Client for more information on configuring the VLAN as a DHCP client.
    12. Save.
    13. Push Config to push your configuration changes.

    © 2024 Palo Alto Networks, Inc. All rights reserved.