>
    Common Building Blocks for Firewall Interfaces
    Focus
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Network
    4. Network > Interfaces
    5. Common Building Blocks for Firewall Interfaces
    Next-Generation Firewall

    Common Building Blocks for Firewall Interfaces

    Table of Contents

    Common Building Blocks for Firewall Interfaces

    Select NetworkInterfaces to display and configure the components that are common to most interface types.
    For a description of components that are unique or different when you configure interfaces on a PA-7000 Series firewall, or when you use Panorama™ to configure interfaces on any firewall, see Common Building Blocks for PA-7000 Series Firewall Interfaces.
    Firewall Interface Building Blocks
    Description
    Interface (Interface Name)
    The interface name is predefined and you cannot change it. However, you can append a numeric suffix for subinterfaces, aggregate interfaces, VLAN interfaces, loopback interfaces, tunnel interfaces, and SD-WAN interfaces.
    Interface Type
    For Ethernet interfaces (NetworkInterfacesEthernet), you can select the interface type:
    • Tap
    • HA
    • Decrypt Mirror (Supported on all firewalls except on the VM-Series NSX, Citrix SDX, AWS, and Azure.)
    • Virtual Wire
    • Layer 2
    • Layer 3
    • Log Card (PA-7000 Series firewall only)
    • Aggregate Ethernet
    Management Profile
    Select a Management Profile (NetworkInterfaces<if-configAdvancedOther Info) that defines the protocols (such as SSH, Telnet, and HTTP) you can use to manage the firewall over this interface.
    Link State
    For Ethernet interfaces, Link State indicates whether the interface is currently accessible and can receive traffic over the network:
    • Green—Configured and up
    • Red—Configured but down or disabled
    • Gray—Not configured
    Hover over the link state to display a tool tip that indicates the link speed and duplex settings for that interface.
    IP Address
    (Optional) Configure the IPv4 or IPv6 address of the Ethernet, VLAN, loopback, or tunnel interface. For an IPv4 address, you can also select the addressing mode (Type) for the interface: Static, DHCP Client, or PPPoE.
    Virtual Router
    Assign a virtual router to the interface or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
    Tag (Subinterface only)
    Enter the VLAN tag (1-4,094) for the subinterface.
    VLAN
    Select NetworkInterfacesVLAN and modify an existing VLAN or Add a new one (see Network > VLANs). Select None to remove the current VLAN assignment from the interface. To enable switching between Layer 2 interfaces, or to enable routing through a VLAN interface, you must configure a VLAN object.
    Virtual System
    If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
    Security Zone
    Select a Security Zone (NetworkInterfaces<if-configConfig) for the interface, or select Zone to define a new one. Select None to remove the current zone assignment from the interface.
    Features
    For Ethernet interfaces, this column indicates whether the following features are enabled:
    DHCP Client
    DNS Proxy
    GlobalProtect™ gateway enabled
    Link Aggregation Control Protocol (LACP)
    Link Layer Discovery Protocol (LLDP)
    NDP Monitor
    NetFlow profile
    Quality of Service (QoS) profile
    SD-WAN
    Comment
    A description of the interface function or purpose.

    © 2025 Palo Alto Networks, Inc. All rights reserved.