>
    Strata Copilot
    Configure a Breakout Port Interface and Subinterface
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Configure Interfaces
    4. Configure a Breakout Port Interface and Subinterface
    Download PDF
    Next-Generation Firewall

    Configure a Breakout Port Interface and Subinterface

    Table of Contents

    Configure a Breakout Port Interface and Subinterface

    The procedure for configuring a breakout port interface or subinterface for supported NGFWs.
    Where Can I Use This?What Do I Need?
    • NGFW
    • One of these licenses for Strata Cloud Manager managed NGFWs:
      • Strata Cloud Manager Essentials
      • Strata Cloud Manager Pro
    • A Supported NGFW Model (See Below)
    Breakout ports on supported NGFWs enable you to split high-speed physical interfaces into multiple lower-speed logical interfaces to maximize ports on your NGFWs. When you configure breakout ports, you can divide a single 100 Gbps or 40 Gbps interface into multiple 25 Gbps or 10 Gbps connections respectively (typically up to four subinterfaces), allowing you to connect more devices without requiring additional physical ports. For example, configuring ethernet1/1 as breakout type allows you to create ethernet1/1/1, ethernet1/1/2, ethernet1/1/3, and ethernet1/1/4 interfaces.
    Supported NGFWs implement breakout functionality through software configuration that divides the physical interface lanes into separate logical interfaces, each operating independently with its own interface settings. This configuration proves particularly useful in data center environments where you need to connect several lower-bandwidth devices to your NGFW but have limited physical interface availability. The NGFW treats each breakout port as a separate logical interface that you can configure with distinct security policies, routing settings, and network zones.
    Before you can begin configuring breakout ports for your NGFWs, confirm that they meet the following requirements
    • Verify that your NGFW model supports breakout ports:
      • PAN-OS Support Only
        • PA-3430
        • PA-3440
        • PA-5410
        • PA-5420
        • PA-5430
        • PA-5445
        • PA-5450
        • PA-5540
        • PA-5550
        • PA-7050
        • PA-7080
      • PAN-OS & Strata Cloud Manager Support
        • PA-7500
    • Ensure you have the appropriate network processing cards installed
    For more information on the ports that have breakout support for the above list of NGFWs, as well as the breakout speeds supported, click here.

    Configure Breakout Port Interfaces (SCM)

    The procedure for configuring breakout port interfaces and subinterfaces.
    You can configure ethernet ports as breakout type interfaces at the device scope, which enables you to create individual broken-out ports that function as standard ethernet interfaces. The broken-out ports support all existing interface types including Layer 2, Layer 3, Virtual Wire, and Tap configurations, and you can create sub-interfaces from these ports as needed.

    Configure a Breakout Port Interface in Strata Cloud Manager

    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationNGFW and Prisma AccessDeviceInterfacesEthernet and set the Configuration Scope to the Folder or supported device where you want to create the breakout port interface.
    3. Click Add Interface to create a new breakout interface.
    4. Configure the Interface.
      1. Enter or Select the Interface Name.
        When you configure an interface for a specific firewall, the Interface Name is fixed, such as ethernet1/1.
      2. Select the Default Interface Assignment.
        Ports 1, 2, 3, 4, 11, 12, 13, and 14 support breakout configuration.
      3. (Optional) Enter a Comment to add more details to the interface for other administrators..
      4. For Interface Type, select Breakout.
      5. Assign a Zone or Create New to create a new zone.
        Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
    5. Save.
    6. Push Config.

    Configure a Breakout Port Subinterface in Strata Cloud Manager

    1. Add Interface for the child interface.
    2. Configure the Interface.
      1. Enter or Select the Interface Name.
      2. Select the Default Interface Assignment.
        Select the Default Interface Assignment you wish to configure. It will appear with the breakout naming convention, such as ethernet1/1/1 or ethernet1/1/2 for the children of ethernet1/1.
      3. (Optional) Enter a Comment to add more details to the interface for other administrators..
      4. Select the interface type Interface Type. For the child interface, it does not have to be set to Breakout.
      5. Select the Logical Routers to assign the interface to.
      6. Assign a Zone or Create New to create a new zone.
        Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
      7. Configure the IP address.
    3. Save.
    4. Repeat Steps 1-3 as needed for the other child interfaces.
    5. Push Config.

    © 2025 Palo Alto Networks, Inc. All rights reserved.