Panorama > Setup > Interfaces
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Panorama > Setup > Interfaces
- Panorama > Setup > Interfaces
Select PanoramaSetupInterfaces to configure the
interfaces that Panorama uses to manage firewalls and Log Collectors,
deploy software and content updates to firewalls and Log Collectors,
collect logs from firewalls, and communicate with Collector Groups.
By default, Panorama uses the management (MGT) interface for all
communication with firewalls and Log Collectors.
To reduce traffic on the MGT interface,
configure other interfaces to deploy updates, collect logs, and
communicate with Collector Groups. In an environment with heavy
log traffic, you can configure several interfaces for log collection. Additionally,
to improve the security of management traffic, you can define a
separate subnet (IPv4 Netmask or IPv6 Prefix
Length) for the MGT interface that is more private than
the subnets for the other interfaces.
Interface
|
Maximum Speed
|
M-700 Appliance
|
M-600 Appliance
|
M-500 Appliance
|
M-300 Appliance
|
M-200 Appliance
|
Panorama Virtual Appliance
|
---|---|---|---|---|---|---|---|
Management (MGT)
|
1Gbps
|
|
|
|
|
|
|
Ethernet1 (Eth1)
|
1Gbps
|
|
|
|
|
|
|
Ethernet2 (Eth2)
|
1Gbps
|
—
|
|
|
—
|
|
|
Ethernet3 (Eth3)
|
1Gbps
|
—
|
|
|
—
|
|
|
Ethernet4 (Eth4)
|
10Gbps
|
—
|
|
|
—
|
—
|
|
Ethernet5 (Eth5)
|
10Gbps
|
—
|
|
|
—
|
—
|
|
Review the logging rates for the all M-Series appliance models. To achieve the logging
rates listed below, the M-Series appliance must be a single log collector in a collector
group and you must install all the logging disks for your M-Series model. For example,
to achieve 30,000 logs/second for the M-500 appliance, you must install all 12 logging
disks with either 1TB or 2TB disks.
Model Capacities and Features
|
M-700 Appliance
|
M-600 Appliance
|
M-500 Appliance
|
M-300 Appliance
|
M-200 Appliance
|
---|---|---|---|---|---|
Maximum Logging Rate for Panorama in Management Only mode
|
Local log storage is not supported
| ||||
Maximum Logging Rate for Panorama in Panorama Mode
|
36,500 logs/second
|
25,000 logs/second
|
20,000 logs/second
|
16,500 logs/second
|
10,000 logs/second
|
Maximum Logging Rate for Panorama in Log Collector Mode
|
73,000 logs/second
|
50,000 logs/second
|
30,000 logs/second
|
33,000 logs/second
|
28,000 logs/second
|
Maximum Log Storage on Appliance
|
48TB (12x8TB RAID disk)
|
48TB (12x8TB RAID disk)
|
|
16TB (4x8TB RAID disk)
|
16TB (4x8TB RAID disk)
|
Default Log Storage on Appliance
|
16TB (4x8TB RAID disks)
|
16TB (4x8TB RAID disks)
|
4TB (4x2TB RAID disks)
|
16TB (4x8TB RAID disks)
|
16TB (4x8TB RAID disks)
|
SSD Storage on Appliance (for logs that M-Series appliances
generate)
|
240GB
|
240GB
|
240GB
|
240GB
|
240GB
|
NFS Attached Log Storage
|
Not available
|
To configure an interface, click the Interface Name and configure
the settings described in the following table.
Always specify the IP address, the netmask
(for IPv4) or prefix length (for IPv6), and the default gateway
for the MGT interface. If you omit values for some settings (such
as the default gateway), you can access Panorama only through the
console port for future configuration changes. You cannot commit
the configurations for other interfaces unless you specify all three
settings. This requirement does not apply to a Panorama virtual
appliance on supported cloud hypervisors because
only DHCP is support for interfaces.
Interface Settings | Description |
---|---|
Eth1 / Eth2 / Eth3 / Eth4 / Eth5 | You must enable an interface to configure
it. The exception is the MGT interface, which is enabled by default. |
Public IP Address
|
If your firewalls connect to Panorama using a public IP address that
is translated to a private IP address (NAT), enter the public IP
address to the interface.
|
IP Address (IPv4) | If your network uses IPv4 addresses, assign
an IPv4 address to the interface. |
Netmask (IPv4) | If you assigned an IPv4 address to the interface,
you must also enter a network mask (such as 255.255.255.0). |
Default Gateway (IPv4) | If you assigned an IPv4 address to the interface,
you must also assign an IPv4 address to the default gateway (the
gateway must be on the same subnet as the interface). |
IPv6 Address/Prefix Length | If your network uses IPv6 addresses, assign
an IPv6 address to the interface. To indicate the netmask, enter
an IPv6 prefix length (such as 2001:400:f00::1/64). An
IPv6 address is supported for the MGT interface on all M-Series appliances
and Panorama virtual appliances deployed in a private cloud environment
(ESXi, vCloud Air, KVM, or Hyper-V). An IPv6 address is not supported
for the MGT interface on a Panorama virtual appliance deployed in
a public cloud environment (Amazon Web Services (AWS), AWS GovCloud,
Microsoft Azure, or Google Cloud Platform). |
Default IPv6 Gateway | If you assigned an IPv6 address to the interface,
you must also assign an IPv6 address to the default gateway (the
gateway must be on the same subnet as the interface). An
IPv6 address is supported for the MGT interface on all M-Series appliances
and Panorama virtual appliances deployed in a private cloud environment
(ESXi, vCloud Air, KVM, or Hyper-V). An IPv6 address is not supported
for the MGT interface on a Panorama virtual appliance deployed in
a public cloud environment (Amazon Web Services (AWS), AWS GovCloud,
Microsoft Azure, or Google Cloud Platform). |
Speed | Set the speed for the interface to 10Mbps,
100Mbps, 1Gbps, or 10Gbps (Eth4 and Eth5 only) at full or half duplex.
Use the default auto-negotiate setting to have Panorama determine
the interface speed. This setting must
match the interface settings on neighboring network equipment. To
ensure matching settings, select auto-negotiate if the neighboring
equipment supports that option. |
MTU | Enter the maximum transmission unit (MTU)
in bytes for packets sent on this interface (range is 576 to 1,500;
default is 1,500). |
Device Management and Device Log Collection | Enable the interface (enabled by default
on the MGT interface) for managing firewalls and Log Collectors
and collecting their logs. You can enable multiple interfaces to
perform these functions. |
Collector Group Communication | Enable the interface for Collector Group
communication (the default is the MGT interface). Only one interface
can perform this function. |
Syslog Forwarding | Enable the interface for forwarding syslogs
(the default is the MGT interface). Only one interface can perform
this function. |
Device Deployment | Enable the interface for deploying software
and content updates to firewalls and Log Collectors (the default
is the MGT interface). Only one interface can perform this function. |
Administrative Management Services |
|
Network Connectivity Services | The Ping service
is available on any interface. You can use ping to test connectivity
between the Panorama interface and external services. In a high
availability (HA) deployment, HA peers use ping to exchange heartbeat
backup information. The following services are available only
on the MGT interface:
|
Permitted IP Addresses | Enter the IP addresses from which administrators
can access Panorama on this interface. An empty list (default) specifies
that access is available from any IP address. Do
not leave this list blank; specify the IP addresses of Panorama
administrators (only) to prevent unauthorized access. |