>
    Strata Copilot
    Configure a Layer 2 Interface
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Configure Interfaces
    4. Layer 2 Interfaces
    5. Configure a Layer 2 Interface
    Download PDF
    Next-Generation Firewall

    Configure a Layer 2 Interface

    Table of Contents

    Configure a Layer 2 Interface

    Configure a Layer2 interface for switching; this task is for when you aren't using VLANs.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of these licenses when using Strata Cloud Manager:
    • Strata Cloud Manager Essentials
    • Strata Cloud Manager Pro
    Configure a Layer 2 interface on the firewall so it can act as a switch in your layer 2 network (not at the edge of the network). The Layer 2 hosts are probably geographically close to each other and belong to a single broadcast domain. The firewall provides security between the Layer 2 hosts when you assign the interfaces to security zones and apply security rules to the zones.
    The hosts communicate with the firewall and each other at Layer 2 of the OSI model by exchanging frames. A frame contains an Ethernet header that includes a source and destination Media Access Control (MAC) address, which is a physical hardware address. MAC addresses are 48-bit hexadecimal numbers formatted as six octets separated by a colon or hyphen (for example, 00-85-7E-46-F1-B2).
    The following figure has a firewall with three Layer 2 interfaces that each connect to a Layer 2 host in a one-to-one mapping.
    The firewall begins with an empty MAC table. When the host with source address 0A-76-F2-60-EA-83 sends a frame to the firewall, the firewall doesn’t have destination address 0B-68-2D-05-12-76 in its MAC table, so it doesn’t know which interface to forward the frame to; it broadcasts the frame to all of its Layer 2 interfaces. The firewall puts source address 0A-76-F2-60-EA-83 and associated Eth1/1 into its MAC table.
    The host at 0C-71-D4-E6-13-44 receives the broadcast, but the destination MAC address is not its own MAC address, so it drops the frame.
    The receiving interface Ethernet 1/2 forwards the frame to its host. When host 0B-68-2D-05-12-76 responds, it uses the destination address 0A-76-F2-60-EA-83, and the firewall adds to its MAC table Ethernet 1/2 as the interface to reach 0B-68-2D-05-12-76.
    Configure a Layer 2 interface with no VLANs when you want Layer 2 switching and you don’t need to separate traffic among VLANs.

    Configure a Layer 2 Interface (PAN-OS)

    Procedure for configuring a Layer 2 interface in PAN-OS and Panorama.
    1. Configure a Layer 2 interface.
      1. Select NetworkInterfacesEthernet and select an interface. The Interface Name is fixed, such as ethernet1/1.
      2. For Interface Type, select Layer2.
      3. Select the Config tab and assign the interface to a Security Zone or create a New Zone.
      4. Configure additional Layer 2 interfaces on the firewall that connect to other Layer 2 hosts.
    2. Commit.
      Click OK and Commit.

    Configure a Layer 2 Interface (SCM)

    Procedure for creating a Layer 2 interface in Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsInterfacesEthernetConfigurationNGFW and Prisma AccessDevice SettingsInterfacesEthernet and select the Configuration Scope where you want to create the Layer 2 interface.
      Select a firewall from your Folders or select Snippets to configure the Layer 2 interface in a snippet.
      If you select a folder or select a snippet, you create a Layer 2 interface variable that must be assigned at the device level.
    3. Add the interface.
      If you’re configuring a Layer 2 interface for a specific firewall, select the interface you want to configure instead.
      • Folders and SnippetsAdd Interface and select Interface.
      • FirewallsAdd and Add Interface.
    4. Configure the interface.
      If you’re configuring an interface in the folder or snippet scope, the interface configuration is pushed only to firewalls that have the corresponding interface slot available. For example, if you configure Ethernet 1/5 in the folder scope and the firewall associated with the folder has only four interface slots, then the configuration isn’t pushed to the firewall.
      1. Select the interface Slot.
      2. Select the Interface Name.
        When you configure an interface for a specific firewall, the Interface Name is fixed, such as ethernet1/1 if you select Slot 1. The fixed interface names are dependent on the slot that you selected in the previous step.
      3. (Folders and Snippets only) Select the Default Interface Assignment.
      4. (Optional) Enter a Description.
      5. For Interface Type, select Layer2.
      6. (Folders and Snippets only, Optional) Assign Interface to VLAN Tag to add the interface to a VLAN.
      7. (Folders and Snippets only; Recommended) Assign the interface to a Zone.
        Create New to create a new zone. See Zone Protection and DoS Protection for more information.
        Selecting an inherited zone overrides the previous settings and removes any inherited objects. Any changes made to the global folder are no longer inherited in a top-down manner. A message appears, indicating that the interface settings will be overridden and the inherited objects from the parent folder will be removed on all firewalls. When you save your changes, a confirmation message appears. If you confirm, the zone is overridden.
    5. (Optional) Configure the interface link settings.
      1. Select the interface Link Speed.
        Auto is selected by default and allows the firewall to determine the speed.
      2. Select the interface Link Duplex transmission mode.
        Auto is selected by default to allow the firewall to negotiate the transmission mode automatically.
      3. Select the interface Link State.
        Auto detect is selected by default to allow the firewall to determine the link state.
    6. Save.
    7. Create a Security policy rule to allow the traffic through the tap interface.
      When creating a Security policy rule for a tap interface, both the source zone and destination zone must be the same.
      1. Select ManageConfigurationSecurity ServicesSecurity PolicyConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy and Add Rule.
      2. For the Source, Add Zones and select the zone you created in the previous step.
      3. For the Destination, Add Zones and select the zone you created in the previous step.
      4. Set all of the Security policy rule match criteria (Applications, User, Service, Address) to any.
      5. For the Action and Advanced Inspection, set the Action to Allow.
      6. Expand the Advanced Settings and for the Log Settings, set Log at Session End.
      7. Save.
    8. Push Config to push your configuration changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.