1. Home
    2. PAN-OS
    3. PAN-OS 7.1 Web Interface Reference Guide
    4. Network
    5. Network > Interfaces
    Previous
    Next
    Firewall interfaces (ports) enable a firewall to connect with other network devices and with other interfaces within the firewall. The following topics describe the interface types and how to configure them.
    What do you want to know? See:
    What are firewall interfaces? Firewall Interfaces Overview
    I am new to firewall interfaces; what are the components of a firewall interface? Common Building Blocks for Firewall Interfaces
    Common Building Blocks for PA-7000 Series Firewall Interfaces
    I already understand firewall interfaces; how can I find information on configuring a specific interface type? Physical Interfaces (Ethernet) Layer 2 Interface Layer 2 Subinterface Layer 3 Interface Layer 3 Subinterface Virtual Wire Interface Virtual Wire Subinterface Tap Interface Log Card Interface Log Card Subinterface Decrypt Mirror Interface Aggregate Ethernet (AE) Interface Group Aggregate Ethernet (AE) Interface HA Interface Logical Interfaces Network > Interfaces > VLAN Network > Interfaces > Loopback Network > Interfaces > Tunnel
    Looking for more? Networking
    Firewall Interfaces Overview
    The interface configurations of firewall data ports enable traffic to enter and exit the firewall. A Palo Alto Networks firewall can operate in multiple deployments simultaneously because you can configure the interfaces to support different deployments. For example, you can configure the Ethernet interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode deployments . The interfaces that the firewall supports are:
    Physical Interfaces —The firewall supports two kinds of Ethernet—copper and fiber optic—that can send and receive traffic at different transmission rates. You can configure Ethernet interfaces as the following types—tap, high availability (HA), log card (interface and subinterface), decrypt mirror, virtual wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3 (interface and subinterface), and aggregate Ethernet. The available interface types and transmission speeds vary by hardware model. Logical Interfaces —These include virtual local area network (VLAN) interfaces, loopback interfaces, and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel interface.
    Common Building Blocks for Firewall Interfaces
    Select Network > Interfaces to display and configure the components that are common to most interface types.
    		 For a description of components that are unique or different when you configure interfaces on a PA-7000 Series firewall, or when you use Panorama™ to configure interfaces on any firewall, see Common Building Blocks for PA-7000 Series Firewall Interfaces.
    Firewall Interface Building Block Description
    Interface (Interface Name) The interface name is predefined and you cannot change it. However, you can append a numeric suffix for subinterfaces, aggregate interfaces, VLAN interfaces, loopback interfaces, and tunnel interfaces.
    Interface Type For Ethernet interfaces ( Network > Interfaces > Ethernet), you can select the interface type: Tap HA Decrypt Mirror (PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls only) Virtual Wire Layer 2 Layer 3 Log Card (PA-7000 Series firewall only) Aggregate Ethernet
    Management Profile Select a Management Profile ( Network > Interfaces > <if-config> Advanced > Other Info) that defines the protocols (such as SSH, Telnet, and HTTP) you can use to manage the firewall over this interface.
    Link State For Ethernet interfaces, Link State indicates whether the interface is currently accessible and can receive traffic over the network: Green—Configured and up Red—Configured but down or disabled Gray—Not configured Hover over the link state to display a tool tip that indicates the link speed and duplex settings for that interface.
    IP Address (Optional) Configure the IPv4 or IPv6 address of the Ethernet, VLAN, loopback, or tunnel interface. For an IPv4 address, you can also select the addressing mode ( Type) for the interface— Static, DHCP Client, or PPPoE.
    Virtual Router Assign a virtual router to the interface or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
    Tag ( Subinterface only ) Enter the VLAN tag (1-4,094) for the subinterface.
    VLAN Select Network > Interfaces > VLAN and modify an existing VLAN or Add a new one (see Network > VLANs). Select None to remove the current VLAN assignment from the interface. To enable switching between Layer 2 interfaces, or to enable routing through a VLAN interface, you must configure a VLAN object.
    Virtual System If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
    Security Zone Select a Security Zone ( Network > Interfaces > <if-config> > Config) for the interface, or select Zone to define a new one. Select None to remove the current zone assignment from the interface.
    Features For Ethernet interfaces, this column indicates whether the following features are enabled: —GlobalProtect gateway —Link Aggregation Control Protocol (LACP) —Quality of Service (QoS) profile —Link Layer Discovery Protocol (LLDP) —NetFlow profile —Dynamic Host Configuration Protocol (DHCP) client—The interface acts as a DHCP client and receives a dynamically assigned IP address.
    Comment A description of the interface function or purpose.
    Common Building Blocks for PA-7000 Series Firewall Interfaces
    The following table describes the components of the Network > Interfaces > Ethernet page that are unique or different when you configure interfaces on a PA-7000 Series firewall, or when you use Panorama to configure interfaces on any firewall. Click Add Interface to create a new interface or select an existing interface (ethernet1/1, for example) to edit it.
    		 On PA-7000 Series firewalls, if you configure log forwarding on the firewall, you must configure one data port as a Log Card Interface.
    PA-7000 Series Firewall Interface Building Block Description
    Slot Select the slot number (1-12) of the interface. Only PA-7000 Series firewalls have multiple slots. If you use Panorama to configure an interface for any other firewall platform, select Slot 1.
    Interface (Interface Name) Select the name of an interface that is associated with the selected Slot.
    Layer 2 Interface
    Network > Interfaces > Ethernet
    Select Network > Interfaces > Ethernet to configure a Layer 2 interface. click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
    Layer 2 Interface Setting Configured In Description
    Interface Name Ethernet Interface The interface name is predefined and you cannot change it.
    Comment Enter an optional description for the interface.
    Interface Type Select Layer2.
    Netflow Profile If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface. The PA-4000 Series and PA-7000 Series firewalls don’t support this feature.
    VLAN Ethernet Interface > Config To enable switching between Layer 2 interfaces or to enable routing through a VLAN interface, select an existing VLAN or click VLAN to define a new VLAN (see Network > VLANs). Select None to remove the current VLAN assignment from the interface.
    Virtual System If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.
    Security Zone Select a Security Zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
    Link Speed Ethernet Interface > Advanced Select the interface speed in Mbps ( 10, 100, or 1000) or select auto to have the firewall automatically determine the speed.
    Link Duplex Select whether the interface transmission mode is full-duplex ( full), half-duplex ( half), or negotiated automatically ( auto).
    Link State Select whether the interface status is enabled ( up), disabled ( down), or determined automatically ( auto).
    Enable LLDP Ethernet Interface > Advanced > LLDP Select this option to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.
    Profile If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
    Enable in HA Passive State If LLDP is enabled, select this option to allow an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.
    Layer 2 Subinterface
    Network > Interfaces > Ethernet
    For each Ethernet port configured as a physical Layer 2 interface, you can define an additional logical Layer 2 interface (subinterface) for each VLAN tag assigned to the traffic that the port receives. To enable switching between Layer 2 subinterfaces, assign the same VLAN object to the subinterfaces.
    To configure a Layer 2 Interface, select the row of that physical Interface, click Add Subinterface, and specify the following information.
    Layer 2 Subinterface Setting Description
    Interface Name The read-only Interface Name displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
    Comment Enter an optional description for the subinterface.
    Tag Enter the VLAN tag (1-4,094) for the subinterface.
    Netflow Profile If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface. The PA-4000 Series and PA-7000 Series firewalls don’t support this feature.
    VLAN To enable switching between Layer 2 interfaces or to enable routing through a VLAN interface, select a VLAN, or click VLAN to define a new VLAN (see Network > VLANs). Select None to remove the current VLAN assignment from the subinterface.
    Virtual System If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
    Security Zone Select a security zone for the subinterface or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
    Layer 3 Interface
    Network > Interfaces > Ethernet
    To configure a Layer 3 interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
    Layer 3 Interface Setting Configured In Description
    Interface Name Ethernet Interface The interface name is predefined and you cannot change it.
    Comment Enter an optional description for the interface.
    Interface Type Select Layer3.
    Netflow Profile If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface. The PA-4000 Series and PA-7000 Series firewalls don’t support this feature.
    Virtual Router Ethernet Interface > Config Select a virtual router, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
    Virtual System If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys.
    Security Zone Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
    Link Speed Ethernet Interface > Advanced Select the interface speed in Mbps ( 10, 100, or 1000) or select auto.
    Link Duplex Select whether the interface transmission mode is full-duplex ( full), half-duplex ( half), or negotiated automatically ( auto).
    Link State Select whether the interface status is enabled ( up), disabled ( down), or determined automatically ( auto).
    Management Profile Ethernet Interface > Advanced > Other Info Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.
    MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
    Adjust TCP MSS Select this option to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol: IPv4 MSS Adjustment Size —Range is 40-300; default is 40. IPv6 MSS Adjustment Size —Range is 60-300; default is 60. Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment. Encapsulation adds length to headers so it is helpful to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
    Untagged Subinterface Specifies that all subinterfaces belonging to this Layer 3 interface are untagged. PAN-OS® selects an untagged subinterface as the ingress interface based on the packet destination. If the destination is the IP address of an untagged subinterface, it maps to the subinterface. This also means that packets in the reverse direction must have their source address translated to the IP address of the untagged subinterface. A byproduct of this classification mechanism is that all multicast and broadcast packets are assigned to the base interface, not any subinterfaces. Because Open Shortest Path First (OSPF) uses multicast, the firewall does not support it on untagged subinterfaces.
    IP Address MAC Address Ethernet Interface > Advanced > ARP Entries To add one or more static Address Resolution Protocol (ARP) entries, click Add and enter an IP address and its associated hardware (MAC) address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.
    IPv6 Address MAC Address Ethernet Interface > Advanced > ND Entries To provide neighbor information for Neighbor Discovery Protocol (NDP), click Add and enter the IP address and MAC address of the neighbor.
    Enable NDP Proxy Ethernet Interface > Advanced > NDP Proxy Select this option to enable the Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface to indicate it will act as proxy by responding to packets destined for those addresses. It is recommended that you select Enable NDP Proxy if you use Network Prefix Translation IPv6 (NPTv6). If Enable NDP Proxy is selected, you can filter numerous Address entries by entering a search string and clicking Apply Filter ( ).
    Address Click Add to enter one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as the NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter. If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend that you also add the IPv6 neighbors of the firewall and then select Negate to instruct the firewall not to respond to these IP addresses.
    Negate Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
    Enable LLDP Ethernet Interface > Advanced > LLDP Select to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.
    LLDP Profile If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
    Enable in HA Passive State If LLDP is enabled, select this option to allow the firewall as an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active.
    For an IPv4 address
    Type Ethernet Interface > IPv4 Select the method for assigning an IPv4 address type to the interface: Static —You must manually specify the IP address. PPPoE —The firewall will use the interface for Point-to-Point Protocol over Ethernet (PPPoE). DHCP Client —Enables the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address. Firewalls that are in active/active high availability (HA) mode do not support PPPoE or DHCP Client. Based on your IP address method selection, the options displayed in the tab will vary.
    IPv4 address Type = Static
    IP Ethernet Interface > IPv4 Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface. Type the entry in Classless Inter-domain Routing (CIDR) notation using the format ip_address/mask. IPv4 example: 192.168.2.0/24 IPv6 example: 2001:db8::/32 Select an existing address object of type IP netmask. Click Address to create an address object of type IP netmask. You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your firewall uses determines the maximum number of IP addresses. To delete an IP address, select the address and click Delete.
    IPv4 address Type = PPPoE
    Enable Ethernet Interface > IPv4 > PPPoE > General Select this option to activate the interface for PPPoE termination.
    Username Enter the user name for the point-to-point connection.
    Password/Confirm Password Enter and then confirm the password for the user name.
    Show PPPoE Client Runtime Info (Optional) Opens a dialog that displays parameters that the firewall negotiated with the Internet service provider (ISP) to establish a connection. The specific information depends on the ISP.
    Authentication Ethernet Interface > IPv4 > PPPoE > Advanced Select the authentication protocol for PPPoE communications— CHAP (Challenge-Handshake Authentication Protocol), PAP (Password Authentication Protocol), or the default Auto (the firewall determines the protocol). Select None to remove the current protocol assignment from the interface.
    Static Address Perform one of the following steps to specify the IP address that the Internet service provider assigned (no default value): Type the entry in Classless Inter-domain Routing (CIDR) notation using the format ip_address/mask. IPv4 example: 192.168.2.0/24 IPv6 example: 2001:db8::/32 Select an existing address object of type IP netmask. Click Address to create an address object of type IP netmask. Select None to remove the current address assignment from the interface.
    Automatically create default route pointing to peer Select this option to automatically create a default route that points to the PPPoE peer when connected.
    Default Route Metric (Optional) For the route between the firewall and Internet service provider, enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535). The priority level increases as the numeric value decreases.
    Access Concentrator (Optional) Enter the name of the access concentrator on the Internet service provider end to which the firewall connects (no default).
    Service (Optional) Enter the service string (no default).
    Passive Select this option to use passive mode. In passive mode, a PPPoE end point waits for the access concentrator to send the first frame.
    IPv4 address Type = DHCP
    Enable Ethernet Interface > IPv4 Activate the DHCP client on the interface.
    Automatically create default route pointing to default gateway provided by server Automatically create a default route that points to the default gateway that the DHCP server provides.
    Default Route Metric For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535, no default). The priority level increases as the numeric value decreases.
    Show DHCP Client Runtime Info Display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
    For an IPv6 address
    Enable IPv6 on the interface Ethernet Interface > IPv6 Enable IPv6 addressing on this interface.
    Interface ID Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.
    Address Add one or more IPv6 address and configure the following settings: Address —Enter an IPv6 address and prefix length (such as 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object. Enable address on interface —Select to enable the IPv6 address on the interface. Use interface ID as host portion —Select to use the Interface ID as the host portion of the IPv6 address. Anycast —Select to include routing through the nearest node. Send Router Advertisement —Select this option to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement in this table.The remaining fields only apply if you enable RA. Valid Lifetime —The length of time (in seconds) that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000. Preferred Lifetime —The length of time (in seconds) that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until the Valid Lifetime expires. The default is 604,800. On-link —Select this option if systems that have addresses within the prefix are reachable without a router. Autonomous —Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.
    Enable Duplication Address Detection Select to enable duplicate address detection ( DAD), then configure the other fields in this section.
    DAD Attempts Specify the number of DAD attempts within the neighbor solicitation interval ( NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).
    Reachable Time Specify the length of time (in seconds) that a neighbor remains reachable after a successful query and response (range is 10-36,000; default is 30).
    NS Interval (neighbor solicitation interval) Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).
    Enable Router Advertisement Ethernet Interface > IPv6 (cont) To provide stateless address auto-configuration (SLAAC) on IPv6 interfaces, select and configure this option. Clients that receive the router advertisement (RA) messages use this information. RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients. This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure the address in the IP address table. If you set RA options for any IP address, you must select the Enable Router Advertisement option for the interface.
    Min Interval (sec) Specify the minimum interval (in seconds) between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values.
    Max Interval (sec) Specify the maximum interval (in seconds) between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values.
    Hop Limit Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
    Link MTU Specify link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).
    Reachable Time (ms) Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
    Retrans Time (ms) Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
    Router Lifetime (sec) Specify how long (in seconds) the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
    Router Preference If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
    Managed Configuration Indicate to the client that addresses are available via DHCPv6.
    Other Configuration Select this option to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.
    Consistency Check Select this option if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies.
    Layer 3 Subinterface
    Network > Interfaces > Ethernet
    For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer 3 interfaces (subinterfaces).
    To configure a Layer 3 Interface, select the row of that physical Interface, click Add Subinterface, and specify the following information.
    Layer 3 Subinterface Setting Configured In Description
    Interface Name Layer3 Subinterface The read-only Interface Name field displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
    Comment Enter an optional description for the subinterface.
    Tag Enter the VLAN tag (1-4,094) for the subinterface.
    Netflow Profile If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface. The PA-4000 Series and PA-7000 Series firewalls don’t support this feature.
    Virtual Router Layer3 Subinterface > Config Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
    Virtual System If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
    Security Zone Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
    Management Profile Layer3 Subinterface > Advanced > Other Info Management Profile —Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.
    MTU Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
    Adjust TCP MSS Select this option to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol: IPv4 MSS Adjustment Size —Range is 40-300; default is 40. IPv6 MSS Adjustment Size —Range is 60-300; default is 60. Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment. Encapsulation adds length to headers so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
    IP Address MAC Address Layer3 Subinterface > Advanced > ARP Entries To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware (MAC) address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle attacks for the specified addresses.
    IPv6 Address MAC Address Layer3 Subinterface > Advanced > ND Entries To provide neighbor information for Neighbor Discovery Protocol (NDP), Add the IP address and MAC address of the neighbor.
    Enable NDP Proxy Layer3 Subinterface > Advanced > NDP Proxy Click to enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface so that the firewall will receive the packets meant for the addresses in the list. It is recommended that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6). If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and clicking Apply Filter (gray arrow).
    Address Click Add to enter one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter. If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the IPv6 neighbors of the firewall and then click Negate to instruct the firewall not to respond to these IP addresses.
    Negate Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
    For an IPv4 address
    Type Layer3 Subinterface > IPv4 Select the method for assigning an IPv4 address type to the subinterface: Static —You must manually specify the IP address. DHCP Client —Enables the subinterface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address. Firewalls that are in active/active high availability (HA) mode don’t support DHCP Client. Based on your IP address method selection, the options displayed in the tab will vary.
    IPv4 address Type = Static
    IP Layer3 Subinterface > IPv4 Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface. Type the entry in Classless Inter-domain Routing (CIDR) notation using the format ip_address/mask. IPv4 example: 192.168.2.0/24 IPv6 example: 2001:db8::/32 Select an existing address object of type IP netmask. Click Address to create an address object of type IP netmask. You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses. To delete an IP address, select the address and click Delete.
    IPv4 address Type = DHCP
    Enable Layer3 Subinterface > IPv4 Select this option to activate the DHCP client on the interface.
    Automatically create default route pointing to default gateway provided by server Select this option to automatically create a default route that points to the default gateway that the DHCP server provides.
    Default Route Metric (Optional) For the route between the firewall and DHCP server, you can enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65535; there is no default). The priority level increases as the numeric value decreases.
    Show DHCP Client Runtime Info Select Show DHCP Client Runtime Info to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
    For an IPv6 address
    Enable IPv6 on the interface Layer3 Subinterface > IPv6 Select this option to enable IPv6 addressing on this interface.
    Interface ID Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.
    Address Layer3 Subinterface > IPv6 (cont) Click Add and configure the following parameters for each IPv6 address: Address —Enter an IPv6 address and prefix length (e.g. 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object. Enable address on interface —Click to enable the IPv6 address on the interface. Use interface ID as host portion —Click to use the Interface ID as the host portion of the IPv6 address. Anycast —Click to include routing through the nearest node. Send Router Advertisement —Click to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement in this table. The remaining fields apply only if you enable RA. Valid Lifetime —The length of time (in seconds) that the firewall considers the address as valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000. Preferred Lifetime —The length of time (in seconds) that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections but any existing connections are valid until the Valid Lifetime expires. The default is 604,800. On-link —Click if systems that have addresses within the prefix are reachable without a router. Autonomous —Click if systems can independently create an IP address by combining the advertised prefix with an interface ID.
    Enable Duplication Address Detection Select this option to enable duplicate address detection ( DAD), then configure the other fields in this section.
    DAD Attempts Specify the number of DAD attempts within the neighbor solicitation interval ( NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).
    Reachable Time Specify the length of time (in seconds) that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).
    NS Interval (neighbor solicitation interval) Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).
    Enable Router Advertisement Layer3 Subinterface > IPv6 (cont) To provide stateless address auto-configuration (SLAAC) on IPv6 interfaces, select this option and configure associated settings. Clients that receive the router advertisement (RA) messages use this information. RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients. This option is a global setting for the interface. If you want to set RA options for individual IP addresses, click Add in the IP address table and configure the address. If you set RA options for any IP address, you must select the Enable Router Advertisement option for the interface.
    Min Interval (sec) Specify minimum interval (in seconds) between RAs the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
    Max Interval (sec) Specify the maximum interval (in seconds) between RAs the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between minimum and maximum values you configure.
    Hop Limit Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
    Link MTU Specify link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).
    Reachable Time (ms) Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
    Retrans Time (ms) Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
    Router Lifetime (sec) Specify how long (in seconds) the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
    Router Preference If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
    Managed Configuration Select to indicate to the client that addresses are available via DHCPv6.
    Other Configuration Select this option to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.
    Consistency Check Select this option if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies.
    Virtual Wire Interface
    Network > Interfaces > Ethernet
    A virtual wire logically binds two Ethernet interfaces together, allowing for all traffic to pass between the interfaces, or just traffic with selected VLAN tags (no other switching or routing services are available). You can create virtual wire subinterfaces to classify traffic according to an IP address, IP range, or subnet. A virtual wire requires no changes to adjacent network devices. A virtual wire can bind two Ethernet interfaces of the same medium (both copper or both fiber optic), or bind a copper interface to a fiber optic interface.
    To set up a virtual wire, decide which two interfaces to bind ( Network > Interfaces > Ethernet) and configure their settings as described in the following table.
    		 If you are using an existing interface for the virtual wire, you must first remove the interface from any associated security zone.
    Virtual Wire Interface Setting Configured In Description
    Interface Name Ethernet Interface The interface name is predefined and you cannot change it.
    Comment Enter an optional description for the interface.
    Interface Type Select Virtual Wire.
    Virtual Wire Ethernet Interface > Config Select a virtual wire, or click Virtual Wire to define new Network > Virtual Wires. Select None to remove the current virtual wire assignment from the interface.
    Virtual System If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.
    Security Zone Select a security zone for the interface, or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
    Link Speed Ethernet Interface > Advanced Select a specific interface speed in Mbps or select auto to have the firewall automatically determine the speed. Both interfaces in the virtual wire must have the same speed.
    Link Duplex Select whether the interface transmission mode is full-duplex ( full), half-duplex ( half), or negotiated automatically ( auto). Both interfaces in the virtual wire must have the same transmission mode.
    Link State Select whether the interface status is enabled ( up), disabled ( down), or determined automatically ( auto).
    Enable LLDP Ethernet Interface > Advanced > LLDP Select this option to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities.
    Profile If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults.
    Enable in HA Passive State If LLDP is enabled, select this option to configure an HA passive firewall to pre-negotiate LLDP with its peer before the firewall becomes active. If LLDP is not enabled, select this option to configure an HA passive firewall to simply pass LLDP packets through the firewall.
    Virtual Wire Subinterface
    Network > Interfaces > Ethernet
    Virtual wire (vwire) subinterfaces allow you to separate traffic by VLAN tags or a VLAN tag and IP classifier combination, assign the tagged traffic to a different zone and virtual system, and then enforce security policies for the traffic that matches the defined criteria.
    To add a Virtual Wire Interface select the row for that interface, click Add Subinterface, and specify the following information.
    Virtual Wire Subinterface Setting Description
    Interface Name The read-only Interface Name displays the name of the vwire interface you selected. In the adjacent field, enter a numeric suffix (1-9999) to identify the subinterface.
    Comment Enter an optional description for the subinterface.
    Tag Enter the VLAN tag (0-4,094) for the subinterface.
    Netflow Profile If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Selecting None removes the current NetFlow server assignment from the subinterface. The PA-4000 Series and PA-7000 Series firewalls don’t support this feature.
    IP Classifier Click Add and enter an IP address, IP range, or subnet to classify the traffic on this vwire subinterface.
    Virtual Wire Select a virtual wire, or click Virtual Wire to define a new one (see Network > Virtual Wires). Select None to remove the current virtual wire assignment from the subinterface.
    Virtual System If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
    Security Zone Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
    Tap Interface
    Network > Interfaces > Ethernet
    You can use a tap interface to monitor traffic on a port.
    To configure a tap interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
    Tap Interface Setting Configured In Description
    Interface Name Ethernet Interface The interface name is predefined and you cannot change it.
    Comment Enter an optional description for the interface.
    Interface Type Select Tap.
    Netflow Profile If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface. The PA-4000 Series and PA-7000 Series firewalls don’t support this feature.
    Virtual System Ethernet Interface > Config If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system for the interface or click Virtual System to define a new vsys.
    Security Zone Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface.
    Link Speed Ethernet Interface > Advanced Select the interface speed in Mbps ( 10, 100, or 1000), or select auto to have the firewall automatically determine the speed.
    Link Duplex Select whether the interface transmission mode is full-duplex ( full), half-duplex ( half), or negotiated automatically ( auto).
    Link State Select whether the interface status is enabled ( up), disabled ( down), or determined automatically ( auto).
    Log Card Interface
    Network > Interfaces > Ethernet
    On PA-7000 Series firewalls, one data port must have an interface type of Log Card. This is because the traffic and logging capabilities of this platform exceed the capabilities of the management port. A log card data port performs log forwarding for syslog, email, Simple Network Management Protocol (SNMP), and WildFire™ file-forwarding. Only one port on the firewall can be a log card interface. If you enable log forwarding but do not configure any interface with the Log Card type, a commit error occurs.
    To configure a log card interface, click the name of an Interface (ethernet1/16, for example) that is not configured and specify the following information.
    Log Card Interface Setting Configured In Description
    Slot Ethernet Interface Select the slot number (1-12) of the interface.
    Interface Name The interface name is predefined and you cannot change it.
    Comment Enter an optional description for the interface.
    Interface Type Select Log Card.
    IPv4 Ethernet Interface > Log Card Forwarding If your network uses IPv4, define the following: IP address —The IPv4 address of the port. Netmask —The network mask for the IPv4 address of the port. Default Gateway —The IPv4 address of the default gateway for the port.
    IPv6 If your network uses IPv6, define the following: IP address —The IPv6 address of the port. Default Gateway —The IPv6 address of the default gateway for the port.
    Link Speed Ethernet Interface > Advanced Select the interface speed in Mbps ( 10, 100, or 1000) or select auto (default) to have the firewall automatically determine the speed based on the connection. For interfaces that have a non-configurable speed, auto is the only option. The minimum recommended speed for the connection is 1000 (Mbps).
    Link Duplex Select whether the interface transmission mode is full-duplex ( full), half-duplex ( half), or negotiated automatically based on the connection ( auto). The default is auto.
    Link State Select whether the interface status is enabled ( up), disabled ( down), or determined automatically based on the connection ( auto). The default is auto.
    Log Card Subinterface
    Network > Interfaces > Ethernet
    To add a Log Card Interface, select the row for that interface, Add Subinterface, and specify the following information.
    Log Card Subinterface Setting Configured In Description
    Interface Name LPC Subinterface Interface Name (read-only) displays the name of the log card interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
    Comment Enter an optional description for the interface.
    Tag Enter the VLAN Tag (0-4,094) for the subinterface. It is a best practice to make the tag the same as the subinterface number for ease of use.
    Virtual System LPC Subinterface > Config Select the virtual system (vsys) to which the Log Processing Card (LPC) subinterface is assigned. Alternatively, you can click Virtual Systems to add a new vsys. Once an LPC subinterface is assigned to a vsys, that interface is used as the source interface for all services that forward logs (syslog, email, SNMP) from the log card.
    IPv4 Ethernet Interface > Log Card Forwarding If your network uses IPv4, define the following: IP address —The IPv4 address of the port. Netmask —The network mask for the IPv4 address of the port. Default Gateway —The IPv4 address of the default gateway for the port.
    IPv6 If your network uses IPv6, define the following: IP address —The IPv6 address of the port. Default Gateway —The IPv6 address of the default gateway for the port.
    Decrypt Mirror Interface
    Network > Interfaces > Ethernet
    To use the Decryption Port Mirror feature, you must select the Decrypt Mirror interface type. This feature enables creating a copy of decrypted traffic from a firewall and sending it to a traffic collection tool that can receive raw packet captures—such as NetWitness or Solera—for archiving and analysis. Organizations that require comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality require this feature. Decryption port mirroring is only available on PA-7000 Series firewalls, PA-5000 Series firewalls, and PA-3000 Series firewalls. To enable the feature, you must acquire and install the free license.
    To configure a decrypt mirror interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
    Decrypt Mirror Interface Setting Description
    Interface Name The interface name is predefined and you cannot change it.
    Comment Enter an optional description for the interface.
    Interface Type Select Decrypt Mirror.
    Link Speed Select the interface speed in Mbps ( 10, 100, or 1000), or select auto to have the firewall automatically determine the speed.
    Link Duplex Select whether the interface transmission mode is full-duplex ( full), half-duplex ( half), or negotiated automatically ( auto).
    Link State Select whether the interface status is enabled ( up), disabled ( down), or determined automatically ( auto).
    Aggregate Ethernet (AE) Interface Group
    Network > Interfaces > Ethernet
    An AE interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that connects the firewall to another network device or another firewall. An AE interface group increases the bandwidth between peers by load balancing traffic across the combined interfaces. It also provides redundancy; when one interface fails, the remaining interfaces continue to support traffic.
    Before configuring an AE interface group, you must configure its interfaces. All the interfaces in an aggregate group must be the same with respect to bandwidth (1Gbps or 10Gbps) and interface type (HA3, virtual wire, Layer 2, or Layer 3). You can add up to eight AE interface groups per firewall and each group can have up to eight interfaces.
    		 All Palo Alto Networks firewalls except the PA-200 and VM-Series platforms support AE interface groups. You can aggregate the HA3 (packet forwarding) interfaces in a high availability (HA) active/active configuration but only on the PA-500, PA-3000 Series, PA-4000 Series, and PA-5000 Series firewalls.
    To configure an AE interface group, Add Aggregate Group, configure the settings in the following table, and then assign interfaces to the group (see Aggregate Ethernet (AE) Interface).
    Aggregate Interface Group Setting Configured In Description
    Interface Name Aggregate Ethernet Interface The read-only Interface Name is set to ae. In the adjacent field, enter a numeric suffix (1-8) to identify the AE interface group.
    Comment Enter an optional description for the interface.
    Interface Type Select the interface type, which controls the remaining configuration requirements and options: HA —Only select this option if the interface is an HA3 link between two firewalls in an active/active deployment. Optionally select a Netflow Profile and configure the LACP tab (see Enable LACP). Virtual Wire —Optionally select a Netflow Profile, and configure the Config and Advanced tabs as described in Virtual Wire Setting. Layer 2 —Optionally select a Netflow Profile ; configure the Config and Advanced tabs as described in Layer 2 Interface Setting ; and optionally configure the LACP tab (see Enable LACP). Layer 3 —Optionally select a Netflow Profile ; configure the Config, IPv4 or IPv6, and Advanced tabs as described in Layer 3 Interface Setting ; and optionally configure the LACP tab (see Enable LACP).
    Netflow Profile If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the AE interface group. The PA-4000 Series and PA-7000 Series firewalls don’t support this feature.
    Enable LACP Aggregate Ethernet Interface > LACP Select this option if you want to enable Link Aggregation Control Protocol (LACP) for the AE interface group. LACP is disabled by default. If you enable LACP, interface failure detection is automatic at the physical and data link layers regardless of whether the firewall and its LACP peer are directly connected. (Without LACP, interface failure detection is automatic only at the physical layer between directly connected peers). LACP also enables automatic failover to standby interfaces if you configure hot spares (see Max Ports).
    Mode Select the LACP mode of the firewall. Between any two LACP peers, it is recommended that one is active and the other is passive. LACP cannot function if both peers are passive. Active —The firewall actively queries the LACP status (available or unresponsive) of peer devices. Passive (default)—The firewall passively responds to LACP status queries from peer devices.
    Transmission Rate Select the rate at which the firewall exchanges queries and responses with peer devices: Fast —Every second Slow —Every 30 seconds (this is the default setting)
    Fast Failover Select this option if, when an interface goes down, you want the firewall to fail over to an operational interface within one second. Otherwise, failover occurs at the standard IEEE 802.1AX-defined speed (at least three seconds).
    System Priority Aggregate Ethernet Interface > LACP (cont) The number that determines whether the firewall or its peer overrides the other with respect to port priorities (see the Max Ports field description below). Note that the lower the number, the higher the priority (range is 1-65,535; default is 32,768).
    Max Ports The number of interfaces (1-8) that can be active at any given time in an LACP aggregate group. The value cannot exceed the number of interfaces you assign to the group. If the number of assigned interfaces exceeds the number of active interfaces, the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. You set the LACP port priorities when configuring individual interfaces for the group (see Aggregate Ethernet (AE) Interface).
    Enable in HA Passive State For firewalls deployed in a high availability (HA) active/passive configuration, select this option to allow the passive firewall to pre-negotiate LACP with its active peer before a failover occurs. Pre-negotiation speeds up failover because the passive firewall does not have to negotiate LACP before becoming active.
    Same System MAC Address for Active-Passive HA This option applies only to firewalls deployed in a high availability (HA) active/passive configuration ; firewalls in an active/active configuration require unique MAC addresses. HA firewall peers have the same system priority value. However, in an active/passive deployment, the system ID for each can be the same or different, depending on whether you assign the same MAC address. When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), using the same system MAC address for the firewalls minimizes latency during failover. When the LACP peers are not virtualized, using the unique MAC address of each firewall minimizes failover latency. LACP uses the MAC address to derive a system ID for each LACP peer. If the firewall pair and peer pair have identical system priority values, LACP uses the system ID values to determine which overrides the other with respect to port priorities. If both firewalls have the same MAC address, both will have the same system ID, which will be higher or lower than the system ID of the LACP peers. If the HA firewalls have unique MAC addresses, it is possible for one to have a higher system ID than the LACP peers while the other has a lower system ID. In the latter case, when failover occurs on the firewalls, port prioritization switches between the LACP peers and the firewall that becomes active.
    MAC Address If you enabled Use Same System MAC Address, select a system-generated MAC address, or enter your own, for both firewalls in the active/passive high availability (HA) pair. You must verify the address is globally unique.
    Aggregate Ethernet (AE) Interface
    Network > Interfaces > Ethernet
    To configure an Aggregate Ethernet (AE) Interface, first configure an Aggregate Ethernet (AE) Interface Group and click the name of the interface you will assign to that group. The interface you select must be the same type as that defined for the AE interface group (for example, Layer3); you will change the type to Aggregate Ethernet when you configure the interface. Specify the following information for the interface.
    		 If you enabled Link Aggregation Control Protocol (LACP) for the AE interface group, select the same Link Speed and Link Duplex for every interface in that group as a best practice. For non-matching values, the commit operation displays a warning and PAN-OS defaults to the higher speed and full duplex.
    Aggregate Ethernet Interface Setting Description
    Interface Name The interface name is predefined and you cannot change it.
    Comment Enter an optional description for the interface.
    Interface Type Select Aggregate Ethernet.
    Aggregate Group Assign the interface to an aggregate group.
    Link Speed Select the interface speed in Mbps ( 10, 100, or 1000), or select auto to have the firewall automatically determine the speed.
    Link Duplex Select whether the interface transmission mode is full-duplex ( full), half-duplex ( half), or negotiated automatically ( auto).
    Link State Select whether the interface status is enabled ( up), disabled ( down), or determined automatically ( auto).
    LACP Port Priority The firewall only uses this field if you enabled Link Aggregation Control Protocol (LACP) for the aggregate group. If the number of interfaces you assign to the group exceeds the number of active interfaces (the Max Ports field), the firewall uses the LACP port priorities of the interfaces to determine which are in standby mode. The lower the numeric value, the higher the priority (range is 1-65535; default is 32768).
    HA Interface
    Network > Interfaces > Ethernet
    Each high availability (HA) interface has a specific function. One HA interface is for configuration synchronization and heartbeats; the other HA interface is for state synchronization. If active/active high availability is enabled, the firewall can also use a third HA interface to forward packets.
    		 Some Palo Alto Networks firewalls include dedicated physical ports for use in HA deployments (one for the control link and one for the data link). For firewalls that do not include dedicated ports, you must specify the data ports that will be used for HA ( Device > Virtual Systems).
    To configure an HA interface, click the name of an Interface (ethernet1/1, for example) that is not configured and specify the following information.
    HA Interface Setting Description
    Interface Name The interface name is predefined and you cannot change it.
    Comment Enter an optional description for the interface.
    Interface Type Select HA.
    Link Speed Select the interface speed in Mbps ( 10, 100, or 1000), or select auto to have the firewall automatically determine the speed.
    Link Duplex Select whether the interface transmission mode is full-duplex ( full), half-duplex ( half), or negotiated automatically ( auto).
    Link State Select whether the interface status is enabled ( up), disabled ( down), or determined automatically ( auto).
    Previous
    Next

    Related Documentation

    Virtual Wire Deployments

    Virtual Wire Deployments In a virtual wire deployment, you install a firewall transparently on a network segment by binding two firewall ports (interfaces) together. The ...

    LACP and LLDP Pre-Negotiation on an HA Passive Firewall

    LACP and LLDP Pre-Negotiation on an HA Passive Firewall Firewalls in a high availability (HA) active/passive configuration must be able to fail over quickly. If ...

    Customize Service Routes for a Virtual System

    Customize Service Routes for a Virtual System Customize Service Routes to Services for Virtual Systems Configure a PA-7000 Series Firewall for Logging Per Virtual System ...

    Network > Interfaces > VLAN

    Network > Interfaces > VLAN A VLAN interface can provide routing into a Layer 3 network (IPv4 and IPv6). You can add one or more ...

    Network > Interfaces > Tunnel

    Network > Interfaces > Tunnel The following table describes tunnel interface settings. Tunnel Interface Setting Configure In Description Interface Name Tunnel Interface The read-only Interface ...

    Network > Interfaces > Loopback

    Network > Interfaces > Loopback The following table describes loopback interface settings. Loopback Interface Setting Configure In Description Interface Name Loopback Interface The read-only Interface ...

    Use Interface Management Profiles to Restrict Access

    Use Interface Management Profiles to Restrict Access An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses ...

    Configure Interfaces and Zones

    Configure Interfaces and Zones After you identify how you want to segment your network and the zones you will need to create to achieve the ...

    Configure an Interface as a DHCP Client

    Configure an Interface as a DHCP Client Before configuring a firewall interface as a DHCP Client , make sure you have configured a Layer 3 ...

    Configure an Aggregate Interface Group

    Configure an Aggregate Interface Group An aggregate interface group uses IEEE 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface that ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo