| Layer 3 Interface Setting | Configured In | Description |
|---|---|---|
| Interface Name | Ethernet Interface | The interface name is predefined and you cannot change it. |
| Comment | Ethernet Interface | Enter an optional description for the interface. |
| Interface Type | Ethernet Interface | Select Layer3. |
| Netflow Profile | Ethernet Interface | If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface. The PA-4000 Series and PA-7000 Series firewalls don’t support this feature. |
| Virtual Router | Ethernet Interface > Config | Select a virtual router, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface. |
| Virtual System | Ethernet Interface > Config | If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click Virtual System to define a new vsys. |
| Security Zone | Ethernet Interface > Config | Select a security zone for the interface or click Zone to define a new zone. Select None to remove the current zone assignment from the interface. |
| Link Speed | Ethernet Interface > Advanced | Select the interface speed in Mbps (10, 100, or 1000) or select auto. |
| Link Duplex | Ethernet Interface > Advanced | Select whether the interface transmission mode is full-duplex (full), half-duplex (half), or negotiated automatically (auto). |
| Link State | Ethernet Interface > Advanced | Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto). |
| Management Profile | Ethernet Interface > Advanced > Other Info | Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface. |
| MTU | Ethernet Interface > Advanced > Other Info | Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating that the packet is too large. |
| Adjust TCP MSS | Ethernet Interface > Advanced > Other Info | Select this option to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:<br>IPv4 MSS Adjustment Size—Range is 40-300; default is 40.<br>IPv6 MSS Adjustment Size—Range is 60-300; default is 60.<br>Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment. Encapsulation adds length to headers, so it is helpful to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag. |
| Untagged Subinterface | Ethernet Interface > Advanced > Other Info | Specifies that all subinterfaces belonging to this Layer 3 interface are untagged. PAN-OS® selects an untagged subinterface as the ingress interface based on the packet destination. If the destination is the IP address of an untagged subinterface, it maps to the subinterface. This also means that packets in the reverse direction must have their source address translated to the IP address of the untagged subinterface. A byproduct of this classification mechanism is that all multicast and broadcast packets are assigned to the base interface, not to any subinterface. Because Open Shortest Path First (OSPF) uses multicast, the firewall does not support it on untagged subinterfaces. |
| IP Address / MAC Address | Ethernet Interface > Advanced > ARP Entries | To add one or more static Address Resolution Protocol (ARP) entries, click Add and enter an IP address and its associated hardware (MAC) address. To delete an entry, select the entry and click Delete. Static ARP entries reduce ARP processing and preclude man-in-the-middle (ARP spoofing) attacks for the specified addresses. |
| IPv6 Address / MAC Address | Ethernet Interface > Advanced > ND Entries | To provide neighbor information for the Neighbor Discovery Protocol (NDP), click Add and enter the IP address and MAC address of the neighbor. |
| Enable NDP Proxy | Ethernet Interface > Advanced > NDP Proxy | Select this option to enable the Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface to indicate that it will act as proxy by responding to packets destined for those addresses.<br>It is recommended that you select Enable NDP Proxy if you use Network Prefix Translation IPv6 (NPTv6).<br>If Enable NDP Proxy is selected, you can filter numerous Address entries by entering a search string and clicking Apply Filter. |
| Address | Ethernet Interface > Advanced > NDP Proxy | Click Add to enter one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as the NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.<br>If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend that you also add the IPv6 neighbors of the firewall and then select Negate to instruct the firewall not to respond to these IP addresses. |
| Negate | Ethernet Interface > Advanced > NDP Proxy | Select Negate for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet. |
| Enable LLDP | Ethernet Interface > Advanced > LLDP | Select to enable Link Layer Discovery Protocol (LLDP) on the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities. |
| LLDP Profile | Ethernet Interface > Advanced > LLDP | If LLDP is enabled, select an LLDP profile to assign to the interface or click LLDP Profile to create a new profile (see Network > Network Profiles > LLDP Profile). Select None to configure the firewall to use global defaults. |
| Enable in HA Passive State | Ethernet Interface > Advanced > LLDP | If LLDP is enabled, select this option to allow the firewall, as an HA passive firewall, to pre-negotiate LLDP with its peer before the firewall becomes active. |
| For an IPv4 address | | |
| Type | Ethernet Interface > IPv4 | Select the method for assigning an IPv4 address to the interface:<br>Static—You must manually specify the IP address.<br>PPPoE—The firewall will use the interface for Point-to-Point Protocol over Ethernet (PPPoE).<br>DHCP Client—Enables the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address.<br>Firewalls that are in active/active high availability (HA) mode do not support PPPoE or DHCP Client.<br>The options displayed in the tab vary based on the IP address method you select. |
| IPv4 address Type = Static | | |
| IP | Ethernet Interface > IPv4 | Click Add, then perform one of the following steps to specify a static IP address and network mask for the interface:<br>Type the entry in Classless Inter-Domain Routing (CIDR) notation using the format ip_address/mask (IPv4 example: 192.168.2.0/24; IPv6 example: 2001:db8::/32).<br>Select an existing address object of type IP netmask.<br>Click Address to create an address object of type IP netmask.<br>You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your firewall uses determines the maximum number of IP addresses. To delete an IP address, select the address and click Delete. |
| IPv4 address Type = PPPoE | | |
| Enable | Ethernet Interface > IPv4 > PPPoE > General | Select this option to activate the interface for PPPoE termination. |
| Username | Ethernet Interface > IPv4 > PPPoE > General | Enter the user name for the point-to-point connection. |
| Password/Confirm Password | Ethernet Interface > IPv4 > PPPoE > General | Enter and then confirm the password for the user name. |
| Show PPPoE Client Runtime Info | Ethernet Interface > IPv4 > PPPoE > General | (Optional) Opens a dialog that displays the parameters that the firewall negotiated with the Internet service provider (ISP) to establish a connection. The specific information depends on the ISP. |
| Authentication | Ethernet Interface > IPv4 > PPPoE > Advanced | Select the authentication protocol for PPPoE communications—CHAP (Challenge-Handshake Authentication Protocol), PAP (Password Authentication Protocol), or the default Auto (the firewall determines the protocol). Select None to remove the current protocol assignment from the interface. |
| Static Address | Ethernet Interface > IPv4 > PPPoE > Advanced | Perform one of the following steps to specify the IP address that the Internet service provider assigned (no default value):<br>Type the entry in Classless Inter-Domain Routing (CIDR) notation using the format ip_address/mask (IPv4 example: 192.168.2.0/24; IPv6 example: 2001:db8::/32).<br>Select an existing address object of type IP netmask.<br>Click Address to create an address object of type IP netmask.<br>Select None to remove the current address assignment from the interface. |
| Automatically create default route pointing to peer | Ethernet Interface > IPv4 > PPPoE > Advanced | Select this option to automatically create a default route that points to the PPPoE peer when connected. |
| Default Route Metric | Ethernet Interface > IPv4 > PPPoE > Advanced | (Optional) For the route between the firewall and the Internet service provider, enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535). The priority level increases as the numeric value decreases. |
| Access Concentrator | Ethernet Interface > IPv4 > PPPoE > Advanced | (Optional) Enter the name of the access concentrator on the Internet service provider end to which the firewall connects (no default). |
| Service | Ethernet Interface > IPv4 > PPPoE > Advanced | (Optional) Enter the service string (no default). |
| Passive | Ethernet Interface > IPv4 > PPPoE > Advanced | Select this option to use passive mode. In passive mode, a PPPoE end point waits for the access concentrator to send the first frame. |
| IPv4 address Type = DHCP | | |
| Enable | Ethernet Interface > IPv4 | Activate the DHCP client on the interface. |
| Automatically create default route pointing to default gateway provided by server | Ethernet Interface > IPv4 | Automatically create a default route that points to the default gateway that the DHCP server provides. |
| Default Route Metric | Ethernet Interface > IPv4 | For the route between the firewall and the DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535; no default). The priority level increases as the numeric value decreases. |
| Show DHCP Client Runtime Info | Ethernet Interface > IPv4 | Display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP). |
| For an IPv6 address | | |
| Enable IPv6 on the interface | Ethernet Interface > IPv6 | Enable IPv6 addressing on this interface. |
| Interface ID | Ethernet Interface > IPv6 | Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address. |
| Address | Ethernet Interface > IPv6 | Add one or more IPv6 addresses and configure the following settings:<br>Address—Enter an IPv6 address and prefix length (such as 2001:400:f00::1/64). You can also select an existing IPv6 address object or click Address to create an address object.<br>Enable address on interface—Select to enable the IPv6 address on the interface.<br>Use interface ID as host portion—Select to use the Interface ID as the host portion of the IPv6 address.<br>Anycast—Select to include routing through the nearest node.<br>Send Router Advertisement—Select this option to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details on RA, see Enable Router Advertisement in this table. The remaining fields only apply if you enable RA.<br>Valid Lifetime—The length of time (in seconds) that the firewall considers the address valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.<br>Preferred Lifetime—The length of time (in seconds) that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections, but any existing connections remain valid until the Valid Lifetime expires. The default is 604,800.<br>On-link—Select this option if systems that have addresses within the prefix are reachable without a router.<br>Autonomous—Select if systems can independently create an IP address by combining the advertised prefix with an interface ID. |
| Enable Duplicate Address Detection | Ethernet Interface > IPv6 | Select to enable duplicate address detection (DAD), then configure the other fields in this section. |
| DAD Attempts | Ethernet Interface > IPv6 | Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1). |
| Reachable Time | Ethernet Interface > IPv6 | Specify the length of time (in seconds) that a neighbor remains reachable after a successful query and response (range is 10-36,000; default is 30). |
| NS Interval (neighbor solicitation interval) | Ethernet Interface > IPv6 | Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1). |
| Enable Router Advertisement | Ethernet Interface > IPv6 | To provide stateless address auto-configuration (SLAAC) on IPv6 interfaces, select and configure this option. Clients that receive the router advertisement (RA) messages use this information.<br>RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.<br>This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure the address in the IP address table. If you set RA options for any IP address, you must select the Enable Router Advertisement option for the interface. |
| Min Interval (sec) | Ethernet Interface > IPv6 | Specify the minimum interval (in seconds) between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values. |
| Max Interval (sec) | Ethernet Interface > IPv6 | Specify the maximum interval (in seconds) between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values. |
| Hop Limit | Ethernet Interface > IPv6 | Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit. |
| Link MTU | Ethernet Interface > IPv6 | Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified). |
| Reachable Time (ms) | Ethernet Interface > IPv6 | Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified). |
| Retrans Time (ms) | Ethernet Interface > IPv6 | Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified). |
| Router Lifetime (sec) | Ethernet Interface > IPv6 | Specify how long (in seconds) the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway. |
| Router Preference | Ethernet Interface > IPv6 | If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment. |
| Managed Configuration | Ethernet Interface > IPv6 | Indicate to the client that addresses are available via DHCPv6. |
| Other Configuration | Ethernet Interface > IPv6 | Select this option to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6. |
| Consistency Check | Ethernet Interface > IPv6 | Select this option if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies. |
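Because the firewall falls back to an EUI-64 generated from the interface MAC address when Interface ID is left blank, it helps to see how that identifier is derived and what it reveals. The following is an added example (not PAN-OS code; the MAC address and the 2001:db8 prefix are constructed values) that derives the modified EUI-64 from a MAC as RFC 4291 specifies, combines it with a /64 prefix the way the Use interface ID as host portion option does, and recovers the MAC from an address that embeds one, which is why an address formed this way exposes the hardware address to every peer.

```python
"""Modified EUI-64 interface IDs: derive one from a MAC address (RFC 4291,
Appendix A), form the IPv6 host address from a /64 prefix, and recover the
MAC from an EUI-64-style address.  Added example, not PAN-OS code."""
import ipaddress
import re
from typing import Optional


def mac_to_eui64(mac: str) -> str:
    """Return the modified EUI-64 interface ID for a 48-bit MAC.

    The MAC is split in half, FF:FE is inserted in the middle, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = [int(x, 16) for x in re.split(r"[:\-]", mac.strip())]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    eui[0] ^= 0x02
    return ":".join(f"{o:02X}" for o in eui)


def ipv6_from_prefix(prefix: str, interface_id: str) -> str:
    """Combine a /64 prefix with an interface ID, as the firewall does when
    'Use interface ID as host portion' is selected for an address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("interface ID as host portion requires a /64 prefix")
    iid = int(interface_id.replace(":", ""), 16)
    if iid >> 64:
        raise ValueError("interface ID must be 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def eui64_to_mac(address: str) -> Optional[str]:
    """If the low 64 bits of an IPv6 address carry FF:FE in the middle, undo
    the EUI-64 transform and return the embedded MAC; otherwise return None."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    octets = list(iid.to_bytes(8, "big"))
    if octets[3:5] != [0xFF, 0xFE]:
        return None
    mac = [octets[0] ^ 0x02] + octets[1:3] + octets[5:]
    return ":".join(f"{o:02X}" for o in mac)


if __name__ == "__main__":
    # Constructed MAC and documentation prefix, not values from a real device.
    iid = mac_to_eui64("00:1B:44:11:3A:B7")
    addr = ipv6_from_prefix("2001:db8:1:2::/64", iid)
    print(iid, addr, eui64_to_mac(addr))
```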