Layer 3 Subinterface
- Network > Interfaces > Ethernet
For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer 3 interfaces (subinterfaces).
To configure a Layer 3 subinterface, select the row of the physical interface, click Add Subinterface, and specify the following information.
Layer 3 Subinterface Settings
The read-only Interface Name field displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1-9,999) to identify the subinterface.
Enter an optional description for the subinterface.
Enter the VLAN tag (1-4,094) for the subinterface.
If you want to export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface.
Assign a virtual router to the interface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys.
Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface.
Layer 3 Subinterface > Advanced > Other Info
Management Profile—Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface. Leaving no management profile on a data-plane subinterface is the safe default; if you do attach one, limit it to SSH and HTTPS, because Telnet and HTTP carry administrator credentials in cleartext.
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP Fragmentation Needed message (Destination Unreachable, code 4) to the source, indicating that the packet is too large and that the source must send smaller packets.
Adjust TCP MSS
Select to have the firewall adjust the TCP maximum segment size (MSS) so that a segment plus its headers fits within the interface MTU. The MTU in bytes minus the MSS Adjustment Size equals the MSS in bytes; the adjustment size differs between IPv4 and IPv6 because their headers differ in length.
Use this setting when a tunnel along the path requires a smaller MSS. Without it, a segment larger than the path can carry would have to be fragmented, or dropped if the Don't Fragment bit is set; with it, the firewall rewrites the MSS option in the TCP SYN so that the end hosts never send segments larger than the adjusted value.
Encapsulation adds header bytes, so set the MSS adjustment size large enough to leave room for things such as an MPLS header or a VLAN tag on tunneled traffic.
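A byte-level illustration of what the Adjust TCP MSS setting does, added here as an example rather than code from this page or from Palo Alto Networks: the function walks the TCP options of a SYN segment, finds the MSS option (kind 2) and lowers it to the interface MTU minus the adjustment size. The SYN option bytes and the 64-byte adjustment (IPv4 and TCP headers plus 24 bytes of assumed tunnel overhead) are constructed for the example; the firewall's own default adjustment values are not taken from this page.

```python
import struct
from typing import Optional, Tuple

# Header sizes (bytes) the MSS adjustment has to cover on top of any encapsulation.
IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20
MSS_OPTION = 2          # TCP option kind for Maximum Segment Size


def effective_mss(mtu: int, adjust: int) -> int:
    """MSS the firewall enforces: interface MTU minus the MSS Adjustment Size."""
    if not 576 <= mtu <= 9192:
        raise ValueError("MTU outside the 576-9192 byte range the interface accepts")
    if adjust >= mtu:
        raise ValueError("adjustment leaves no room for payload")
    return mtu - adjust


def clamp_mss_option(tcp_options: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option in a SYN's TCP options so it never exceeds max_mss.

    Returns (rewritten options, original MSS or None if the SYN carried no MSS option).
    Option encoding: kind 0 = end of list, kind 1 = NOP (single byte),
    anything else is kind, length, data, with length counting all bytes of the option.
    """
    out = bytearray()
    original = None
    i = 0
    while i < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:                       # end of option list: copy any padding as-is
            out += tcp_options[i:]
            break
        if kind == 1:                       # NOP has no length byte
            out.append(kind)
            i += 1
            continue
        if i + 1 >= len(tcp_options):
            raise ValueError("truncated option header")
        length = tcp_options[i + 1]
        if length < 2 or i + length > len(tcp_options):
            raise ValueError("malformed option length")
        body = tcp_options[i:i + length]
        if kind == MSS_OPTION and length == 4:
            original = struct.unpack("!H", body[2:4])[0]
            body = body[:2] + struct.pack("!H", min(original, max_mss))   # only ever lower it
        out += body
        i += length
    return bytes(out), original


# Constructed sample: options of a typical SYN (MSS 1460, NOP, NOP, SACK permitted, window scale 7, EOL).
SAMPLE_SYN_OPTIONS = bytes.fromhex("02 04 05 b4 01 01 04 02 03 03 07 00")

if __name__ == "__main__":
    # Assumed scenario: 1500-byte MTU on a path with 24 bytes of tunnel/MPLS overhead.
    mss_v4 = effective_mss(1500, IPV4_HDR + TCP_HDR + 24)          # 1436
    rewritten, before = clamp_mss_option(SAMPLE_SYN_OPTIONS, mss_v4)
    print(f"MSS {before} -> {struct.unpack('!H', rewritten[2:4])[0]}")
```

A SYN that already advertises an MSS below the computed value passes through untouched, and a SYN without an MSS option is left alone; the rewrite only ever lowers the value, which is the behaviour you want from a middlebox that must not enlarge what an end host is willing to receive.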
Layer 3 Subinterface > Advanced > ARP Entries
To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware (media access control, MAC) address. To delete an entry, select it and click Delete. A static entry is never overwritten by ARP replies the firewall receives, so it reduces ARP processing and protects the firewall's own IP-to-MAC mapping for the specified addresses against ARP spoofing, a man-in-the-middle technique. It protects only the firewall's view of those addresses; other hosts on the segment remain exposed unless they are protected separately.
Layer 3 Subinterface > Advanced > ND Entries
To provide neighbor information for Neighbor Discovery Protocol (NDP), Add the IP address and MAC address of the neighbor.
Enable NDP Proxy
Layer 3 Subinterface > Advanced > NDP Proxy
Select to enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall answers Neighbor Solicitations for the IPv6 addresses in this list with its own MAC address for the interface, so that packets destined for those addresses are delivered to the firewall.
It is recommended that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6).
If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and clicking Apply Filter (gray arrow).
Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the IPv6 neighbors of the firewall and then click Negate to instruct the firewall not to respond to these IP addresses.
Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
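The decision rule described in the preceding paragraphs (answer for every address in a proxied entry, except the negated ones) as an added example in Python; this is not code from the page or from Palo Alto Networks, and the class is a model of the address list rather than the firewall's implementation. The documentation prefixes, the host range, the negated neighbor addresses and the MAC address are all constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional


def expand(entry: str) -> List[ipaddress.IPv6Network]:
    """Turn one NDP Proxy list entry (single address, subnet, or first-last range) into networks."""
    if "-" in entry:
        low, high = (ipaddress.IPv6Address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(low, high))
    return [ipaddress.IPv6Network(entry.strip(), strict=False)]


class NdpProxyTable:
    """Model of the NDP Proxy address list: proxied entries with negated exceptions.

    own_mac is the MAC the firewall would place in its Neighbor Advertisement.
    """

    def __init__(self, entries: Iterable[str], negated: Iterable[str], own_mac: str):
        self.proxied = [net for e in entries for net in expand(e)]
        self.negated = [net for e in negated for net in expand(e)]
        self.own_mac = own_mac

    def should_proxy(self, target: str) -> bool:
        addr = ipaddress.IPv6Address(target)
        if any(addr in net for net in self.negated):
            return False                     # a negated entry wins even inside a proxied subnet
        return any(addr in net for net in self.proxied)

    def answer(self, target: str) -> Optional[str]:
        """MAC to advertise for a Neighbor Solicitation target, or None to stay silent."""
        return self.own_mac if self.should_proxy(target) else None


# Constructed configuration (documentation prefixes, not a real deployment):
# proxy a whole /64 (for example the NPTv6 external prefix), one extra host and a small range,
# and negate the firewall's real neighbors inside the /64 so they keep answering for themselves.
TABLE = NdpProxyTable(
    entries=["2001:db8:1::/64", "2001:db8:2::10", "2001:db8:4::1-2001:db8:4::ff"],
    negated=["2001:db8:1::1", "2001:db8:1::2"],
    own_mac="00:1b:17:00:00:10",
)

if __name__ == "__main__":
    for target in ("2001:db8:1::abcd", "2001:db8:1::1", "2001:db8:4::80", "2001:db8:3::1"):
        print(target, "->", TABLE.answer(target) or "no proxy")
```

Running the table against a few targets makes the recommendation from the text concrete: without the negated entries, the firewall would also claim 2001:db8:1::1 and 2001:db8:1::2 and pull its own neighbors' traffic toward itself.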
Type
Select the method for assigning an IPv4 address to the subinterface: Static or DHCP Client.
Firewalls in active/active high availability (HA) mode don't support DHCP Client.
The options displayed in the tab vary with the method you select.
Layer 3 Subinterface > IPv4, Type = Static
Click Add and enter a static IP address and network mask for the subinterface, with the mask given as a prefix length (for example, 192.0.2.1/24).
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your system uses determines the maximum number of IP addresses.
Delete an IP address when you no longer need it.
Layer 3 Subinterface > IPv4, Type = DHCP
Select to activate the DHCP client on the interface.
Automatically create default route pointing to default gateway provided by server
Select to automatically create a default route that points to the default gateway that the DHCP server provides.
Default Route Metric
(Optional) Enter a route metric (priority) for the default route that the DHCP client installs; the firewall uses it for path selection when several routes match (range is 1-65,535; there is no default). A lower value means a higher priority.
Show DHCP Client Runtime Info
Select Show DHCP Client Runtime Info to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
Enable IPv6 on the interface
Select to enable IPv6 addressing on this interface.
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address.
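An added example, not code from the page or from Palo Alto Networks, showing how the two identifiers mentioned above are derived: the plain EUI-64 (the MAC split in half with FF:FE inserted, which is the form the page's example 00:26:08:FF:FE:DE:4E:29 takes for the MAC 00:26:08:DE:4E:29) and the RFC 4291 modified EUI-64 a host actually uses as the interface identifier, where the universal/local bit of the first octet is inverted. The /64 prefix is a documentation prefix assumed for the example.

```python
import ipaddress


def eui64_from_mac(mac: str) -> str:
    """Plain EUI-64 as shown in the Interface ID field: the 48-bit MAC split in half with FF:FE inserted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return ":".join(f"{b:02X}" for b in octets[:3] + b"\xff\xfe" + octets[3:])


def modified_eui64(eui64: str) -> bytes:
    """RFC 4291 modified EUI-64 interface identifier: the universal/local bit (0x02 of the first octet) is inverted."""
    ident = bytearray.fromhex(eui64.replace(":", ""))
    if len(ident) != 8:
        raise ValueError("expected a 64-bit identifier")
    ident[0] ^= 0x02
    return bytes(ident)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a /64 RA prefix and its MAC when the EUI-64 is used as the host portion."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    ident = int.from_bytes(modified_eui64(eui64_from_mac(mac)), "big")
    return ipaddress.IPv6Address(int(net.network_address) | ident)


if __name__ == "__main__":
    mac = "00:26:08:DE:4E:29"                     # MAC behind the page's EUI-64 example
    print(eui64_from_mac(mac))                    # 00:26:08:FF:FE:DE:4E:29
    print(modified_eui64(eui64_from_mac(mac)).hex())
    print(slaac_address("2001:db8::/64", mac))    # 2001:db8::226:8ff:fede:4e29
```

Because the host portion is derived from the hardware address, it is the same under every prefix the interface ever receives and exposes the NIC vendor; that is the trade-off to keep in mind when you rely on the interface ID as the host portion rather than on stable-privacy (RFC 7217) or temporary (RFC 4941) identifiers.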
Click Add and configure the following parameters for each IPv6 address:
Enable Duplicate Address Detection
Layer 3 Subinterface > IPv6 > Address Resolution
Select to enable duplicate address detection (DAD), then configure the other fields in this section.
Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1-10; default is 1).
Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).
NS Interval (neighbor solicitation interval)
Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).
Enable NDP Monitoring
Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP in the Features column to view information about each neighbor the firewall has discovered, such as its IPv6 address, the corresponding MAC address, and the User-ID (on a best-effort basis).
Enable Router Advertisement
Layer 3 Subinterface > IPv6 > Router Advertisement
To provide Neighbor Discovery on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an Address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface.
Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.
Specify the hop limit that clients apply to outgoing packets (range is 1-255; default is 64). Enter 0 to leave the hop limit unspecified in the RA so that clients keep their own default.
Specify the link maximum transmission unit (MTU) to apply to clients. Select unspecified for no link MTU (range is 1,280-9,192; default is unspecified).
Reachable Time (ms)
Specify the reachable time (in milliseconds) that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
Retrans Time (ms)
Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
Select to set the Managed Address Configuration (M) flag in the RA, which tells clients that addresses are available via DHCPv6.
Select to set the Other Configuration (O) flag in the RA, which tells clients that other information (for example, DNS-related settings) is available via DHCPv6.
Layer 3 Subinterface > IPv6 > Router Advertisement (continued)
Select if you want the firewall to verify that RAs sent by other routers on the link advertise the same parameters as the firewall. The firewall logs any inconsistency in a System log entry of type ipv6nd; reviewing these entries helps you catch a misconfigured or rogue router advertising conflicting settings on the segment.
Include DNS information in Router Advertisement
Layer 3 Subinterface > IPv6 > DNS Support
Select for the firewall to send DNS information in NDP router advertisements from this IPv6 Ethernet subinterface. The other DNS Support fields in this table are visible only after you select this option.
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. A recursive DNS server resolves a name on the client's behalf, querying root, top-level-domain and authoritative servers as needed, and returns the resulting IP address to the DNS client.
You can configure a maximum of eight RDNS Servers that the firewall sends—in order listed from top to bottom—in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use an RDNS server to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
Add one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client appends (one at a time) to an unqualified domain name before sending a DNS query, so that the query carries a fully qualified domain name. For example, if a DNS client tries to resolve the name "quality" without a suffix, it appends a period and the first DNS suffix from the DNS search list and transmits the query. If the first DNS suffix on the list is "company.com", the resulting DNS query is for the fully qualified domain name "quality.company.com".
If that query fails, the client appends the second DNS suffix from the list to the unqualified name and transmits a new query. The client works through the suffixes until a lookup succeeds (the remaining suffixes are ignored) or until it has tried every suffix on the list.
Configure the firewall with the suffixes that you want to provide to DNS clients in a Neighbor Discovery DNSSL option; a client that receives the DNSSL option uses those suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list option that the firewall sends—in order listed from top to bottom— in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order of the suffixes or Delete a suffix when you no longer need it.
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).
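To show what the RDNS Servers, Lifetime and DNS Search List settings above turn into on the wire, here is an added example (not code from the page or from Palo Alto Networks) that encodes the RFC 8106 RDNSS (type 25) and DNSSL (type 31) Router Advertisement options, enforces the eight-entry limit and the Lifetime range of Max Interval to twice Max Interval, and parses the result back the way a receiving host would. The resolver addresses, suffixes and intervals are constructed for the example.

```python
import ipaddress
import struct
from typing import List, Tuple

RDNSS_TYPE = 25     # RFC 8106 Recursive DNS Server option
DNSSL_TYPE = 31     # RFC 8106 DNS Search List option
MAX_ENTRIES = 8     # the firewall sends at most eight servers / eight suffixes


def check_lifetime(lifetime: int, max_interval: int) -> int:
    """Enforce the Lifetime range the firewall accepts: Max Interval to twice Max Interval."""
    if not max_interval <= lifetime <= 2 * max_interval:
        raise ValueError(f"lifetime {lifetime} outside {max_interval}-{2 * max_interval}")
    return lifetime


def rdnss_option(servers: List[str], lifetime: int, max_interval: int) -> bytes:
    """Encode an RDNSS option: type, length (8-byte units), reserved, lifetime, then the addresses in order."""
    if not 1 <= len(servers) <= MAX_ENTRIES:
        raise ValueError("RDNSS needs 1 to 8 servers")
    addrs = b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    header = struct.pack("!BBHI", RDNSS_TYPE, (8 + len(addrs)) // 8, 0,
                         check_lifetime(lifetime, max_interval))
    return header + addrs


def encode_name(suffix: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    if len(suffix) > 255:
        raise ValueError("suffix longer than 255 bytes")
    out = b""
    for label in suffix.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnssl_option(suffixes: List[str], lifetime: int, max_interval: int) -> bytes:
    """Encode a DNSSL option; the names are zero-padded up to a multiple of 8 bytes."""
    if not 1 <= len(suffixes) <= MAX_ENTRIES:
        raise ValueError("DNSSL needs 1 to 8 suffixes")
    names = b"".join(encode_name(s) for s in suffixes)
    names += b"\x00" * ((-len(names)) % 8)
    header = struct.pack("!BBHI", DNSSL_TYPE, (8 + len(names)) // 8, 0,
                         check_lifetime(lifetime, max_interval))
    return header + names


def parse_dns_options(blob: bytes) -> List[Tuple[int, int, List[str]]]:
    """Decode the RA options as a host sees them: (type, lifetime, entries) in wire order."""
    result = []
    i = 0
    while i + 8 <= len(blob):
        opt_type, length, _reserved, lifetime = struct.unpack("!BBHI", blob[i:i + 8])
        if length == 0:
            raise ValueError("zero-length option")      # RFC 4861: receiver must discard the packet
        body = blob[i + 8:i + length * 8]
        if opt_type == RDNSS_TYPE:
            entries = [str(ipaddress.IPv6Address(body[j:j + 16])) for j in range(0, len(body), 16)]
        elif opt_type == DNSSL_TYPE:
            entries, j = [], 0
            while j < len(body) and body[j] != 0:       # a zero byte where a label should start is padding
                labels = []
                while body[j] != 0:
                    n = body[j]
                    labels.append(body[j + 1:j + 1 + n].decode("ascii"))
                    j += 1 + n
                j += 1                                  # skip the name terminator
                entries.append(".".join(labels))
        else:
            entries = [body.hex()]
        result.append((opt_type, lifetime, entries))
        i += length * 8
    return result


# Constructed sample: Max Interval 600 s, Lifetime 1,200 s, two resolvers and two search suffixes.
MAX_INTERVAL = 600
SAMPLE_OPTIONS = (rdnss_option(["2001:db8::53", "2001:db8::54"], 1200, MAX_INTERVAL)
                  + dnssl_option(["corp.example", "example"], 1200, MAX_INTERVAL))

if __name__ == "__main__":
    for opt_type, lifetime, entries in parse_dns_options(SAMPLE_OPTIONS):
        print(opt_type, lifetime, entries)
```

The parser preserves the top-to-bottom order of the servers and suffixes, which is why the order you set with Move Up and Move Down matters: a client tries the first RDNS server and the first suffix first. Any RA that carries these options comes from whatever router is on the link, so the Consistency Check setting above and the ipv6nd System log entries are what tell you when another device is handing out a different resolver list.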