Configure Layer 3 Interfaces

The following procedure is required to configure Layer 3 Interfaces (Ethernet, VLAN, loopback, and tunnel interfaces) with IPv4 or IPv6 addresses so that the firewall can perform routing on these interfaces. If a tunnel is used for routing or if tunnel monitoring is turned on, the tunnel needs an IP address. Before performing the following task, define one or more Virtual Routers.
You would typically use the following procedure to configure an external interface that connects to the internet and an interface for your internal network. You can configure both IPv4 and IPv6 addresses on a single interface.
PAN-OS firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.
If you’re using IPv6 routes, you can configure the firewall to provide IPv6 Router Advertisements for DNS Configuration. The firewall provisions IPv6 DNS clients with Recursive DNS Server (RDNS) addresses and a DNS Search List so that the client can resolve its IPv6 DNS requests. Thus the firewall is acting like a DHCPv6 server for you.
  1. Select an interface and configure it with a security zone.
    1. Select NetworkInterfaces and either Ethernet, VLAN, loopback, or Tunnel, depending on what type of interface you want.
    2. Select the interface to configure.
    3. Select the Interface TypeLayer3.
    4. On the Config tab, for Virtual Router, select the virtual router you are configuring, such as default.
    5. For Virtual System, select the virtual system you are configuring if on a multi-virtual system firewall.
    6. For Security Zone, select the zone to which the interface belongs or create a New Zone.
    7. Click OK.
  2. Configure an interface with an IPv4 address.
    There are three ways to assign an IPv4 address to a Layer 3 interface:
    • Static
    • DHCP Client—The firewall interface acts as a DHCP client and receives a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from an Internet service provider to client machines operating on the network protected by the firewall.
    • PPPoE—Configure the interface as a Point-to-Point Protocol over Ethernet (PPPoE) termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.
    1. Select NetworkInterfaces and either Ethernet, VLAN, loopback, or Tunnel, depending on what type of interface you want.
    2. Select the interface to configure.
    3. To configure the interface with a static IPv4 address, on the IPv4 tab, set Type to Static.
    4. Add a Name and optional Description for the address.
    5. For Type, select one of the following:
      • IP Netmask—Enter the IP address and network mask to assign to the interface, for example, 208.80.56.100/24.
        If you’re using a /31 subnet mask for the Layer 3 interface address, the interface must be configured with the .1/31 address in order for utilities such as ping to work properly.
      • IP Range—Enter an IP address range, such as 192.168.2.1-192.168.2.4.
      • FQDN—Enter a Fully Qualified Domain Name.
    6. Select Tags to apply to the address.
    7. Click OK.
  3. Configure an interface with Point-to-Point Protocol over Ethernet (PPPoE). See Layer 3 Interfaces.
    PPPoE is not supported in HA active/active mode.
    1. Select NetworkInterfaces and either Ethernet, VLAN, loopback, or Tunnel.
    2. Select the interface to configure.
    3. On the IPv4 tab, set Type to PPPoE.
    4. On the General tab, select Enable to activate the interface for PPPoE termination.
    5. Enter the Username for the point-to-point connection.
    6. Enter the Password for the username and Confirm Password.
    7. Click OK.
  4. Configure an interface as a DHCP Client so that it receives a dynamically-assigned IPv4 address.
    DHCP client is not supported in HA active/active mode.
    1. Select NetworkInterfaces and either Ethernet, VLAN, loopback, or Tunnel.
    2. Select the interface to configure.
    3. On the IPv4 tab, set Type to DHCP Client.
    4. Select Enable to activate the DHCP client on the interface.
    5. Select Automatically create default route pointing to default gateway provided by server to automatically create a default route that points to the default gateway that the DHCP server provides.
    6. (Optional) Enter a Default Route Metric (priority level) for the default route, which the firewall uses for path selection (range is 1-65,535; no default). The lower the value, the higher the priority level.
    7. Click OK.
  5. Configure an interface with a static IPv6 address.
    1. Select NetworkInterfaces and either Ethernet, VLAN, loopback, or Tunnel.
    2. Select the interface to configure.
    3. On the IPv6 tab, select Enable IPv6 on the interface to enable IPv6 addressing on the interface.
    4. For Interface ID, enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the Interface ID as the host portion of that address.
    5. Add the IPv6 Address or select an address group.
    6. Select Enable address on interface to enable this IPv6 address on the interface.
    7. Select Use interface ID as host portion to use the Interface ID as the host portion of the IPv6 address.
    8. (Optional) Select Anycast to make the IPv6 address (route) an Anycast address (route), which means multiple locations can advertise the same prefix, and IPv6 sends the anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors.
    9. (Ethernet interface only) Select Send Router Advertisement (RA) to enable the firewall to send this address in Router Advertisements, in which case you must also enable the global Enable Router Advertisement option on the interface (next step).
    10. (Ethernet interface only) Enter the Valid Lifetime (sec), in seconds, that the firewall considers the address valid. The Valid Lifetime must equal or exceed the Preferred Lifetime (sec) (default is 2,592,000).
    11. (Ethernet interface only) Enter the Preferred Lifetime (sec) (in seconds) that the valid address is preferred, which means the firewall can use it to send and received traffic. After the Preferred Lifetime expires, the firewall can’t use the address to establish new connections, but any existing connections are valid until the Valid Lifetime expires (default is 604,800).
    12. (Ethernet interface only) Select On-link if systems that have addresses within the prefix are reachable without a router.
    13. (Ethernet interface only) Select Autonomous if systems can independently create an IP address by combining the advertised prefix with an Interface ID.
    14. Click OK.
  6. (Ethernet or VLAN interface using IPv6 address only) Enable the firewall to send IPv6 Router Advertisements (RAs) from an interface, and optionally tune RA parameters.
    Tune RA parameters for either of these reasons: To interoperate with a router/host that uses different values. To achieve fast convergence when multiple gateways are present. For example, set lower Min Interval, Max Interval, and Router Lifetime values so the IPv6 client/host can quickly change the default gateway after the primary gateway fails, and start forwarding to another default gateway in the network.
    1. Select NetworkInterfaces and Ethernet or VLAN.
    2. Select the interface you want to configure.
    3. Select IPv6.
    4. Select Enable IPv6 on the interface.
    5. On the Router Advertisement tab, select Enable Router Advertisement (default is disabled).
    6. (Optional) Set Min Interval (sec), the minimum interval, in seconds, between RAs the firewall sends (range is 3-1,350; default is 200). The firewall sends RAs at random intervals between the minimum and maximum values you set.
    7. (Optional) Set Max Interval (sec), the maximum interval, in seconds, between RAs the firewall sends (range is 4-1,800; default is 600). The firewall sends RAs at random intervals between the minimum and maximum values you set.
    8. (Optional) Set Hop Limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
    9. (Optional) Set Link MTU, the link maximum transmission unit (MTU) to apply to clients (range is 1,280-9,192; default is unspecified). Select unspecified for no link MTU.
    10. (Optional) Set Reachable Time (ms), the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a Reachability Confirmation message. Select unspecified for no reachable time value (range is 0-3,600,000; default is unspecified).
    11. (Optional) Set Retrans Time (ms), the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting Neighbor Solicitation messages. Select unspecified for no retransmission time (range is 0-4,294,967,295; default is unspecified).
    12. (Optional) Set Router Lifetime (sec) to specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
    13. Set Router Preference, which the client uses to select a preferred router if the network segment has multiple IPv6 routers. High, Medium (default), or Low is the priority that the RA advertises indicating the relative priority of firewall virtual router relative to other routers on the segment.
    14. Select Managed Configuration to indicate to the client that addresses are available via DHCPv6.
    15. Select Other Configuration to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6.
    16. Select Consistency Check to have the firewall verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies.
    17. Click OK.
  7. (Ethernet or VLAN interface using IPv6 address only) Specify the Recursive DNS Server addresses and DNS Search List the firewall will advertise in ND Router Advertisements from this interface.
    The RDNS servers and DNS Search List are part of the DNS configuration for the DNS client so that the client can resolve IPv6 DNS requests.
    1. Select NetworkInterfaces and Ethernet or VLAN.
    2. Select the interface you are configuring.
    3. Select IPv6DNS Support.
    4. Include DNS information in Router Advertisement to enable the firewall to send IPv6 DNS information.
    5. For DNS Server, Add the IPv6 address of a Recursive DNS Server. Add up to eight Recursive DNS servers. The firewall sends server addresses in an ICMPv6 Router Advertisement in order from top to bottom.
    6. Specify the Lifetime in seconds, which is the maximum length of time the client can use the specific RDNS Server to resolve domain names.
      • The Lifetime range is any value equal to or between the Max Interval (that you configured on the Router Advertisement tab) and two times that Max Interval. For example, if your Max Interval is 600 seconds, the Lifetime range is 600-1,200 seconds.
      • The default Lifetime is 1,200 seconds.
    7. For DNS Suffix, Add a DNS Suffix (domain name of a maximum of 255 bytes). Add up to eight DNS suffixes. The firewall sends suffixes in an ICMPv6 Router Advertisement in order from top to bottom.
    8. Specify the Lifetime in seconds, which is the maximum length of time the client can use the suffix. The Lifetime has the same range and default value as the Server.
    9. Click OK.
  8. (Ethernet or VLAN interface) Specify static ARP entries. Static ARP entries reduce ARP processing.
    1. Select NetworkInterfaces and Ethernet or VLAN.
    2. Select the interface you are configuring.
    3. Select AdvancedARP Entries.
    4. Add an IP Address and its corresponding MAC Address (hardware or media access control address). For a VLAN interface, you must also select the Interface.
      Static ARP entries do not time out. Auto learned ARP entries in the cache time out in 1,800 seconds by default; you can customize the ARP cache timeout; see Configure Session Timeouts.
    5. Click OK.
  9. (Ethernet or VLAN interface) Specify static Neighbor Discovery Protocol (NDP) entries. NDP for IPv6 performs functions similar to those provided by ARP for IPv4.
    1. Select NetworkInterfaces and Ethernet or VLAN.
    2. Select the interface you are configuring.
    3. Select AdvancedND Entries.
    4. Add an IPv6 Address and its corresponding MAC Address.
    5. Click OK.
  10. (Optional) Enable services on the interface.
    1. To enable services on the interface, select NetworkInterfaces and Ethernet or VLAN.
    2. Select the interface you are configuring.
    3. Select AdvancedOther Info.
    4. Expand the Management Profile drop-down, and select a profile or New Management Profile.
    5. Enter a Name for the profile.
    6. For Permitted Services, select services, such as Ping, and click OK.
  11. Commit your changes.
  12. Cable the interface.
    Attach straight through cables from interfaces you configured to the corresponding switch or router on each network segment.
  13. Verify that the interface is active.
    From the web interface, select NetworkInterfaces and verify that icon in the Link State column is green. You can also monitor link state from the Interfaces widget on the Dashboard.
  14. Configure static routes and/or a dynamic routing protocol (RIP, OSPF, or BGP) so that the virtual router can route traffic.
  15. Configure a default route.
    Configure a Static Route and set it as the default.

Related Documentation