Configure Layer 3 Interfaces

The following procedure is required to configure Layer 3 Interfaces (Ethernet, VLAN, loopback, and tunnel interfaces) with IPv4 or IPv6 addresses so that the firewall can perform routing on these interfaces. If a tunnel is used for routing or if tunnel monitoring is turned on, the tunnel needs an IP address. Before performing the following task, define one or more Virtual Routers.
You would typically use the following procedure to configure an external interface that connects to the internet and an interface for your internal network. You can configure both IPv4 and IPv6 addresses on a single interface.
PAN-OS firewall models support a maximum of 16,000 IP addresses assigned to physical or virtual Layer 3 interfaces; this maximum includes both IPv4 and IPv6 addresses.
If you’re using IPv6 routes, you can configure the firewall to provide IPv6 Router Advertisements for DNS Configuration. The firewall provisions IPv6 DNS clients with Recursive DNS Server (RDNS) addresses and a DNS Search List so that the client can resolve its IPv6 DNS requests. Thus the firewall is acting like a DHCPv6 server for you.
  1. Select an interface and configure it with a security zone.
    1. Select
      Network
      Interfaces
      and either
      Ethernet
      ,
      VLAN
      ,
      loopback
      , or
      Tunnel
      , depending on what type of interface you want.
    2. Select the interface to configure.
    3. Select the
      Interface Type
      Layer3
      .
    4. On the
      Config
      tab, for
      Virtual Router
      , select the virtual router you are configuring, such as
      default
      .
    5. For
      Virtual System
      , select the virtual system you are configuring if on a multi-virtual system firewall.
    6. For
      Security Zone
      , select the zone to which the interface belongs or create a
      New Zone
      .
    7. Click
      OK
      .
  2. Configure an interface with an IPv4 address.
    There are three ways to assign an IPv4 address to a Layer 3 interface:
    • Static
    • DHCP Client—The firewall interface acts as a DHCP client and receives a dynamically assigned IP address. The firewall also provides the capability to propagate settings received by the DHCP client interface into a DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from an Internet service provider to client machines operating on the network protected by the firewall.
    • PPPoE—Configure the interface as a Point-to-Point Protocol over Ethernet (PPPoE) termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.
    1. Select
      Network
      Interfaces
      and either
      Ethernet
      ,
      VLAN
      ,
      loopback
      , or
      Tunnel
      , depending on what type of interface you want.
    2. Select the interface to configure.
    3. To configure the interface with a static IPv4 address, on the
      IPv4
      tab, set
      Type
      to
      Static
      .
    4. Add
      a
      Name
      and optional
      Description
      for the address.
    5. For
      Type
      , select one of the following:
      • IP Netmask
        —Enter the IP address and network mask to assign to the interface, for example, 208.80.56.100/24.
        If you’re using a /31 subnet mask for the Layer 3 interface address, the interface must be configured with the .1/31 address in order for utilities such as ping to work properly.
      • IP Range
        —Enter an IP address range, such as 192.168.2.1-192.168.2.4.
      • FQDN
        —Enter a Fully Qualified Domain Name.
    6. Select
      Tags
      to apply to the address.
    7. Click
      OK
      .
  3. Configure an interface with Point-to-Point Protocol over Ethernet (PPPoE). See Layer 3 Interfaces.
    PPPoE is not supported in HA active/active mode.
    1. Select
      Network
      Interfaces
      and either
      Ethernet
      ,
      VLAN
      ,
      loopback
      , or
      Tunnel
      .
    2. Select the interface to configure.
    3. On the
      IPv4
      tab, set
      Type
      to
      PPPoE
      .
    4. On the
      General
      tab, select
      Enable
      to activate the interface for PPPoE termination.
    5. Enter the
      Username
      for the point-to-point connection.
    6. Enter the
      Password
      for the username and
      Confirm Password
      .
    7. Click
      OK
      .
  4. Configure an interface as a DHCP Client so that it receives a dynamically-assigned IPv4 address.
    DHCP client is not supported in HA active/active mode.
    1. Select
      Network
      Interfaces
      and either
      Ethernet
      ,
      VLAN
      ,
      loopback
      , or
      Tunnel
      .
    2. Select the interface to configure.
    3. On the
      IPv4
      tab, set
      Type
      to
      DHCP Client
      .
    4. Select
      Enable
      to activate the DHCP client on the interface.
    5. Select
      Automatically create default route pointing to default gateway provided by server
      to automatically create a default route that points to the default gateway that the DHCP server provides.
    6. (
      Optional
      ) Enter a
      Default Route Metric
      (priority level) for the default route, which the firewall uses for path selection (range is 1-65,535; no default). The lower the value, the higher the priority level.
    7. Click
      OK
      .
  5. Configure an interface with a static IPv6 address.
    1. Select
      Network
      Interfaces
      and either
      Ethernet
      ,
      VLAN
      ,
      loopback
      , or
      Tunnel
      .
    2. Select the interface to configure.
    3. On the
      IPv6
      tab, select
      Enable IPv6 on the interface
      to enable IPv6 addressing on the interface.
    4. For
      Interface ID
      , enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the
      Use interface ID as host portion
      option when adding an address, the firewall uses the Interface ID as the host portion of that address.
    5. Add
      the IPv6
      Address
      or select an address group.
    6. Select
      Enable address on interface
      to enable this IPv6 address on the interface.
    7. Select
      Use interface ID as host portion
      to use the Interface ID as the host portion of the IPv6 address.
    8. (
      Optional
      ) Select
      Anycast
      to make the IPv6 address (route) an Anycast address (route), which means multiple locations can advertise the same prefix, and IPv6 sends the anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors.
    9. (
      Ethernet interface only
      ) Select
      Send Router Advertisement
      (RA) to enable the firewall to send this address in Router Advertisements, in which case you must also enable the global
      Enable Router Advertisement
      option on the interface (next step).
    10. (
      Ethernet interface only
      ) Enter the
      Valid Lifetime (sec)
      , in seconds, that the firewall considers the address valid. The Valid Lifetime must equal or exceed the
      Preferred Lifetime (sec)
      (default is 2,592,000).
    11. (
      Ethernet interface only
      ) Enter the
      Preferred Lifetime (sec)
      (in seconds) that the valid address is preferred, which means the firewall can use it to send and received traffic. After the Preferred Lifetime expires, the firewall can’t use the address to establish new connections, but any existing connections are valid until the
      Valid Lifetime
      expires (default is 604,800).
    12. (
      Ethernet interface only
      ) Select
      On-link
      if systems that have addresses within the prefix are reachable without a router.
    13. (
      Ethernet interface only
      ) Select
      Autonomous
      if systems can independently create an IP address by combining the advertised prefix with an Interface ID.
    14. Click
      OK
      .
  6. (
    Ethernet or VLAN interface using IPv6 address only
    ) Enable the firewall to send IPv6 Router Advertisements (RAs) from an interface, and optionally tune RA parameters.
    Tune RA parameters for either of these reasons: To interoperate with a router/host that uses different values. To achieve fast convergence when multiple gateways are present. For example, set lower
    Min Interval
    ,
    Max Interval
    , and
    Router Lifetime
    values so the IPv6 client/host can quickly change the default gateway after the primary gateway fails, and start forwarding to another default gateway in the network.
    1. Select
      Network
      Interfaces
      and
      Ethernet
      or
      VLAN
      .
    2. Select the interface you want to configure.
    3. Select
      IPv6
      .
    4. Select
      Enable IPv6 on the interface
      .
    5. On the
      Router Advertisement
      tab, select
      Enable Router Advertisement
      (default is disabled).
    6. (
      Optional
      ) Set
      Min Interval (sec)
      , the minimum interval, in seconds, between RAs the firewall sends (range is 3-1,350; default is 200). The firewall sends RAs at random intervals between the minimum and maximum values you set.
    7. (
      Optional
      ) Set
      Max Interval (sec)
      , the maximum interval, in seconds, between RAs the firewall sends (range is 4-1,800; default is 600). The firewall sends RAs at random intervals between the minimum and maximum values you set.
    8. (
      Optional
      ) Set
      Hop Limit
      to apply to clients for outgoing packets (range is 1-255; default is 64). Enter 0 for no hop limit.
    9. (
      Optional
      ) Set
      Link MTU
      , the link maximum transmission unit (MTU) to apply to clients (range is 1,280-9,192; default is
      unspecified
      ). Select
      unspecified
      for no link MTU.
    10. (
      Optional
      ) Set
      Reachable Time (ms)
      , the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a Reachability Confirmation message. Select
      unspecified
      for no reachable time value (range is 0-3,600,000; default is
      unspecified
      ).
    11. (
      Optional
      ) Set
      Retrans Time (ms)
      , the retransmission timer that determines how long the client will wait, in milliseconds, before retransmitting Neighbor Solicitation messages. Select
      unspecified
      for no retransmission time (range is 0-4,294,967,295; default is
      unspecified
      ).
    12. (
      Optional
      ) Set
      Router Lifetime (sec)
      to specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
    13. Set
      Router Preference
      , which the client uses to select a preferred router if the network segment has multiple IPv6 routers.
      High
      ,
      Medium
      (default), or
      Low
      is the priority that the RA advertises indicating the relative priority of firewall virtual router relative to other routers on the segment.
    14. Select
      Managed Configuration
      to indicate to the client that addresses are available via DHCPv6.
    15. Select
      Other Configuration
      to indicate to the client that other address information (such as DNS-related settings) is available via DHCPv6.
    16. Select
      Consistency Check
      to have the firewall verify that RAs sent from other routers are advertising consistent information on the link. The firewall logs any inconsistencies.
    17. Click
      OK
      .
  7. (
    Ethernet or VLAN interface using IPv6 address only
    ) Specify the Recursive DNS Server addresses and DNS Search List the firewall will advertise in ND Router Advertisements from this interface.
    The RDNS servers and DNS Search List are part of the DNS configuration for the DNS client so that the client can resolve IPv6 DNS requests.
    1. Select
      Network
      Interfaces
      and
      Ethernet
      or
      VLAN
      .
    2. Select the interface you are configuring.
    3. Select
      IPv6
      DNS Support
      .
    4. Include DNS information in Router Advertisement
      to enable the firewall to send IPv6 DNS information.
    5. For DNS
      Server
      ,
      Add
      the IPv6 address of a Recursive DNS Server.
      Add
      up to eight Recursive DNS servers. The firewall sends server addresses in an ICMPv6 Router Advertisement in order from top to bottom.
    6. Specify the
      Lifetime
      in seconds, which is the maximum length of time the client can use the specific RDNS Server to resolve domain names.
      • The
        Lifetime
        range is any value equal to or between the
        Max Interval
        (that you configured on the
        Router Advertisement
        tab) and two times that
        Max Interval
        . For example, if your Max Interval is 600 seconds, the Lifetime range is 600-1,200 seconds.
      • The default
        Lifetime
        is 1,200 seconds.
    7. For DNS Suffix,
      Add
      a
      DNS Suffix
      (domain name of a maximum of 255 bytes).
      Add
      up to eight DNS suffixes. The firewall sends suffixes in an ICMPv6 Router Advertisement in order from top to bottom.
    8. Specify the
      Lifetime
      in seconds, which is the maximum length of time the client can use the suffix. The Lifetime has the same range and default value as the
      Server
      .
    9. Click
      OK
      .
  8. (
    Ethernet or VLAN interface
    ) Specify static ARP entries. Static ARP entries reduce ARP processing.
    1. Select
      Network
      Interfaces
      and
      Ethernet
      or
      VLAN
      .
    2. Select the interface you are configuring.
    3. Select
      Advanced
      ARP Entries
      .
    4. Add
      an
      IP Address
      and its corresponding
      MAC Address
      (hardware or media access control address). For a VLAN interface, you must also select the
      Interface
      .
      Static ARP entries do not time out. Auto learned ARP entries in the cache time out in 1,800 seconds by default; you can customize the ARP cache timeout; see Configure Session Timeouts.
    5. Click
      OK
      .
  9. (
    Ethernet or VLAN interface
    ) Specify static Neighbor Discovery Protocol (NDP) entries. NDP for IPv6 performs functions similar to those provided by ARP for IPv4.
    1. Select
      Network
      Interfaces
      and
      Ethernet
      or
      VLAN
      .
    2. Select the interface you are configuring.
    3. Select
      Advanced
      ND Entries
      .
    4. Add
      an
      IPv6 Address
      and its corresponding
      MAC Address
      .
    5. Click
      OK
      .
  10. (
    Optional
    ) Enable services on the interface.
    1. To enable services on the interface, select
      Network
      Interfaces
      and
      Ethernet
      or
      VLAN
      .
    2. Select the interface you are configuring.
    3. Select
      Advanced
      Other Info
      .
    4. Expand the
      Management Profile
      drop-down, and select a profile or
      New Management Profile
      .
    5. Enter a
      Name
      for the profile.
    6. For
      Permitted Services
      , select services, such as
      Ping
      , and click
      OK
      .
  11. Commit
    your changes.
  12. Cable the interface.
    Attach straight through cables from interfaces you configured to the corresponding switch or router on each network segment.
  13. Verify that the interface is active.
    From the web interface, select
    Network
    Interfaces
    and verify that icon in the Link State column is green. You can also monitor link state from the
    Interfaces
    widget on the
    Dashboard
    .
  14. Configure static routes and/or a dynamic routing protocol (RIP, OSPF, or BGP) so that the virtual router can route traffic.
  15. Configure a default route.
    Configure a Static Route and set it as the default.

Related Documentation