>
    Configure a Bypass Pair
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN Administrator’s Guide
    4. Prisma SD-WAN Sites and Devices
    5. Prisma SD-WAN Ports and Interfaces
    6. Bypass Pair
    7. Configure a Bypass Pair
    Download PDF
    Prisma SD-WAN

    Configure a Bypass Pair

    Table of Contents

    Configure a Bypass Pair

    A Bypass Pair is a pair of ports where one port is connected to a LAN network while the second port is connected to a WAN network in Prisma SD-WAN.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN
    • Prisma SD-WAN license
    1. Select WorkflowsDevicesClaimed Devices, select the device you want to configure.
    2. On the device's interface configuration page, select the Interfaces+ Add Interface to add any interface.
    3. In the General section,
      1. Enter a Name and (Optional) Description, and add Tags for the port channel interface.
      2. For Admin Up, select Up or Down. Make them Admin Up by selecting Up individually before creating a bypass pair.
        When you create a bypass pair, both the ports need to admin up. When you bring down the bypass pair, both ports will not be set to down; you must bring down the ports individually. After that, you have to bring up the ports individually too. For security reasons, bringing up the individual port of the bypass pair is necessary. If you do so, the respective ports of the bypass pair will remain down and may impact the software upgrade process.
    4. In the Network Setting section,
      1. Select Bypass Pair as the Interface Type.
      2. For Use These Ports For, select either Internet, or Private WAN, LAN, or Private L2.
        The LAN option is used for configuring the branch ION device in a cluster for high availability.
      3. Choose DHCP for the IPv4 Configuration field.
        If DHCP Relay functions are required, change Add DHCP Relay from No to Yes.
        If Configuration selected is Static, enter an IP address and mask for the interface. Enter a Default Gateway for the interface. Wherever applicable, enter DNS servers. Up to three DNS servers may be configured.
        Configuration will not be applicable for Private Layer 2.
      4. Select Enable IPv6 On This Interface to configure IPv6.
      5. For IPv6 Configuration, select AutoConf or Static.
        Autoconf indicates the Global IP address is derived using stateless address autoconfiguration (SLAAC).
        Choose Static if the IP address is fixed and is manually assigned. Additionally specify the IPv6 Address/Mask, Default Gateway (IPv6), and DNS server(s)(IPv6).
      6. For Propagate LAN State?, leave the default as No or select Yes to propagate the link state of a LAN port to its corresponding WAN port.
      7. For Pair With, choose a pairing port to create a bypass pair and then click Done.
        Set one port as WAN and the second as LAN on the Couple Ports to create a Bypass Pair pop-up.
      8. (Optional) Choose a Circuit Label.
      9. Toggle Scope as Global or Local for Internet and Private WAN.
    5. (optional)For Attached Networks, add the VLAN Network details.
      1. Click Add VLAN.
      2. On the New VLAN Entry pop-up, enter a VLAN, Tags, LAN Network IP Address At Router , IPv6 Address At Router Scope, and Network Context.
      3. Click Create.
    6. Save Bypass Pair.
      You can also create a sub-interface on a bypass pair. If the bypass pair is used for Internet or Private WAN, then the parent interface will be the WAN port. If the bypass pair is used for LAN, then the parent interface will be the LAN port. Each sub-interface should be configured with its own VLAN, IP and subnet.

    © 2025 Palo Alto Networks, Inc. All rights reserved.