1/17/2019 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRqCAK

GETTING STARTED: LAYER 2 INTERFACES


Created On 09/25/18 18:55 PM - Last Updated 09/25/18 23:11 PM

Resolution
WHAT MORE CAN MY FIREWALL DO? LAYER 2 INTERFACES

In the previous installments of Getting Started, we covered how to set up the firewall from scratch. In this next series, we'll be covering more advanced configuration features that will help you fine tune
your firewall to better suit your environment. This week, we'll take a look at Layer 2 interfaces and how the firewall can be set up to provide bridging between VLANs while enforcing security policies and
providing threat prevention to keep your network secure.

We already covered VLAN tags as Layer 3 subinterfaces in Getting Started — Layer 3 Subinterfaces, but PAN-OS also enables you to create true Layer 2 interfaces that act the same way a switch would.

We'll start with a simple example where we have two Layer 2 interfaces in the same zone and the same VLAN. This scenario could be practical if, for example, you have both servers and clients on the same
IP subnet and want to allow sessions to be formed, but need to control which applications are used, and/or need to provide threat prevention without changing the IP subnet.

On the switch, you could set each set of machines into a separate VLAN, for example, servers in VLAN 20 and clients in VLAN 30, and have the firewall serve as a bridge between these VLANs:

1. First, you'll need to create a VLAN interface to be used by the physical interfaces we will set to Layer 2. Navigate to the Network tab, open Interfaces from the left pane
and open the VLAN tab. There will already be one default VLAN interface present, which you can reuse if you like, but we'll create a new one by clicking the Add button.

You'll assign the interface an ID, add any relevant comment, assign the interface to the default Virtual Router and add it to the Trust zone. Note that the ID is simply
an identification number for the interface and does not influence any 802.1Q tagging.

If you then try to assign a VLAN to the interface, you'll notice there aren't any available yet, so go ahead and click the new VLAN link to start creating a new VLAN
object.

Simply give it a name and click OK for now.


The VLAN interface should look somewhat like this. Go ahead and click OK.

2. From here, we're going to set interface ethernet1/2 to Layer2 and set the proper VLAN configuration. Navigate to the Ethernet tab and open interface ethernet1/2's
properties, then change the Interface Type to Layer2.

After setting the interface to Layer2, set the VLAN to the newly created VLAN object, but notice that the security zone does not show any option. This is because we
have not yet created any Layer 2 Security Zones.

Any Security Zone configured on the firewall is also attached to a specific network type, like Layer 3, VWire, or Layer 2. In the VLAN configuration in Step 1, we added
the vlan.100 interface to the default router and the Layer 3 Trust Security Zone. This is to allow traffic to pass from Layer 2 to Layer 3. We'll take a look at that after we've
completed this phase of the Layer 2 introduction.

Click the new Zone link to create a new zone named L2-Trust:


3. Repeat the above step for interface ethernet1/3.

4. The last stage is to create an intrazone security policy to allow more granular control over applications connecting both segments and to apply security profiles to these
sessions. Open the Policies tab and navigate to Security on the left pane. Click Add to create a new security policy. From the Rule Type dropdown, select 'intrazone' as
the Type.

Next, navigate to the Source tab, click Add, and set the source zone to L2-Trust.

Because this is an intrazone Security Policy, the destination zone selection has been made inaccessible and is dependent on the source configuration.


Set the applications to what is appropriate between the segments. These are solely the applications you want to allow between the internal hosts. This does not apply to
any connections going to or coming from other networks.

Lastly, set security profiles so any sessions between your internal hosts are also inspected for vulnerabilities, exploits, viruses, and so on.

Your security policy should now look similar to this:

Rule1, as seen above, will be used in the next segment, Layer2 Routing.

This configuration will ensure your hosts all remain on the same IP subnet, but can be segregated depending on their role.


More interfaces can be added to provide even more segments or tagged subinterfaces can be added in a similar fashion as described in Getting Started: Layer 3 — Subinterfaces.

Layer 2 Routing

As the next step, you may want to enable internet access for the hosts in your network, so you will need to enable some Layer 3 functionality in the Layer2 config. You may have noticed some Layer 3-looking
configuration in the VLAN configuration earlier, and this is where we will need to enable the functionality.

1. Navigate back to the Network tab.
2. Access Interfaces on the left pane.
3. Open the VLAN tab.
4. Edit the vlan.100 object.
5. Navigate to the IPv4 tab.
6. Click Add.
7. Enter the IP address the hosts on your network will use as the default gateway, with its subnet mask.

The VLAN interface now functions as a Layer 3 interface towards the outside world. Any sessions originating from your internal hosts to the outside world will be handled by the firewall as coming from
the Layer 3 Trust zone going to the Layer 3 Untrust zone.
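The same configuration built through the GUI in Steps 1 through 4 above and in the Layer 2 Routing steps, expressed as PAN-OS CLI set commands. This is an added example, not part of the original article; the VLAN object name VLAN100, the rule name L2-intrazone, the application list, the use of the default security profiles and the gateway address 192.168.100.1/24 are assumptions chosen for illustration, and the Trust zone is assumed to already exist as a Layer 3 zone.

```text
# PAN-OS configure mode: enter with "configure", apply with "commit".
# Assumed values: VLAN object VLAN100, rule L2-intrazone, gateway 192.168.100.1/24.

# Step 1: VLAN interface vlan.100 in the default virtual router and the Layer 3 Trust zone
set network interface vlan units vlan.100 comment "bridge for VLAN 20 servers and VLAN 30 clients"
set network virtual-router default interface vlan.100
set zone Trust network layer3 vlan.100

# Step 1 (cont.): the VLAN object, tied to vlan.100 so Layer 2 hosts can reach Layer 3
set network vlan VLAN100 virtual-interface interface vlan.100

# Steps 2 and 3: ethernet1/2 and ethernet1/3 as Layer 2 ports in that VLAN
set network interface ethernet ethernet1/2 layer2
set network interface ethernet ethernet1/3 layer2
set network vlan VLAN100 interface [ ethernet1/2 ethernet1/3 ]

# Step 2 (cont.): the Layer 2 zone L2-Trust holding both bridged ports
set zone L2-Trust network layer2 [ ethernet1/2 ethernet1/3 ]

# Step 4: intrazone rule limiting which applications may cross between the segments
# and attaching security profiles so bridged sessions are inspected
set rulebase security rules L2-intrazone rule-type intrazone
set rulebase security rules L2-intrazone from L2-Trust to L2-Trust
set rulebase security rules L2-intrazone source any destination any
set rulebase security rules L2-intrazone application [ ssl web-browsing ms-rdp ]
set rulebase security rules L2-intrazone service application-default
set rulebase security rules L2-intrazone action allow
set rulebase security rules L2-intrazone profile-setting profiles virus default
set rulebase security rules L2-intrazone profile-setting profiles spyware default
set rulebase security rules L2-intrazone profile-setting profiles vulnerability default

# Layer 2 Routing: give vlan.100 the address the bridged hosts use as their default gateway
set network interface vlan units vlan.100 ip 192.168.100.1/24
```

The default route, NAT rule and DHCP server that the article defers to Getting Started: Layer 3, NAT, and DHCP are not included here.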


Please be aware you may need some additional configuration to allow for outbound connections, including the default route in your virtual router, NAT configuration so the internal IP subnet is translated
to the public IP address of the firewall and maybe a DHCP server to automatically assign IP addresses to workstations joining your network. Please take a look at Getting Started — Layer 3, NAT, and
DHCP where we cover these configuration steps in more detail.

The NAT policy required to reach the internet:

The Virtual Router configuration:


I hope you enjoyed this article and found it useful. Feel free to post any remarks or questions in the comment section below.

Regards,

Tom

For more details on Layer 2 interfaces, please take a look at the Tech note on Layer 2 Networking.
