PCNSA – 2.6

Identify and configure firewall interfaces.

Palo Alto Networks PCNSA Study Guide v10

Special Interfaces

  • Decrypt Mirror: Allows traffic that has been decrypted to be sent to other tools for analysis. This is not available on VM-Series firewalls.
  • Log card: On the PA-7000 series firewalls a log card data is used for forwarding syslog, email, SNMP and WildFire file forwarding. One data port on a PA-7000 MUST be configured as a log card interface as the MGT interface cannot handle the load.
  • Aggregate (Etherchannel): Used to bundle physical interfaces using LACP. Not supported by VM-Series. PA-3200, 5200, and most 7000 series support 16, other models support 8. The PA7000 with PA-7000-100G-NPC-A and SMC-B can support 32, but only the first 16 can do QoS. All other models support QoS only on the first 8.
  • HA interface: Used for High Availability services. One is for configuration synchronization, the other is for state. If in an active/active pair a third HA interface is used for packet forwarding.
  • Management (MGT): Management of the control plane.
  • Loopback: Virtual L3 interfaces used for network engineering and as destinations for sinkholes, GlobalProtect and routing protocols.
  • Tunnel: Logical interface used with VPNs to deliver the encrypted traffic. It must be assigned to a zone and to a virtual router. An IP is only required for tunnel monitoring or dynamic routing.
  • SD-WAN: Specifies a physical SD-WAN capable interface that goes to the same hub or to the internet. Details about this type are out of scope for PCNSA.

Traffic Interfaces

  • Tap: Monitors traffic sent to it by a switch SPAN port. Tap interfaces are analyzed for App-ID, User-ID, Content-ID just like any normal traffic offering visibility without interruption. Tap interfaces MUST be assigned to a Tap Zone.
  • Virtual Wire: Used to pass traffic by binding two Ethernet interfaces. They are often used to pass traffic between an existing firewall and the secured network before migration.
    • No IP or MAC addresses are assigned to the virtual wire. No routing or switching.
    • Two virtual wire interfaces each in a virtual wire zone and a virtual wire object are required for the configuration.
    • Subinterfaces can separate traffic into different zones based on VLAN tags or IP classifiers
  • Layer 2: L2 Interfaces are used to switch traffic between other L2 interfaces. Must be assigned to a VLAN object. These interfaces do NOT participate in spanning tree other than forwarding BPDUs. Like with virtual wires subinterfaces can be configured.
  • Layer 3: L3 Interfaces allow routing traffic between interfaces. A virtual router object must exist for routing between interfaces. L3 interfaces must have IPs assigned. L3 Interfaces can have settings like MTU, ARP, LLDP and IPv6 NDP set under the advanced tab for the interface. Management of a firewall can occur over a L3 interface with an appropriate Interface Management Profile. They can have one or more IPv4/v6 addresses and can use DHCP. L3 subinterfaces can also be created.