In the previous installments of Getting Started, we covered how to set up the firewall from scratch. In this next series, we'll be covering more advanced configuration features that will help you fine tune your firewall to better suit your environment. This week, we'll take a look at Layer 2 interfaces and how the firewall can be set up to provide bridging between VLANs while enforcing security policies and providing threat prevention to keep your network secure.
We already covered VLAN tags as Layer 3 subinterfaces in Getting Started — Layer 3 Subinterfaces, but PAN-OS also enables you to create true Layer 2 interfaces that act the same way a switch would.
We'll start with a simple example where we have two Layer 2 interfaces in the same zone and the same VLAN. This scenario could be practical if, for example, you have both servers and clients on the same IP subnet and want to allow sessions to be formed, but need to control which applications are used, and/or need to provide threat prevention without changing the IP subnet.
On the switch, you could set each set of machines into a separate VLAN, for example, servers in VLAN 20 and clients in VLAN 30, and have the firewall serve as a bridge between these VLANS:
After setting the interface to Layer2, set the VLAN to the newly created VLAN object, but notice that the security zone does not show any option. This is because we have not yet created any Layer 2 Security Zones.
Any Security Zone configured on the firewall is also attached to a specific network type, like Layer 3, VWire, or Layer 2. In the VLAN configuration in Step 1, we added the VLAN.100 interface to the default router and Layer 3 Trust Security Zone. This is to allow traffic to pass from Layer 2 to Layer 3. We'll take a look at that after we've completed this phase of the Layer 2 introduction.
Click the new Zone link to create a new zone named L2-Trust:
Next, navigate to the Source tab, click Add, and set the source zone to L2-Trust.
Because this is an intrazone Security Policy, the destination zone selection has been made inaccessible and is dependent on the source configuration.
Set the applications to what is appropriate between the segments. These are solely the applications you want to allow between the internal hosts. This does not apply to any connections going to or coming from other networks.
Lastly, set security profiles so any sessions between your internal hosts are also inspected for vulnerabilities, exploits, viruses, and so on.
Your security policy should now look similar to this:
This configuration will ensure your hosts all remain on the same IP subnet, but can be segregated depending on their role.
More interfaces can be added to provide even more segments or tagged subinterfaces can be added in a similar fashion as described in Getting Started: Layer 3 — Subinterfaces.
As the next step, you may want to enable internet access for the hosts in your network, so you will need to enable some Layer 3 functionality in the Layer2 config. You may have noticed some Layer 3-looking configuration in the VLAN configuration earlier, and this is where we will need to enable the functionality.
The VLAN interface now functions as a Layer 3 interface towards the outside world. Any sessions originating from your internal hosts to the outside world will be handled by the firewall as coming from the Layer 3 Trust zone going to the Layer 3 Untrust zone.
Please be aware you may need some additional configuration to allow for outbound connections, including the default route in your virtual router, NAT configuration so the internal IP subnet is translated to the public IP address of the firewall and maybe a DHCP server to automatically assign IP addresses to workstations joining your network. Please take a look at Getting Started — Layer 3, NAT, and DHCP where we cover these configuration steps in more detail.
The NAT policy required to reach the internet:
The Virtual Router configuration:
For more details on Layer 2 interfaces, please take a look at the Tech note on Layer 2 Networking .