Layer 3 Interface
End-of-Life (EoL)
Layer 3 Interface
Configure an Ethernet Layer 3 interface to which you
can route traffic.
- Network > Interfaces > Ethernet
Layer 3 Interface Settings | Description |
---|---|
Interface Name | The read-only Interface Name is the name of the physical interface you selected. |
Comment | Enter a user-friendly description for the interface. |
Interface Type | Select Layer3. |
NetFlow Profile | If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select an existing NetFlow profile or create a new NetFlow Profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface. |
Config Tab | |
Virtual Router | Assign a virtual router to the interface or define a new Virtual Router (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface. |
Virtual System | If the firewall supports multiple virtual systems and that capability is enabled, select an existing virtual system (vsys) for the interface or define a new Virtual System. |
Security Zone | Select an existing security zone for the interface or define a new Zone. Select None to remove the current zone assignment from the interface. |
IPv4 Tab | |
Enable SD-WAN | Select Enable SD-WAN to enable SD-WAN functionality for the Ethernet interface. |
IPv4 Type = Static | |
IP | Add and perform one of the following steps to specify a static IP address and network mask for the interface. You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your firewall uses determines the maximum number of IP addresses. Delete an IP address when you no longer need it. |
Next Hop Gateway | If you did Enable SD-WAN, enter the IPv4 address of the Next Hop gateway. |
IPv4 Type = PPPoE, General Tab | |
Enable | Select Enable to activate the interface for Point-to-Point Protocol over Ethernet (PPPoE) termination. The interface is a PPPoE termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection. |
Username | Enter the username your ISP provided for the point-to-point connection. |
Password and Confirm Password | Enter the password and confirm the password. |
Show PPPoE Client Runtime Info | View information about the PPPoE interface. |
IPv4 Type = PPPoE, Advanced Tab | |
Authentication | Select an authentication method: |
Static Address | Request a desired IPv4 address from the PPPoE server; the PPPoE server may assign that address or another address. |
Automatically create default route pointing to peer | Select this option to automatically create a default route that points to the default gateway that the PPPoE server provides. |
Default Route Metric | Enter the default route metric (priority level) for the PPPoE connection (default is 10). A route with a lower number has higher priority during route selection. For example, the firewall uses a route with a metric of 10 before a route with a metric of 100. |
Access Concentrator | If your ISP provided the name of an Access Concentrator, enter that name. The firewall will connect to this Access Concentrator on the ISP end. This is a string value of 0 to 255 characters. |
Service | The firewall (PPPoE client) can provide the desired service request to the PPPoE server. This is a string value of 0 to 255 characters. |
Passive | The firewall (PPPoE client) waits for the PPPoE server to initiate a connection. If this is not enabled, the firewall initiates a connection. |
IPv4 Tab, Type = DHCP Client | |
Enable | Enable the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address. Firewalls that are in a high availability (HA) active/active configuration don’t support DHCP Client. |
Automatically create default route pointing to default gateway provided by server | Instruct the firewall to create a static route to a default gateway. The default gateway is useful when clients are trying to access many destinations that don’t need to have routes maintained in a routing table on the firewall. |
Send Hostname | Select this option to assign a hostname to the DHCP client interface and send that hostname (Option 12) to a DHCP server, which can register the hostname with the DNS server. The DNS server can then automatically manage hostname-to-dynamic IP address resolutions. External hosts can identify the interface by its hostname. The default value indicates system-hostname, which is the firewall hostname that you set in Device > Setup > Management > General Settings. Alternatively, enter a hostname for the interface, which can be a maximum of 64 characters, including uppercase and lowercase letters, numbers, period, hyphen, and underscore. |
Default Route Metric | Enter a default route metric (priority level) for the route between the firewall and the DHCP server (range is 1 to 65,535; there is no default metric). A route with a lower number has higher priority during route selection. For example, the firewall uses a route with a metric of 10 before a route with a metric of 100. |
Show DHCP Client Runtime Info | View all settings the client inherited from its DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP). |
IPv6 Tab | |
Enable IPv6 on the interface | Select to enable IPv6 addressing on the interface. |
Interface ID | Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you Use interface ID as host portion when adding an address, the firewall uses the interface ID as the host portion of that address. |
Address | Add an IPv6 address and prefix length (for example, 2001:400:f00::1/64). Alternatively, select an existing IPv6 address object or create a new IPv6 address object. |
Enable address on interface | Enable the IPv6 address on the interface. |
Use interface ID as host portion | Select to use the Interface ID as the host portion of the IPv6 address. |
Anycast | Select to include routing through the nearest node. |
Send Router Advertisement | Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details about RA, see Enable Router Advertisement in this table. The following fields apply only if you Enable Router Advertisement: |
IPv6 Tab, Address Resolution Tab | |
Enable Duplicate Address Detection | Select to enable duplicate address detection (DAD), then configure the DAD Attempts, Reachable Time (sec), and NS Interval. |
DAD Attempts | Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1 to 10; default is 1). |
Reachable Time (sec) | Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1 to 36,000; default is 30). |
NS Interval (sec) | Specify the number of seconds for DAD attempts before failure is indicated (range is 1 to 10; default is 1). |
Enable NDP Monitoring | Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP ( |
IPv6 Tab, Router Advertisement Tab | |
Enable Router Advertisement | To provide Neighbor Discovery on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information. RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients. This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an IPv6 address in the IP address table. If you set RA options for any IPv6 address, you must Enable Router Advertisement for the interface. |
Min Interval (sec) | Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3 to 1,350; default is 200). The firewall sends RAs at random intervals between the minimum and maximum values you configure. |
Max Interval (sec) | Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4 to 1,800; default is 600). The firewall sends RAs at random intervals between the minimum and maximum values you configure. |
Hop Limit | Specify the hop limit to apply to clients for outgoing packets (range is 1 to 255; default is 64) or select unspecified, which maps to a system default. |
Link MTU | Specify the link maximum transmission unit (MTU) to apply to clients (range is 1,280 to 1,500) or default to unspecified, which maps to a system default. |
Reachable Time (ms) | Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message (range is 0 to 3,600,000) or default to unspecified, which maps to a system default. |
Retrans Time (ms) | Specify the retransmission timer, in milliseconds, that determines how long the client will wait before retransmitting neighbor solicitation messages (range is 0 to 4,294,967,295) or default to unspecified, which maps to a system default. |
Router Lifetime (sec) | Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway. |
Router Preference | If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment. |
Managed Configuration | Select to indicate to the client that addresses are available via DHCPv6. |
Other Configuration | Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6. |
Consistency Check | Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall will log any inconsistencies in a system log; the type is ipv6nd. |
DNS Support Tab (Available if you Enable Router Advertisement on the Router Advertisement Tab) | |
Include DNS information in Router Advertisement | Select for the firewall to send DNS information in NDP router advertisements from this IPv6 Ethernet interface. The other DNS Support fields (Server, Lifetime, Suffix, and Lifetime) are visible only after you select this option. |
Server | Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS and authoritative DNS servers to ultimately provide an IP address to the DNS client. You can configure a maximum of eight RDNS Servers that the firewall sends—listed in order from top to bottom—in an NDP router advertisement to the recipient, which then uses them in that same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it. |
Lifetime | Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use an RDNS server to resolve domain names (range is Max Interval (sec) to twice Max Interval (sec); default is 1,200). |
Suffix | Add one or more domain names (suffixes) for the DNS search list (DNSSL). Maximum length is 255 bytes. A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the query. For example, if a DNS client tries to submit a DNS query for the name “quality” without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is “company.com”, the resulting query from the router is for the fully qualified domain name “quality.company.com”. If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router uses the DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of the suffixes on the list. Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries. You can configure a maximum of eight domain names (suffixes) for a DNS search list option that the firewall sends—listed in order from top to bottom—in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order or Delete a suffix when you no longer need it. |
Lifetime | Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice Max Interval (sec); default is 1,200). |
SD-WAN Tab | |
SD-WAN Interface Status | If you selected Enable SD-WAN on the IPv4 tab, the firewall indicates SD-WAN Interface Status: Enabled. If you did not Enable SD-WAN, the firewall indicates SD-WAN status is Disabled. |
SD-WAN Interface Profile | Select an existing SD-WAN Interface Profile to apply to this Ethernet interface or add a new SD-WAN Interface Profile. You must Enable SD-WAN for the interface before you can apply an SD-WAN Interface Profile. |
Advanced Tab | |
Link Speed | Select the interface speed in Mbps (10, 100, or 1000) or select auto. |
Link Duplex | Select whether the interface transmission mode is full-duplex, half-duplex, or auto-negotiated. |
Link State | Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto). |
Advanced Tab, Other Info Tab | |
Management Profile | Select a Management profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface. |
MTU | Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large. |
Adjust TCP MSS | Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol: Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment. Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag. |
Untagged Subinterface | Select this option if the corresponding subinterfaces for this interface aren’t tagged. |
Advanced Tab, ARP Entries Tab | |
IP Address, MAC Address | To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware [media access control (MAC)] address. To delete an entry, select the entry and Delete it. Static ARP entries reduce ARP processing. |
Advanced Tab, ND Entries Tab | |
IPv6 Address, MAC Address | To provide neighbor information for Neighbor Discovery Protocol (NDP), Add the IPv6 address and MAC address of the neighbor. |
Advanced Tab, NDP Proxy Tab | |
Enable NDP Proxy | Enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface so that the firewall will receive the packets meant for the addresses in the list. It is recommended that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6). If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and then Apply Filter (gray arrow). |
Address | Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses has no impact. If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the IPv6 neighbors of the firewall and then Negate those neighbors to instruct the firewall not to respond to these IP addresses. |
Negate | Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet. |
Advanced Tab, LLDP Tab | |
Enable LLDP | Enable Link Layer Discovery Protocol (LLDP) for the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities by sending and receiving LLDP data units to and from neighbors. |
LLDP Profile | Select an existing LLDP Profile or create a new LLDP Profile. The profile is the way in which you configure the LLDP mode, enable syslog and SNMP notifications, and configure the optional Type-Length-Values (TLVs) you want transmitted to LLDP peers. |
Advanced Tab, DDNS Tab | |
Settings | Select Settings to make the DDNS fields available to configure. |
Enable | Enable DDNS on the interface—you must initially enable DDNS to configure it. (If your DDNS configuration is unfinished, you can save it without enabling it so that you don’t lose your partial configuration.) |
Update Interval (days) | Enter the interval, in days, between updates that the firewall sends to the DDNS server to update IP addresses mapped to FQDNs (range is 1 to 30; default is 1). The firewall also updates DDNS upon receiving a new IP address for the interface from the DHCP server. |
Certificate Profile | Create a Certificate Profile to verify the DDNS service. The DDNS service presents the firewall with a certificate signed by the certificate authority (CA). |
Hostname | Enter a hostname for the interface, which is registered with the DDNS Server (for example, host123.domain123.com or host123). The firewall does not validate the hostname except to confirm that the syntax uses valid characters allowed by DNS for a domain name. |
Vendor | Select the DDNS vendor (and version) that provides DDNS service to this interface: If you select an older version of a DDNS service and the firewall indicates that it will be phased out by a certain date, select the newer version instead. The Name and Value fields that follow the vendor name are vendor-specific. The read-only fields notify you of parameters that the firewall uses to connect to the DDNS service. Configure the other fields, such as a password that the DDNS service provides to you and a timeout that the firewall uses if it doesn’t receive a response from the DDNS server. |
IPv4 Tab | Add the IPv4 addresses configured on the interface and then select them. You can select only as many IPv4 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor). |
IPv6 Tab | Add the IPv6 addresses configured on the interface and then select them. You can select only as many IPv6 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor). |
Show Runtime Info | Displays the DDNS registration: DDNS provider, resolved FQDN, and the mapped IP address(es) with an asterisk (*) indicating the primary IP address. Each DDNS provider has its own return codes to indicate the status of the hostname update, and a return date, for troubleshooting purposes. |
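As an added illustration of what the Consistency Check and DNS Support rows on the Router Advertisement tab describe (example code written for this page, not PAN-OS code): it parses a received ICMPv6 Router Advertisement, extracts the hop limit, M/O flags, MTU option and RDNSS option, and reports the fields on which a peer router's RA disagrees with the values configured on this interface. The `INTERFACE_RA` settings, the `build_ra` helper and the two sample packets are constructed assumptions for the demonstration.

```python
"""Check received ICMPv6 Router Advertisements against the RA settings of a
Layer 3 interface (hypothetical example written for this page, not PAN-OS code)."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861)
OPT_MTU = 5              # MTU option (RFC 4861)
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)

# Assumed interface configuration: page defaults for hop limit, RA link MTU
# 1500, Other Configuration set, one RDNS server; Reachable Time and Retrans
# Time left "unspecified" (None), so they are not compared.
INTERFACE_RA = {"hop_limit": 64, "mtu": 1500, "managed": False, "other": True,
                "reachable_ms": None, "retrans_ms": None,
                "rdnss": ["2001:db8::53"]}


def parse_ra(pkt: bytes) -> dict:
    """Parse the fixed RA header plus the MTU and RDNSS options."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    hop, flags, lifetime, reach, retrans = struct.unpack("!BBHII", pkt[4:16])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "reachable_ms": reach, "retrans_ms": retrans, "mtu": None, "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]   # option length is in units of 8 octets
        end = off + olen * 8
        if olen == 0 or end > len(pkt):        # RFC 4861: zero-length or truncated option
            raise ValueError("malformed ND option")
        body = pkt[off + 2:end]
        if otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            addrs = body[6:]                   # after 2 reserved + 4 lifetime bytes
            ra["rdnss"] = [str(ipaddress.IPv6Address(addrs[i:i + 16]))
                           for i in range(0, len(addrs), 16)]
        off = end
    return ra


def inconsistencies(ra: dict, cfg: dict = INTERFACE_RA) -> list:
    """Fields on which a peer's RA disagrees with this interface's RA settings."""
    out = []
    for key in ("hop_limit", "mtu", "reachable_ms", "retrans_ms", "managed", "other"):
        want = cfg.get(key)
        if want is not None and ra.get(key) is not None and ra[key] != want:
            out.append(f"{key}: peer={ra[key]} ours={want}")
    if cfg.get("rdnss") and ra["rdnss"] and ra["rdnss"] != cfg["rdnss"]:
        out.append(f"rdnss: peer={ra['rdnss']} ours={cfg['rdnss']}")
    return out


def build_ra(hop, flags, lifetime, reach, retrans, mtu=None, rdnss=(), dns_lifetime=1200):
    """Construct a sample RA for testing (checksum left at zero)."""
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop, flags, lifetime, reach, retrans)
    if mtu is not None:
        pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    if rdnss:
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, dns_lifetime)
        pkt += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return pkt


# Constructed samples: a peer that matches our settings, and one that does not.
GOOD_RA = build_ra(64, 0x40, 1800, 0, 0, mtu=1500, rdnss=["2001:db8::53"])
ROGUE_RA = build_ra(255, 0x40, 1800, 0, 0, mtu=1280, rdnss=["2001:db8:bad::1"])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("rogue", ROGUE_RA)):
        print(name, inconsistencies(parse_ra(pkt)) or "consistent")
```

The list returned for the rogue sample is the kind of per-field disagreement the firewall records as an ipv6nd system log when Consistency Check is enabled.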