Layer 3 Subinterface
- Network > Interfaces > Ethernet
For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer 3 interfaces (subinterfaces), each identified by an 802.1Q VLAN tag. You can also configure Layer 3 subinterfaces on an SD-WAN Aggregate Ethernet (AE) interface group: create the SD-WAN AE interface group, select the group, click Add Subinterface, and specify the following information.

To configure a subinterface on a physical Layer 3 interface (including a PA-7000 Series Layer 3 Interface), select the interface, click Add Subinterface, and specify the following information.
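As an added example (not code from the PAN-OS documentation), the following Python generates the PAN-OS configure-mode `set` commands equivalent to the web-interface steps above. It enforces the suffix and VLAN-tag ranges from the table below and always emits the vsys import, virtual-router and zone bindings, because a subinterface that lacks any of the three does not forward traffic. The command syntax is the standard PAN-OS form (`set network interface ethernet <if> layer3 units <if>.<n> ...`); the single-vsys `set zone` form, the interface, zone and virtual-router names and the addresses are assumptions to adapt to your firewall and PAN-OS release.

```python
"""Generate PAN-OS configure-mode 'set' commands for a Layer 3 subinterface.

Added example, not code from the PAN-OS documentation. Ranges (suffix 1-9999,
VLAN tag 1-4094) come from the reference table; the command syntax is the
standard PAN-OS configure-mode form and should be checked against your PAN-OS
release. Interface, zone and virtual-router names and addresses are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Interface
from typing import List, Optional


@dataclass
class L3Subinterface:
    parent: str                 # physical L3 interface ("ethernet1/1") or AE group ("ae1")
    suffix: int                 # numeric suffix: the subinterface is "<parent>.<suffix>"
    tag: int                    # 802.1Q VLAN tag carried by this subinterface
    zone: str                   # security zone; Security policy is evaluated per zone
    virtual_router: str = "default"
    vsys: str = "vsys1"
    addresses: List[str] = field(default_factory=list)  # static IPv4, "a.b.c.d/len"
    comment: Optional[str] = None

    @property
    def name(self) -> str:
        return f"{self.parent}.{self.suffix}"


def validate(sub: L3Subinterface) -> None:
    """Reject values outside the ranges the web interface accepts."""
    if not 1 <= sub.suffix <= 9999:
        raise ValueError("subinterface suffix must be 1-9999")
    if not 1 <= sub.tag <= 4094:
        raise ValueError("VLAN tag must be 1-4094")
    if not sub.zone:
        # An interface that is in no zone matches no Security rule and passes no traffic.
        raise ValueError("a security zone is required")
    for addr in sub.addresses:
        if "/" not in addr:
            raise ValueError(f"{addr}: specify the network mask in CIDR notation")
        IPv4Interface(addr)     # raises ValueError on a malformed address or mask


def set_commands(sub: L3Subinterface) -> List[str]:
    """Return the ordered 'set' commands; enter them in configure mode, then commit."""
    validate(sub)
    kind = "aggregate-ethernet" if sub.parent.startswith("ae") else "ethernet"
    base = f"set network interface {kind} {sub.parent} layer3 units {sub.name}"
    cmds = [f"{base} tag {sub.tag}"]
    for addr in sub.addresses:
        cmds.append(f"{base} ip {IPv4Interface(addr).with_prefixlen}")
    if sub.comment:
        cmds.append(f'{base} comment "{sub.comment}"')
    # The subinterface forwards only once it is imported into a vsys, attached to a
    # virtual router and placed in a zone (the Config tab of the dialog).
    cmds.append(f"set vsys {sub.vsys} import network interface {sub.name}")
    cmds.append(f"set network virtual-router {sub.virtual_router} interface {sub.name}")
    cmds.append(f"set zone {sub.zone} network layer3 {sub.name}")
    return cmds


if __name__ == "__main__":
    example = L3Subinterface("ethernet1/1", 100, 100, "trust",
                             addresses=["10.1.100.1/24"], comment="user VLAN 100")
    print("\n".join(set_commands(example)))
```

Keeping the numeric suffix equal to the VLAN tag, as the table recommends, is a convention the generator leaves to the caller; the only hard requirement it enforces is that both stay inside their ranges and that the zone is set.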
| Layer 3 Subinterface Setting | Configured In | Description |
|---|---|---|
| Interface Name | Layer3 Subinterface | The read-only Interface Name field displays the name of the physical interface you selected. In the adjacent field, enter a numeric suffix (1 to 9,999) to identify the subinterface. |
| Comment | Layer3 Subinterface | Enter an optional description for the subinterface. |
| Tag | Layer3 Subinterface | Enter the 802.1Q VLAN tag (1 to 4,094) for the subinterface. For ease of use, use the same number as the numeric suffix in the Interface Name. |
| Netflow Profile | Layer3 Subinterface | To export unidirectional IP traffic that traverses an ingress subinterface to a NetFlow server, select the server profile or click Netflow Profile to define a new profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the subinterface. |
| Virtual Router | Layer3 Subinterface > Config | Assign a virtual router to the subinterface, or click Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the subinterface. |
| Virtual System | Layer3 Subinterface > Config | If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the subinterface or click Virtual System to define a new vsys. |
| Security Zone | Layer3 Subinterface > Config | Select a security zone for the subinterface, or click Zone to define a new zone. Select None to remove the current zone assignment from the subinterface. Security policy is evaluated per zone, so a subinterface that belongs to no zone passes no traffic. |
| Enable SD-WAN | Layer3 Subinterface > IPv4 | Select to enable SD-WAN on the Layer 3 subinterface of a Layer 3 interface or of an SD-WAN AE interface group. |
| Enable Bonjour Reflector | Layer3 Subinterface > IPv4 | (PA-220, PA-800, and PA-3200 Series only) When you enable this option, the firewall forwards Bonjour multicast advertisements and queries received on this interface to all other L3 and AE interfaces and subinterfaces on which you also enable this option. This preserves user access and device discoverability in networks that are segmented for security or administrative reasons. You can enable this option on up to 16 interfaces. |
| Type | Layer3 Subinterface > IPv4 | Select the method for assigning an IPv4 address to the subinterface: Static or DHCP Client. The options displayed in the tab vary with your selection. Firewalls in a high availability (HA) active/active configuration don't support DHCP Client. |
| IP | Layer3 Subinterface > IPv4, Type = Static | Add a static IP address and network mask for the interface. You can enter multiple IP addresses; the forwarding information base (FIB) of your platform determines the maximum number. Delete an IP address when you no longer need it. |
| Enable | Layer3 Subinterface > IPv4, Type = DHCP Client | Select to activate the DHCP client on the interface. |
| Automatically create default route pointing to default gateway provided by server | Layer3 Subinterface > IPv4, Type = DHCP Client | Select to automatically create a default route that points to the default gateway the DHCP server provides. |
| Send Hostname | Layer3 Subinterface > IPv4, Type = DHCP Client | Select to have the firewall (as a DHCP client) send a hostname (DHCP Option 12) to the DHCP server. By default the hostname field is populated with the firewall's hostname; you can send that name or enter a custom hostname (64 characters maximum; uppercase and lowercase letters, numbers, periods, hyphens, and underscores). |
| Default Route Metric | Layer3 Subinterface > IPv4, Type = DHCP Client | (Optional) Enter a route metric (priority level) to associate with the default route learned from the DHCP server and to use for path selection (range is 1 to 65,535; there is no default). The lower the numeric value, the higher the priority. |
| Show DHCP Client Runtime Info | Layer3 Subinterface > IPv4, Type = DHCP Client | Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP). |
| Enable IPv6 on the interface | Layer3 Subinterface > IPv6 | Select to enable IPv6 addressing on this interface. |
| Interface ID | Layer3 Subinterface > IPv6 | Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface, which exposes that MAC in every address built from it. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the interface ID as the host portion of that address. |
| Address | Layer3 Subinterface > IPv6 | Click Add and configure the following parameters for each IPv6 address. |
| Enable Duplicate Address Detection | Layer3 Subinterface > IPv6 > Address Resolution | Select to enable duplicate address detection (DAD), then configure the other fields in this section. |
| DAD Attempts | Layer3 Subinterface > IPv6 > Address Resolution | Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1 to 10; default is 1). |
| Reachable Time | Layer3 Subinterface > IPv6 > Address Resolution | Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1 to 36,000; default is 30). |
| NS Interval (neighbor solicitation interval) | Layer3 Subinterface > IPv6 > Address Resolution | Specify the interval, in seconds, between the neighbor solicitations sent for DAD before failure is indicated (range is 1 to 10; default is 1). |
| Enable NDP Monitoring | Layer3 Subinterface > IPv6 > Address Resolution | Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select NDP ( |
| Enable Router Advertisement | Layer3 Subinterface > IPv6 > Router Advertisement | To provide Neighbor Discovery on IPv6 interfaces, select this option and configure the other fields in this section. IPv6 hosts that receive the router advertisement (RA) messages use this information. RA enables the firewall to act as the default gateway for IPv6 hosts that are not statically configured and to provide them with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients. This is a global setting for the interface. To set RA options for individual IP addresses, Add and configure an Address in the IP address table. If you set RA options for any IP address, you must Enable Router Advertisement for the interface. |
| Min Interval (sec) | Layer3 Subinterface > IPv6 > Router Advertisement | Specify the minimum interval, in seconds, between the RAs that the firewall sends (range is 3 to 1,350; default is 200). The firewall sends RAs at random intervals between the minimum and maximum values you configure. |
| Max Interval (sec) | Layer3 Subinterface > IPv6 > Router Advertisement | Specify the maximum interval, in seconds, between the RAs that the firewall sends (range is 4 to 1,800; default is 600). The firewall sends RAs at random intervals between the minimum and maximum values you configure. |
| Hop Limit | Layer3 Subinterface > IPv6 > Router Advertisement | Specify the hop limit that clients apply to outgoing packets (range is 1 to 255; default is 64). Enter 0 for no hop limit. |
| Link MTU | Layer3 Subinterface > IPv6 > Router Advertisement | Specify the link maximum transmission unit (MTU) to apply to clients (range is 1,280 to 9,192; default is unspecified). Select unspecified for no link MTU. |
| Reachable Time (ms) | Layer3 Subinterface > IPv6 > Router Advertisement | Specify the reachable time (in milliseconds) that clients use to assume a neighbor is reachable after receiving a reachability confirmation message (range is 0 to 3,600,000; default is unspecified). Select unspecified for no reachable time value. |
| Retrans Time (ms) | Layer3 Subinterface > IPv6 > Router Advertisement | Specify the retransmission timer that determines how long (in milliseconds) clients wait before retransmitting neighbor solicitation messages (range is 0 to 4,294,967,295; default is unspecified). Select unspecified for no retransmission time. |
| Router Lifetime (sec) | Layer3 Subinterface > IPv6 > Router Advertisement | Specify how long, in seconds, clients use the firewall as the default gateway (range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not a default gateway. When the lifetime expires, the client removes the firewall from its Default Router List and uses another router as the default gateway. |
| Router Preference | Layer3 Subinterface > IPv6 > Router Advertisement | If the network segment has multiple IPv6 routers, clients use this field to select a preferred router. Select whether the RA advertises the firewall as having High, Medium (default), or Low priority relative to other routers on the segment. |
| Managed Configuration | Layer3 Subinterface > IPv6 > Router Advertisement | Select to indicate to clients that addresses are available via DHCPv6 (the M flag in the RA). |
| Other Configuration | Layer3 Subinterface > IPv6 > Router Advertisement | Select to indicate to clients that other configuration information (for example, DNS-related settings) is available via DHCPv6 (the O flag in the RA). |
| Consistency Check | Layer3 Subinterface > IPv6 > Router Advertisement (cont) | Select to have the firewall verify that RAs sent by other routers on the link advertise information consistent with its own. The firewall logs any inconsistency in the System log with type ipv6nd, which also surfaces an unexpected (rogue) router advertising on the segment. |
| Include DNS information in Router Advertisement | Layer3 Subinterface > IPv6 > DNS Support | Select for the firewall to send DNS information in NDP router advertisements from this IPv6 Ethernet subinterface. The other DNS Support fields in this table are visible only after you select this option. |
| Server | Layer3 Subinterface > IPv6 > DNS Support | Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet subinterface. RDNS servers issue a series of DNS lookups to root and authoritative DNS servers to ultimately provide an IP address to the DNS client. You can configure a maximum of 8 RDNS servers; the firewall sends them in the order listed from top to bottom in an NDP router advertisement, and the recipient uses them in the same order. Select a server and Move Up or Move Down to change the order, or Delete a server when you no longer need it. |
| Lifetime | Layer3 Subinterface > IPv6 > DNS Support | Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement during which it can use an RDNS server to resolve domain names (range is the Max Interval (sec) value to twice Max Interval; default is 1,200). |
| Suffix | Layer3 Subinterface > IPv6 > DNS Support (cont) | Add one or more domain names (suffixes) for the DNS search list (DNSSL); the maximum length is 255 bytes. A DNS search list is a list of domain suffixes that a DNS client appends (one at a time) to an unqualified name before issuing a DNS query, so that the query carries a fully qualified domain name. For example, if a client submits a query for the name "quality" without a suffix, it appends a period and the first suffix from the list and transmits the query; if the first suffix is "company.com", the resulting query is for "quality.company.com". If that query fails, the client appends the second suffix from the list and transmits a new query, and continues until a lookup succeeds (the remaining suffixes are ignored) or all suffixes have been tried. Configure the firewall with the suffixes you want to provide to clients in a Neighbor Discovery DNSSL option; a client that receives the option uses the suffixes in its unqualified queries. You can configure a maximum of 8 suffixes; the firewall sends them in the order listed from top to bottom in an NDP router advertisement, and the recipient uses them in the same order. Select a suffix and Move Up or Move Down to change the order, or Delete a suffix when you no longer need it. |
| Lifetime | Layer3 Subinterface > IPv6 > DNS Support (cont) | Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement during which it can use a domain name (suffix) on the DNS search list (range is the Max Interval (sec) value to twice Max Interval; default is 1,200). |
| SD-WAN Interface Profile | Layer3 Subinterface > SD-WAN | Select an SD-WAN Interface Profile to assign to this subinterface, or create a new profile. |
| Management Profile | Layer3 Subinterface > Advanced > Other Info | Select a profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface. On a subinterface that faces an untrusted network, assign no profile, or one that restricts the permitted source addresses and omits cleartext protocols such as Telnet and HTTP. |
| MTU | Layer3 Subinterface > Advanced > Other Info | Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation-needed message to the source indicating that the packet is too large. |
| Adjust TCP MSS | Layer3 Subinterface > Advanced > Other Info | Select to adjust the TCP maximum segment size (MSS) so that a segment and its headers fit within the interface MTU. The MTU minus the MSS Adjustment Size equals the MSS; the adjustment size is configured separately per IP protocol (IPv4 and IPv6). Use this setting when a tunnel in the path requires a smaller MSS: encapsulation adds header bytes, so set the adjustment size to leave room for, for example, an MPLS header or a VLAN tag on tunneled traffic, and segments pass without fragmentation. |
| IP Address / MAC Address | Layer3 Subinterface > Advanced > ARP Entries | To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware (media access control, MAC) address. To delete an entry, select it and click Delete. Static ARP entries reduce ARP processing and pin the MAC address of a critical neighbor such as the next-hop router. |
| IPv6 Address / MAC Address | Layer3 Subinterface > Advanced > ND Entries | To provide neighbor information for the Neighbor Discovery Protocol (NDP), Add the IPv6 address and MAC address of the neighbor. |
| Enable NDP Proxy | Layer3 Subinterface > Advanced > NDP Proxy | Enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall responds to ND packets that request MAC addresses for the IPv6 addresses in this list; in the ND response it sends its own MAC address for the interface, so that the firewall receives the packets destined to the addresses in the list. Enabling NDP proxy is recommended if you use Network Prefix Translation IPv6 (NPTv6). If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and clicking Apply Filter (gray arrow). |
| Address | Layer3 Subinterface > Advanced > NDP Proxy | Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall acts as NDP proxy. Ideally, one of these addresses is the same as the source translation address in NPTv6. The order of addresses does not matter. If an address is a subnet, the firewall sends an ND response for every address in the subnet, so also add the firewall's own IPv6 neighbors and click Negate to instruct the firewall not to respond for those addresses. |
| Negate | Layer3 Subinterface > Advanced > NDP Proxy | Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet. |
| Settings | Layer3 Subinterface > Advanced > DDNS | Select Settings to make the DDNS fields available to configure. |
| Enable | Layer3 Subinterface > Advanced > DDNS | Enable DDNS on the interface. You must enable DDNS before you can configure it. (If your DDNS configuration is unfinished, you can save it without enabling it so that you don't lose the partial configuration.) |
| Update Interval (days) | Layer3 Subinterface > Advanced > DDNS | Enter the interval (in days) between the updates the firewall sends to the DDNS server to refresh the IP addresses mapped to FQDNs (range is 1 to 30; default is 1). The firewall also updates DDNS when it receives a new IP address for the interface from the DHCP server. |
| Certificate Profile | Layer3 Subinterface > Advanced > DDNS | Create a Certificate Profile that the firewall uses to verify the DDNS service. The DDNS service presents a certificate signed by a certificate authority (CA); the profile must trust that CA, otherwise the update is sent to whatever server answers for the DDNS hostname. |
| Hostname | Layer3 Subinterface > Advanced > DDNS | Enter the hostname for the interface that is registered with the DDNS server (for example, host123.domain123.com or host123). The firewall does not validate the hostname except to confirm that it uses characters that DNS allows in a domain name. |
| Vendor | Layer3 Subinterface > Advanced > DDNS | Select the DDNS vendor (and version) that provides DDNS service to this interface. If you select an older version of a DDNS service that the firewall indicates will be phased out by a certain date, move to the newer version. The Name and Value fields that follow the vendor name are vendor-specific. The read-only fields show the parameters that the firewall uses to connect to the DDNS service. Configure the other fields, such as the password that the DDNS service provides to you and the timeout the firewall uses if it does not receive a response from the DDNS server. |
| IPv4 tab - IP | Layer3 Subinterface > Advanced > DDNS | Add the IPv4 addresses configured on the interface and then select them. You can select only as many IPv4 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor). |
| IPv6 tab - IPv6 | Layer3 Subinterface > Advanced > DDNS | Add the IPv6 addresses configured on the interface and then select them. You can select only as many IPv6 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor). |
| Show Runtime Info | Layer3 Subinterface > Advanced > DDNS | Displays the DDNS registration: DDNS provider, resolved FQDN, and the mapped IP address(es), with an asterisk (*) marking the primary IP address. Each DDNS provider has its own return codes that indicate the status of the hostname update, and a return date, for troubleshooting. |
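The Interface ID row above says that a blank field defaults to the EUI-64 derived from the physical interface's MAC, and gives 00:26:08:FF:FE:DE:4E:29 as an example value. The following added Python (not from the PAN-OS documentation) shows that derivation and its consequence: the plain EUI-64 is the MAC with FF:FE inserted, the modified EUI-64 that IPv6 addresses actually carry (RFC 4291) additionally flips the universal/local bit, and either form lets anyone on the path recover the hardware MAC from the address. The MAC 00:26:08:DE:4E:29 and the prefix 2001:db8:1:2::/64 are constructed sample values; which of the two forms your firewall places on the wire should be checked in the interface's runtime information.

```python
"""Derive an IPv6 Interface ID from a MAC address, and recover the MAC from an address.

Added example, not code from the PAN-OS documentation. The page states that a
blank Interface ID defaults to the EUI-64 of the physical interface's MAC and
shows 00:26:08:FF:FE:DE:4E:29 as an example; that value is the EUI-64 of the
MAC 00:26:08:DE:4E:29, which is the constructed sample used below.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """IEEE EUI-64 from a 48-bit MAC: insert FF:FE between the OUI and the device bytes."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return octets[:3] + b"\xff\xfe" + octets[3:]


def modified_eui64(mac: str) -> bytes:
    """RFC 4291 Appendix A: invert the universal/local bit (0x02 of the first octet)."""
    iid = bytearray(mac_to_eui64(mac))
    iid[0] ^= 0x02
    return bytes(iid)


def fmt_id(iid: bytes) -> str:
    """Colon-separated uppercase hex, the format the Interface ID field expects."""
    return ":".join(f"{b:02X}" for b in iid)


def address_from_prefix(prefix: str, iid: bytes) -> IPv6Address:
    """Use the 64-bit interface ID as the host portion of a /64 prefix
    (what 'Use interface ID as host portion' does for an address)."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("interface-ID addressing needs a /64 prefix and a 64-bit ID")
    return IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def link_local(mac: str) -> IPv6Address:
    """fe80::/64 plus the modified EUI-64, as SLAAC hosts and routers form it."""
    return address_from_prefix("fe80::/64", modified_eui64(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """The privacy cost of EUI-64 IDs: recover the MAC, or None if the ID is not EUI-64 shaped."""
    iid = bytearray(IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                      # undo the U/L bit flip
    return ":".join(f"{b:02X}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:26:08:DE:4E:29"           # constructed sample MAC
    print("EUI-64          :", fmt_id(mac_to_eui64(mac)))
    print("modified EUI-64 :", fmt_id(modified_eui64(mac)))
    print("link-local      :", link_local(mac))
    print("global          :", address_from_prefix("2001:db8:1:2::/64", modified_eui64(mac)))
    print("MAC recovered   :", mac_from_address(str(link_local(mac))))
```

If the MAC of the firewall interface should not be visible to every IPv6 peer, enter an Interface ID of your own choosing in the field instead of leaving it blank; `mac_from_address` returns None for such an ID.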
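The Router Advertisement and DNS Support rows above describe, field by field, the ICMPv6 Router Advertisement the firewall sends. The following added Python (not from the PAN-OS documentation) encodes that message on the wire, including the MTU option, the RDNSS option carrying the Server list and the DNSSL option carrying the Suffix list, and enforces the coupled range rules from the table (Min Interval against Max Interval, Router Lifetime 0 or up to 9,000 s, DNS Lifetime between Max Interval and twice Max Interval). Formats follow RFC 4861, RFC 4191 and RFC 8106; the defaults are the page's defaults; the server address 2001:db8::53 and the suffix company.com are constructed samples. The ICMPv6 checksum is left at zero because it covers the IPv6 pseudo-header and is computed by the sender.

```python
"""Encode an ICMPv6 Router Advertisement with MTU, RDNSS and DNSSL options.

Added example, not code from the PAN-OS documentation. Wire formats: RFC 4861
(RA, type 134; MTU option type 5), RFC 4191 (router preference bits), RFC 8106
(RDNSS type 25, DNSSL type 31). Defaults mirror the page's defaults; the DNS
server and suffix below are constructed samples. Checksum is left 0 for the sender.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import List

ND_ROUTER_ADVERT = 134
OPT_MTU, OPT_RDNSS, OPT_DNSSL = 5, 25, 31
PREFERENCE = {"high": 0x08, "medium": 0x00, "low": 0x18}   # RFC 4191 Prf field in the flags byte


def dns_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels plus a zero terminator, at most 255 bytes."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("suffix exceeds 255 bytes")
    return out


def rdnss_option(servers: List[str], lifetime: int) -> bytes:
    """Type 25; length in 8-octet units is 1 for the header plus 2 per 16-byte address."""
    if not 1 <= len(servers) <= 8:
        raise ValueError("1 to 8 RDNSS servers")
    body = b"".join(IPv6Address(s).packed for s in servers)
    return struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(servers), 0, lifetime) + body


def dnssl_option(suffixes: List[str], lifetime: int) -> bytes:
    """Type 31; names packed back to back and zero-padded to an 8-octet boundary."""
    if not 1 <= len(suffixes) <= 8:
        raise ValueError("1 to 8 DNSSL suffixes")
    names = b"".join(dns_name(s) for s in suffixes)
    pad = (-len(names)) % 8
    length = (8 + len(names) + pad) // 8
    return struct.pack("!BBHI", OPT_DNSSL, length, 0, lifetime) + names + b"\x00" * pad


@dataclass
class RouterAdvertisement:
    hop_limit: int = 64            # Hop Limit; 0 = unspecified
    managed: bool = False          # Managed Configuration (M flag)
    other: bool = False            # Other Configuration (O flag)
    preference: str = "medium"     # Router Preference
    router_lifetime: int = 1800    # Router Lifetime (sec); 0 = not a default router
    reachable_ms: int = 0          # Reachable Time (ms); 0 = unspecified
    retrans_ms: int = 0            # Retrans Time (ms); 0 = unspecified
    link_mtu: int = 0              # Link MTU; 0 = unspecified, option omitted
    min_interval: int = 200        # Min Interval (sec)
    max_interval: int = 600        # Max Interval (sec)
    rdnss: List[str] = field(default_factory=list)   # DNS Support > Server
    dnssl: List[str] = field(default_factory=list)   # DNS Support > Suffix
    dns_lifetime: int = 1200       # DNS Support > Lifetime

    def validate(self) -> None:
        """Range rules from the page that tie fields together (RFC 4861 / RFC 8106)."""
        if not 4 <= self.max_interval <= 1800:
            raise ValueError("Max Interval must be 4-1800 s")
        if not 3 <= self.min_interval <= 0.75 * self.max_interval:
            raise ValueError("Min Interval must be 3 s to 0.75 x Max Interval")
        if self.router_lifetime and not self.max_interval <= self.router_lifetime <= 9000:
            raise ValueError("Router Lifetime must be 0, or Max Interval to 9000 s")
        if (self.rdnss or self.dnssl) and not self.max_interval <= self.dns_lifetime <= 2 * self.max_interval:
            raise ValueError("DNS Lifetime must be Max Interval to 2 x Max Interval")
        if self.link_mtu and not 1280 <= self.link_mtu <= 9192:
            raise ValueError("Link MTU must be 1280-9192")

    def encode(self) -> bytes:
        self.validate()
        flags = (0x80 if self.managed else 0) | (0x40 if self.other else 0) | PREFERENCE[self.preference]
        pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, self.hop_limit, flags,
                          self.router_lifetime, self.reachable_ms, self.retrans_ms)
        if self.link_mtu:
            pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, self.link_mtu)
        if self.rdnss:
            pkt += rdnss_option(self.rdnss, self.dns_lifetime)
        if self.dnssl:
            pkt += dnssl_option(self.dnssl, self.dns_lifetime)
        return pkt


if __name__ == "__main__":
    ra = RouterAdvertisement(other=True, preference="high", link_mtu=1500,
                             rdnss=["2001:db8::53"], dnssl=["company.com"])
    print(ra.encode().hex())
```

Because every option length is a whole number of 8-octet units, a correctly built message is always a multiple of 8 bytes long; a receiver that sees anything else, or an RA whose flags and lifetimes disagree with the firewall's own, is exactly what the Consistency Check row above logs under type ipv6nd.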
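The Adjust TCP MSS row above reduces to one subtraction (MTU minus the MSS Adjustment Size) applied to the MSS option of TCP SYN segments. The following added Python (not from the PAN-OS documentation) performs that clamp on a TCP header: it walks the option list, lowers an MSS that exceeds the target, never raises one, refuses malformed options, and repairs the TCP checksum incrementally (RFC 1624) so the rewritten segment is still valid. The adjustment sizes it uses, 40 bytes for IPv4 (20 IP + 20 TCP) and 60 for IPv6 (40 IP + 20 TCP), are assumptions representing the bare header overhead, not values taken from the page; the SYN is constructed in `build_syn()` and its checksum covers the TCP header only, without the IP pseudo-header, so the example runs offline.

```python
"""Clamp the TCP MSS option in a SYN to (interface MTU - MSS adjustment size).

Added example, not code from the PAN-OS documentation. Adjustment sizes below are
assumptions (bare IPv4/IPv6 + TCP header overhead); add the bytes of any extra
encapsulation such as an MPLS label or a VLAN tag on tunneled traffic. The sample
SYN is constructed here and its checksum covers the TCP header only (no IP
pseudo-header) so that the example runs offline.
"""
import struct
from typing import Dict, Optional, Tuple

MSS_KIND, MSS_LEN = 2, 4
DEFAULT_ADJUST: Dict[int, int] = {4: 40, 6: 60}   # assumed per-protocol adjustment sizes


def target_mss(mtu: int, ip_version: int, adjust: Dict[int, int] = DEFAULT_ADJUST) -> int:
    """The page's rule: MTU minus the adjustment size for this IP protocol."""
    if not 576 <= mtu <= 9192:
        raise ValueError("interface MTU must be 576-9192 bytes")
    return mtu - adjust[ip_version]


def checksum(data: bytes) -> int:
    """Internet ones'-complement checksum; returns 0 over data that already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def update_checksum(old_csum: int, old_val: int, new_val: int) -> int:
    """RFC 1624 incremental update for one changed 16-bit field: HC' = ~(~HC + ~m + m')."""
    total = (~old_csum & 0xFFFF) + (~old_val & 0xFFFF) + new_val
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_syn(mss: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed 24-byte TCP SYN: 20-byte base header plus a 4-byte MSS option."""
    data_offset = 6                                          # 6 x 4 = 24 bytes
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset << 4,
                      0x02, 65535, 0, 0)                     # flags=SYN, checksum placeholder 0
    hdr += struct.pack("!BBH", MSS_KIND, MSS_LEN, mss)
    return hdr[:16] + struct.pack("!H", checksum(hdr)) + hdr[18:]


def clamp_mss(tcp_hdr: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Return (rewritten header, original MSS or None if absent). The MSS is only ever lowered."""
    data_offset = (tcp_hdr[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_hdr):
        raise ValueError("bad TCP data offset")
    hdr = bytearray(tcp_hdr)
    orig: Optional[int] = None
    i = 20
    while i < data_offset:
        kind = hdr[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = hdr[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad TCP option length")   # drop malformed options, never guess
        if kind == MSS_KIND and length == MSS_LEN:
            orig = struct.unpack_from("!H", hdr, i + 2)[0]
            if orig > max_mss:
                struct.pack_into("!H", hdr, i + 2, max_mss)
                old_csum = struct.unpack_from("!H", hdr, 16)[0]
                struct.pack_into("!H", hdr, 16, update_checksum(old_csum, orig, max_mss))
        i += length
    return bytes(hdr), orig


def read_mss(tcp_hdr: bytes) -> Optional[int]:
    """Parse the MSS option without changing anything (clamp to the 16-bit maximum)."""
    return clamp_mss(tcp_hdr, 0xFFFF)[1]


if __name__ == "__main__":
    syn = build_syn(1460)
    new, orig = clamp_mss(syn, target_mss(1420, 4))   # e.g. an 80-byte tunnel overhead upstream
    print(f"MSS {orig} -> {read_mss(new)}, checksum valid: {checksum(new) == 0}")
```

The incremental checksum update is valid on the wire too: the IP pseudo-header does not change when only the MSS value changes, so the same formula applies whether or not the pseudo-header was part of the original sum.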