Getting Started: Layer 2 Interfaces
Environment
- Palo Alto Firewall.
- PAN-OS.
- Layer 2 Interfaces.
Resolution
What more can my firewall do? Layer 2 interfaces—
In the previous installments of Getting Started, we covered how to set up the firewall from scratch. In this next series, we'll be covering more advanced configuration features that will help you fine tune your firewall to better suit your environment. This week, we'll take a look at Layer 2 interfaces and how the firewall can be set up to provide bridging between VLANs while enforcing security policies and providing threat prevention to keep your network secure.
We already covered VLAN tags as Layer 3 subinterfaces in Getting Started — Layer 3 Subinterfaces, but PAN-OS also enables you to create true Layer 2 interfaces that act the same way a switch would.
We'll start with a simple example where we have two Layer 2 interfaces in the same zone and the same VLAN. This scenario could be practical if, for example, you have both servers and clients on the same IP subnet and want to allow sessions to be formed, but need to control which applications are used, and/or need to provide threat prevention without changing the IP subnet.
On the switch, you could set each set of machines into a separate VLAN, for example, servers in VLAN 20 and clients in VLAN 30, and have the firewall serve as a bridge between these VLANS:
- First, you'll need to create a VLAN interface to be used by the physical interfaces we will set to Layer 2. Navigate to the Network tab, open Interfaces from the left pane and open the VLAN tab. There will already be one default VLAN interface present, which you can reuse if you like, but we'll create a new one by clicking the Add button.
You'll assign the interface an ID, add any relevant comment and assign the interface to the default Virtual Router and add it to the Trust zone. Note that the ID is simply an identification number for the interface and does not influence any 802.1Q tagging.
If you then try to assign a VLAN to the interface, you'll notice there aren't any available yet, so go ahead and click the new VLAN link to start creating a new VLAN object.
Simply give it a name and click OK for now.
The VLAN interface should look somewhat like this. Go ahead and click OK.
- From here, we're going to set interfaces ethernet1/2 Layer2 and set the proper VLAN configuration. Navigate to the Ethernet tab and open interface ethernet1/2's properties, then change the Interface Type to Layer2.
After setting the interface to Layer2, set the VLAN to the newly created VLAN object, but notice that the security zone does not show any option. This is because we have not yet created any Layer 2 Security Zones.
Any Security Zone configured on the firewall is also attached to a specific network type, like Layer 3, VWire, or Layer 2. In the VLAN configuration in Step 1, we added the VLAN.100 interface to the default router and Layer 3 Trust Security Zone. This is to allow traffic to pass from Layer 2 to Layer 3. We'll take a look at that after we've completed this phase of the Layer 2 introduction.
Click the new Zone link to create a new zone named L2-Trust:
- Repeat the above step for interface ethernet1/3.
- The last stage is to create an intrazone security policy to allow more granular control over applications connecting both segments and applying security profiles to these sessions. Open the Policies tab and navigate to Security on the left pane. Click Add to create a new security policy. From the Rule Type dropdown, select 'intrazone' as the Type.
Next, navigate to the Source tab, click Add, and set the source zone to L2-Trust.
Because this is an intrazone Security Policy, the destination zone selection has been made inaccessible and is dependent on the source configuration.
Set the applications to what is appropriate between the segments. These are solely the applications you want to allow between the internal hosts. This does not apply to any connections going to or coming from other networks.
Lastly, set security profiles so any sessions between your internal hosts are also inspected for vulnerabilities, exploits, viruses, and so on.
Your security policy should now look similar to this:
Rule1, as seen above, will be used in the next segment, Layer2 Routing.
This configuration will ensure your hosts all remain on the same IP subnet, but can be segregated depending on their role.
More interfaces can be added to provide even more segments or tagged subinterfaces can be added in a similar fashion as described in Getting Started: Layer 3 — Subinterfaces.
Layer 2 Routing
As the next step, you may want to enable internet access for the hosts in your network, so you will need to enable some Layer 3 functionality in the Layer2 config. You may have noticed some Layer 3-looking configuration in the VLAN configuration earlier, and this is where we will need to enable the functionality.
- Navigate back to the Network tab.
- Access Interfaces on the left pane.
- Open the VLAN tab.
- Edit the vlan.100 object.
- Navigate to the IPv4 tab.
- Click Add.
- Enter the IP address the hosts on your network will use as the default gateway, with its subnet mask.
The VLAN interface now functions as a Layer 3 interface towards the outside world. Any sessions originating from your internal hosts to the outside world will be handled by the firewall as coming from the Layer 3 Trust zone going to the Layer 3 Untrust zone.
Please be aware you may need some additional configuration to allow for outbound connections, including the default route in your virtual router, NAT configuration so the internal IP subnet is translated to the public IP address of the firewall and maybe a DHCP server to automatically assign IP addresses to workstations joining your network. Please take a look at Getting Started — Layer 3, NAT, and DHCP where we cover these configuration steps in more detail.
The NAT policy required to reach the internet:
The Virtual Router configuration:
For more details on Layer 2 interfaces, please take a look at the Tech note on Layer 2 Networking .