How to make unused ports of Palo Alto Networks firewall into a switch
Created On 09/03/20 23:43 PM - Last Modified 09/10/20 18:37 PM
Objective
- Many small businesses or larger businesses with remote offices may wish to minimize the number of devices that they need to administer at these locations.
- Due to this, customers may want to utilize unused ports of their PANW NGFW as switch ports thereby removing the need for a separate physical switch.
- This may also apply to PANW SEs and their home networks.
NOTE:
We will also enable the DHCP server on the firewall, further centralizing network services on the one device you already administer. Because the firewall then holds the DHCP lease table (IP address to MAC address bindings), it also becomes much easier to identify specific devices from the firewall itself.
Environment
Any PANW Firewall
Procedure
Prerequisites:
- Activate firewall and subscriptions
- For this document we have replaced the Day 1 Configuration (optional step in the link above) with the HomeSkillet configuration, which creates a simple 2-zone network intended for home use. The IronSkillet (Day 1 Configuration) is also a valid starting point; neither template includes the Layer-2 configuration steps described in this article.
Please note that IronSkillet does not contain any network/zone configuration; HomeSkillet (built on top of IronSkillet) does, and it includes a hybrid L2/L3 option. This article is written against PAN-OS 9.1; HomeSkillet includes configurations for both PAN-OS 9.1 and 10.0.
- Dynamic Updates are downloaded and applied
- The attached configuration template assumes the firewall is a PA-220 running PAN-OS 9.1.x. Step-by-step instructions are included that will work for other firewall models and PAN-OS versions. To upgrade, follow these steps:
- The WiFi router for the network is configured in Layer-2 (access point / bridge) mode with its DHCP server disabled. The firewall will be the only DHCP server on the segment; two DHCP servers on the same LAN will hand out conflicting leases:
- Connect devices in a daisy chain in this order:
- Service Provider Device (cable modem) > PANW Firewall > WiFi Router
Configuration Steps Using the easy button (greenfield deployments only):
- Use HomeSkillet
- HomeSkillet is easier to use if you first load PanHandler
Manual Configuration Steps:
- Log in to the firewall. If this is the first time logging in to this device, follow the directions here:
- Create a new Layer-2 security zone: Network > Zones > Add
- Name: Internal-L2
- Type: Layer2
From Network > Interfaces > Ethernet, change ports ethernet1/2 through ethernet1/8 to Interface Type "Layer2" and assign all of them to the Internal-L2 zone created above. Note that traffic switched between these ports is still evaluated against security policy; the built-in intrazone-default rule is what allows hosts on the same VLAN to reach each other, so the firewall is doing policy-enforced switching rather than acting as an unmanaged switch.
- Create a new VLAN interface: Network > Interfaces > VLAN > Add
In the example we have named the interface "vlan". On the Config tab, assign it to the virtual router and to the internal (trust) Layer-3 security zone, here called "internal".
Click "IPv4" and assign the IP address that will serve as the default gateway for the LAN. In this example we are using 10.0.10.254/24:
Click the Advanced tab and assign an Interface Management Profile. This is required so you can manage the firewall via this interface in the future. Enable only the services you need (for example HTTPS and SSH, plus Ping for troubleshooting), and use the profile's Permitted IP Addresses list to restrict which LAN hosts may reach the management services, rather than exposing them to every device on the segment.
- Create the VLAN: Network > VLANs > Add. Include interfaces ethernet1/2 through ethernet1/8 and select the "vlan" interface created above as the VLAN Interface; this is what ties the Layer-2 ports to the routed gateway address.
- Create DHCP Server
- Network > DHCP > DHCP Server > Add
- Assign to interface “vlan” created earlier
- “Add” IP Pool that works within your network
- Static assignments can be added by mapping IP addresses to MAC addresses on this same page.
- Click "Options" and add the appropriate options for Gateway, Subnet Mask, DNS and NTP servers. The "inherited" setting pulls that option from the Inheritance Source listed at the top of the page. In this case ethernet1/1 faces the cable modem/ISP and will inherit the settings assigned by the ISP. Optionally replace these with your preferred settings (for example your own DNS resolvers).
- Click Commit. After the commit, confirm that a LAN client receives a lease (Network > DHCP > DHCP Server, or `show dhcp server lease interface <vlan-interface>` on the CLI) and check Monitor > Logs > Traffic to confirm that LAN-to-internet sessions are matched against the zones and rules you intended; adjust the security policy if the new Internal-L2 zone is not covered.
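The following is an added example of the same manual steps expressed as PAN-OS configure-mode CLI commands; it is not part of the original article or of the HomeSkillet template. It assumes the VLAN interface is named vlan.1 (the GUI walkthrough above uses the base "vlan" interface), a VLAN object named Internal-VLAN, an Interface Management Profile named LAN-Mgmt, the virtual router "default", the 10.0.10.0/24 subnet from the article, ethernet1/1 facing the ISP, and an example DHCP reservation whose IP and MAC address are made up. Commands follow the PAN-OS 9.1 syntax; confirm each with tab completion on your own device before committing.

```text
# Added example: PAN-OS CLI equivalent of the GUI procedure above (not from the original article).
# Assumed names: vlan.1, Internal-VLAN, LAN-Mgmt, virtual router "default", zone "internal".
configure

# 1. Layer-2 ports and their zone (ethernet1/2 - ethernet1/8)
set network interface ethernet ethernet1/2 layer2
set network interface ethernet ethernet1/3 layer2
set network interface ethernet ethernet1/4 layer2
set network interface ethernet ethernet1/5 layer2
set network interface ethernet ethernet1/6 layer2
set network interface ethernet ethernet1/7 layer2
set network interface ethernet ethernet1/8 layer2
set zone Internal-L2 network layer2 [ ethernet1/2 ethernet1/3 ethernet1/4 ethernet1/5 ethernet1/6 ethernet1/7 ethernet1/8 ]

# 2. Management profile limited to the LAN subnet, then the routed VLAN interface
set network profiles interface-management-profile LAN-Mgmt https yes ssh yes ping yes
set network profiles interface-management-profile LAN-Mgmt permitted-ip 10.0.10.0/24
set network interface vlan units vlan.1 ip 10.0.10.254/24
set network interface vlan units vlan.1 interface-management-profile LAN-Mgmt
set network virtual-router default interface vlan.1
set zone internal network layer3 vlan.1

# 3. VLAN object: bridge the L2 ports and attach the routed VLAN interface
set network vlan Internal-VLAN interface [ ethernet1/2 ethernet1/3 ethernet1/4 ethernet1/5 ethernet1/6 ethernet1/7 ethernet1/8 ]
set network vlan Internal-VLAN virtual-interface interface vlan.1

# 4. DHCP server on the VLAN interface; ethernet1/1 (ISP side) is the inheritance source
set network dhcp interface vlan.1 server mode enabled
set network dhcp interface vlan.1 server ip-pool 10.0.10.100-10.0.10.199
set network dhcp interface vlan.1 server option inheritance source ethernet1/1
set network dhcp interface vlan.1 server option gateway 10.0.10.254
set network dhcp interface vlan.1 server option subnet-mask 255.255.255.0
# Example static reservation (constructed IP/MAC, replace with a real device)
set network dhcp interface vlan.1 server reserved 10.0.10.10 mac 00:11:22:33:44:55

commit
exit

# 5. Verify from operational mode
show interface vlan.1
show dhcp server lease interface vlan.1
show mac all
```

DNS and NTP are left to inherit from ethernet1/1 here; set them explicitly under `server option` if you run your own resolvers. The `permitted-ip` line is the piece most often skipped in the GUI and is what keeps the HTTPS/SSH management services from being reachable by every device that obtains a lease.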