How to make unused ports of Palo Alto Networks firewall into a switch

• Many small businesses or larger businesses with remote offices may wish to minimize the number of devices that they need to administer at these locations.
• Due to this, customers may want to utilize unused ports of their PANW NGFW as switch ports thereby removing the need for a separate physical switch.
• This may also apply to PANW SE’s and their home networks.

1. Activate firewall and subscriptions
   • PAN-OS Administrator’s Guide: Register the Firewall
2. For this document we have replaced the Day 1 Configuration (Optional step in the link above) with the Home Skillet configuration that creates a simple 2-zone network intended for home use. The Iron Skillet (Day 1 Configuration) is also a valid starting place as neither of these templates address the Layer-2 configuration steps we will be configuring here.

• https://github.com/PaloAltoNetworks/HomeSkillet

1. Dynamic Updates are downloaded and applied
   • PAN-OS Administrator’s Guide: Install Content Updates
2. The attached configuration template assumes the firewall is a PA-220 running PAN-OS 9.1.x. Step by step instructions will be included that will work for other firewall models and OS levels. To upgrade follow these steps:
   • PAN-OS New Features Guide: Determine the Upgrade Path to PAN-OS 9.1
3. The WiFi router for the network is configured in Layer-2 mode with DHCP server disabled. The firewall will be the new DHCP server:
   1. Connect devices in a daisy chain in this order:
      1. Service Provider Device (cable modem) > PANW Firewall > WiFi Router

1. Use HomeSkillet
   • HomeSkillet Internet Gateway
2. HomeSkillet is easier to use if you first load PanHandler
   • Install And Get Started With Panhandler

1. Login to the firewall. If this is the first time to login to this device follow the directions here:
   • PAN-OS Administrator’s Guide: Perform Initial Configuration
2. Create a new Layer-2 security zone: Network > Zones > Add
   1. Name: Internal-L2
   2.  Type: layer 

From Network > Interfaces, change ports ethernet1/2 through ethernet 1/8 to be Layer 2 and assign all of them to the new L2 zone created above:

3. Create a new vlan interface: Network > Interfaces > VLAN > Add

In the example we have named the interface “vlan” and we are using the internal (trust) Layer-3 security zone called “internal”.

Click “IPv4” and assign your network default gateway. In this example we are using 10.0.10.254/24:



Click Advanced tab and assign management profile. Required so you can login to this interface in the future.

4. Create VLANs: Network > VLANs > Add. Include interfaces 2-8.

5. Create DHCP Server
   1. Network > DHCP > DHCP Server > Add
   2. Assign to interface “vlan” created earlier
   3. “Add” IP Pool that works within your network

4. Static assignments can be added by mapping IP addresses to MAC addresses on this same page.
5. Click “Options” and add appropriate options for Gateway, Subnet Mask, DNS and NTP servers. The “inherited” option will pull that option from the inheritance source listed at the top of the page. In this case ethernet1/1 is facing the cable modem/ISP and will inherit the settings that are assigned by the ISP. Optionally change these to your preferred settings.

6. Click Commit