When configuring firewalls, it is crucial to set up network interfaces that can filter inbound and outbound traffic. A network interface is the point of connection between a device and a private or public network.
A network interface can be either physical or logical. A physical interface is a network interface card (NIC), which sends and receives traffic at different rates. A logical interface, such as a virtual LAN (VLAN) interface, a tunnel interface, or a loopback interface, is set up on top of a physical interface.
This post discusses the nine network interface types covered in Section 3.0 of the PCNSE Blueprint. Configuring these interfaces on a Palo Alto firewall allows network security engineers to protect their networks.
Types of interfaces
Palo Alto Networks firewalls support nine network interface types: Layer 2, Layer 3, Virtual Wire (vWire), TAP, vWire sub-interface, tunnel, aggregate, loopback, and decrypt mirror interfaces. Which of these are configured depends on the infrastructure's functional requirements. We will briefly discuss the functionality of each interface.
Layer 2 Interface
In Layer 2 mode, a Palo Alto firewall can switch traffic between multiple networks using VLANs within a single broadcast domain. Devices are connected to a Layer 2 segment, and each frame is forwarded to the correct port based on the destination MAC address in the frame. A Layer 2 interface is configured when switching is required in the network.
Layer 2 interfaces can be configured in the following ways:
Without VLANs: suitable when hosts are close to one another and share a single broadcast domain.
With VLANs: a VLAN keeps the traffic and policies of different departments separate and divides a Layer 2 segment into multiple broadcast domains.
With Per-VLAN Spanning Tree (PVST+) BPDU rewrite: the firewall rewrites the inbound Port VLAN ID (PVID) in Cisco per-VLAN spanning tree BPDUs, which allows Palo Alto firewalls to correctly tag Cisco PVST+ frames within VLANs.
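The VLAN handling described above comes down to the 12-bit VLAN ID carried in an 802.1Q tag. The following Python script is an added example (not from the original post or from Palo Alto Networks) that parses a constructed Ethernet frame, reports whether it carries a tag and which VLAN it belongs to, recognizes the well-known Cisco PVST+ BPDU destination MAC, and rewrites only the VLAN ID of a tagged frame while preserving its priority bits. The sample frames are constructed for the example; the SNAP payload bytes are an assumption for illustration, not a captured BPDU.

```python
import struct

TPID_8021Q = 0x8100                               # EtherType value that marks an 802.1Q tag
PVST_PLUS_DST = bytes.fromhex("01000ccccccd")     # Cisco PVST+ BPDU destination MAC

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional 802.1Q tag fields and payload."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[0:6], "src": frame[6:12], "pcp": None, "dei": None, "vid": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13            # priority code point (3 bits)
        info["dei"] = (tci >> 12) & 1      # drop eligible indicator (1 bit)
        info["vid"] = tci & 0x0FFF         # VLAN identifier (12 bits)
        offset = 18
    info["ethertype"] = ethertype          # EtherType, or a length for LLC-encapsulated BPDUs
    info["payload"] = frame[offset:]
    return info

def rewrite_vid(frame: bytes, new_vid: int) -> bytes:
    """Return a copy of a tagged frame with only the VLAN ID replaced (PCP/DEI kept)."""
    if not 1 <= new_vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    if parse_frame(frame)["vid"] is None:
        raise ValueError("frame carries no 802.1Q tag to rewrite")
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (tci & 0xF000) | new_vid     # keep the upper 4 bits (PCP + DEI), replace the VID
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]

def is_pvst_bpdu(frame: bytes) -> bool:
    """True when the frame is addressed to the Cisco PVST+ BPDU multicast MAC."""
    return parse_frame(frame)["dst"] == PVST_PLUS_DST

# Constructed sample frames (not captured traffic): a PVST+ BPDU tagged with VLAN 10 and
# priority 7 (TCI 0xE00A), and the same payload sent untagged. The SNAP header bytes are
# an illustrative assumption.
_SNAP_BPDU = bytes.fromhex("aaaa0300000c010b") + bytes(8)
_SRC = bytes.fromhex("001122334455")
SAMPLE_TAGGED = (PVST_PLUS_DST + _SRC
                 + struct.pack("!HHH", TPID_8021Q, 0xE00A, len(_SNAP_BPDU)) + _SNAP_BPDU)
SAMPLE_UNTAGGED = PVST_PLUS_DST + _SRC + struct.pack("!H", len(_SNAP_BPDU)) + _SNAP_BPDU

if __name__ == "__main__":
    before = parse_frame(SAMPLE_TAGGED)
    after = parse_frame(rewrite_vid(SAMPLE_TAGGED, 20))
    print(f"PVST+ BPDU: {is_pvst_bpdu(SAMPLE_TAGGED)}, VID {before['vid']} -> {after['vid']}, "
          f"PCP kept: {after['pcp'] == before['pcp']}")
```

The untagged sample is the "without VLANs" case: `parse_frame` returns no VID for it, and `rewrite_vid` refuses it rather than inserting a tag, because a rewrite should only change the PVID on frames that already carry one.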
Layer 3 Interface
In Layer 3 mode, the Palo Alto firewall routes traffic between multiple ports using IP addresses. Before a Layer 3 interface can be configured, a virtual router must first be set up on the firewall.
A Layer 3 interface requires more configuration and network planning than the other interface types. It is configured with an IPv4/IPv6 address, a zone name, and the virtual router it attaches to. The Palo Alto firewall examines traffic and uses the following connectivity settings to manage it:
NetFlow integration
MTU and MSS adjustment
Manual MAC address assignment
IPv6 Neighbor Discovery settings and link negotiation
LLDP support and dynamic DNS
vWire Interface
A virtual wire (vWire) binds two interfaces together so that they transparently pass traffic between the two sides of a network segment. This deployment is known as a bump in the wire. It supports many features, such as QoS, zone protection, security rules, active/passive HA, and DoS protection, and it can allow or block traffic based on VLAN tags.
This makes it easy to install and configure the firewall in an existing network topology. Each vWire interface can be connected directly to Layer 2 or Layer 3 interfaces. It receives frames and packets without having a network address of its own.
TAP Interface
A network TAP provides access to the data flowing across a computer network. It lets network security engineers and network administrators monitor traffic using a switch SPAN (mirror) port. The mirror port copies traffic from other ports, in one direction, to the TAP interface, where it can be analyzed for threats to the network.
This allows Palo Alto firewalls to detect network threats so that preventative measures can be taken against them. When deployed in TAP mode, the firewall detects threats, but the monitored traffic itself is not affected by the threat detection.