VLAN Interfaces on Palo Alto Firewalls

VLAN interfaces on Palo Alto Networks firewalls are utilized to segment network traffic logically. They allow for:

Traffic Segregation : Isolating different types of traffic for security and organizational purposes.
Inter-VLAN Routing : Facilitating communication between VLANs through Layer 3 routing.
Enhanced Security : Applying specific security policies to distinct VLANs.

Configuration Steps (VLAN Interface / SVI)

Configure Layer 2 Ethernet Interfaces :
- Navigate to Network > Interfaces > Ethernet .
- Select the desired physical interface (e.g., ethernet1/1 ).
- Set the Interface Type to Layer2 .
- Assign the interface to a Security Zone (this zone applies to traffic *on* this specific port if untagged, but the main policy will use the VLAN interface's zone).
Create VLAN Objects :
- Go to Network > VLANs .
- Click Add to create a new VLAN object.
- Provide a Name for the VLAN (e.g., VLAN10-Users).
- Assign the previously configured Layer 2 physical interface(s) that will carry this VLAN to this VLAN object.
Configure VLAN Interfaces (Logical Layer 3) :
- Navigate to Network > Interfaces > VLAN .
- Click Add to create a new logical VLAN interface.
- The interface name is automatic (e.g., vlan). Assign it to the VLAN object created earlier (e.g., VLAN10-Users). Note: Unlike subinterfaces, the VLAN ID itself isn't part of the interface name here but is associated via the VLAN Object.
- Set the Interface Type to Layer3 (this makes it an SVI - Switched Virtual Interface).
- Assign an IP Address and netmask to the interface (e.g., 192.168.10.1/24 ). This becomes the gateway for devices in VLAN 10.
- Associate it with a Virtual Router and a dedicated Security Zone (e.g., Zone-VLAN10). Policies will use this zone.
Commit the Configuration :
- After completing the above steps, click Commit to apply the changes.