Different Interface Types in Palo Alto | Blog | Adroit Information Technology Academy (AITA)

Different Interface Types in Palo Alto

Layer 2 Interface

The firewall provides switching between two or more networks. When devices are connected to a Layer 2 segment, the firewall forwards each frame to the port associated with the destination MAC address identified in the frame. A Layer 2 interface only needs to be configured when switching is required.

Layer 3 Interface

The firewall routes traffic between multiple ports using TCP/IP addressing. A virtual router configuration is mandatory, because the firewall uses it to route the traffic for each Layer 3 interface.

Layer 3 deployments are the most widely used, but they require more network configuration than the other firewall interface types. Palo Alto Networks supports IPv4 and IPv6 simultaneously using a dual-stack implementation.

Each Layer 3 interface should have an IPv4 and/or an IPv6 address, a zone name, and an attached virtual router that routes the traffic on the interface. Further options are available to meet other connectivity requirements, including NetFlow integration, MTU adjustment, binding of firewall services, neighbor discovery for IPv6, manual MAC address assignment, and dynamic DNS support.

Virtual Wire Interface

We can install a firewall transparently on a network segment by binding two firewall ports (interfaces) together. The virtual wire is internal to the firewall: it connects the two interfaces logically.

In a virtual wire deployment, the two connected interfaces on the firewall do not need to perform any switching or routing, so the firewall can be integrated into an existing topology. For these two interfaces the firewall is considered a bump in the wire.

A virtual wire deployment simplifies firewall installation and configuration, because the firewall can be placed into an existing network without assigning MAC or IP addresses to the interfaces, redesigning the network, or reconfiguring surrounding network devices. The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags. It also supports Security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection, DoS protection, NAT, and more.

A virtual wire interface is always connected to a Layer 2 or Layer 3 networking device. Virtual wire interfaces do not have any Layer 2 or Layer 3 addresses of their own. When a virtual wire interface receives a frame or packet, it ignores any Layer 2 or Layer 3 addresses for switching or routing purposes; however, it applies Security or NAT policy rules before an allowed frame or packet is passed over the virtual wire to the second interface and on to the connected network devices.

All firewalls that are shipped from the factory have two Ethernet ports (port 1 and port 2) preconfigured as virtual wire interfaces, and these interfaces allow all untagged traffic.

VLAN Interface

Virtual wire deployments use virtual wire subinterfaces to separate traffic into network zones. When you have to manage traffic from multiple customer networks, virtual wire subinterfaces give you more flexibility to enforce distinct policies. Use subinterfaces to classify traffic into different network zones using VLAN tags alone, or VLAN tags in conjunction with IP classifiers.

Tap Interface Deployment

A network tap is a device that provides a way to access data flowing across a computer network. In a TAP mode deployment, we can passively monitor traffic flows across a network using a switch SPAN or mirror port.

A switch SPAN (mirror port) copies traffic from ports on the switch to the tap interface of the firewall, providing a one-way flow of traffic into the firewall. With this configuration the firewall can detect traffic and threats, but it cannot take any enforcement action, because the traffic does not flow back into the environment.

In a TAP mode deployment we gain visibility into the applications running on the network without making any changes to the network design. Threats inside the network can also be detected while the firewall is in TAP mode.
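The requirements stated above differ per interface type: a Layer 3 interface needs an address, a zone and a virtual router; virtual wire interfaces carry no Layer 2 or Layer 3 address and come in bound pairs; a tap interface only receives mirrored traffic and belongs in a tap-type zone. The following script is an added example (not code from Palo Alto Networks or from this article) that audits a configuration for those properties. It parses a deliberately simplified, constructed subset of PAN-OS "set"-format lines; the exact command grammar, the interface names and the zone names are assumptions for illustration, and a real device export would need the parser adapted.

```python
"""Audit a simplified PAN-OS-style 'set' configuration for interface-type consistency.

Assumed (constructed) line grammar, one statement per line:
  set network interface ethernet <if> <layer2|layer3|virtual-wire|tap> [ip <addr/len>]
  set network virtual-router <vr> interface <if>
  set network virtual-wire <vw> interface1 <if> interface2 <if>
  set zone <zone> network <layer2|layer3|virtual-wire|tap> <if>
"""
import re
from collections import defaultdict

MODES = r"layer2|layer3|virtual-wire|tap"
IFACE_RE = re.compile(
    rf"^set network interface ethernet (?P<name>\S+) (?P<mode>{MODES})(?: ip (?P<ip>\S+))?$")
VR_RE = re.compile(r"^set network virtual-router (?P<vr>\S+) interface (?P<name>\S+)$")
VW_RE = re.compile(r"^set network virtual-wire (?P<vw>\S+) interface1 (?P<a>\S+) interface2 (?P<b>\S+)$")
ZONE_RE = re.compile(rf"^set zone (?P<zone>\S+) network (?P<ztype>{MODES}) (?P<name>\S+)$")

# Constructed sample configuration (hypothetical interface and zone names).
# ethernet1/4, ethernet1/6 and ethernet1/7 are intentionally misconfigured.
SAMPLE_CONFIG = """
set network interface ethernet ethernet1/1 layer3 ip 10.1.1.1/24
set network interface ethernet ethernet1/2 layer3 ip 192.0.2.1/24
set network interface ethernet ethernet1/3 virtual-wire
set network interface ethernet ethernet1/4 virtual-wire
set network interface ethernet ethernet1/5 tap
set network interface ethernet ethernet1/6 layer3
set network interface ethernet ethernet1/7 tap
set network virtual-wire vw-dmz interface1 ethernet1/3 interface2 ethernet1/4
set network virtual-router default interface ethernet1/1
set network virtual-router default interface ethernet1/2
set zone trust network layer3 ethernet1/1
set zone untrust network layer3 ethernet1/2
set zone vw-in network virtual-wire ethernet1/3
set zone tap-mon network tap ethernet1/5
set zone untrust network layer3 ethernet1/7
"""


def parse(config_text):
    """Build a per-interface model: mode, IPs, zone (and its type), virtual router, virtual wires."""
    ifaces = defaultdict(lambda: {"mode": None, "ips": [], "zone": None,
                                  "ztype": None, "vr": None, "vw": []})
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := IFACE_RE.match(line)):
            entry = ifaces[m["name"]]
            entry["mode"] = m["mode"]
            if m["ip"]:
                entry["ips"].append(m["ip"])
        elif (m := VR_RE.match(line)):
            ifaces[m["name"]]["vr"] = m["vr"]
        elif (m := VW_RE.match(line)):
            ifaces[m["a"]]["vw"].append(m["vw"])
            ifaces[m["b"]]["vw"].append(m["vw"])
        elif (m := ZONE_RE.match(line)):
            ifaces[m["name"]]["zone"] = m["zone"]
            ifaces[m["name"]]["ztype"] = m["ztype"]
        else:
            raise ValueError(f"unrecognised line: {line}")
    return dict(ifaces)


def audit(config_text):
    """Return a sorted list of human-readable findings; an empty list means the config is consistent."""
    findings = []
    for name, i in sorted(parse(config_text).items()):
        mode = i["mode"]
        if mode is None:
            findings.append(f"{name}: referenced but never defined")
            continue
        # Every interface type must sit in a zone whose type matches the interface mode.
        if i["zone"] is None:
            findings.append(f"{name}: {mode} interface is not assigned to a zone")
        elif i["ztype"] != mode:
            findings.append(f"{name}: zone '{i['zone']}' is type {i['ztype']} but interface is {mode}")
        if mode == "layer3":
            # Layer 3: address plus an attached virtual router are required for routing.
            if not i["ips"]:
                findings.append(f"{name}: layer3 interface has no IP address")
            if i["vr"] is None:
                findings.append(f"{name}: layer3 interface is not attached to a virtual router")
        else:
            # Virtual wire, tap and Layer 2 interfaces carry no IP and are never routed.
            if i["ips"]:
                findings.append(f"{name}: {mode} interface must not carry an IP address")
            if i["vr"] is not None:
                findings.append(f"{name}: {mode} interface must not be in a virtual router")
        if mode == "virtual-wire" and len(i["vw"]) != 1:
            findings.append(f"{name}: virtual-wire interface must belong to exactly one virtual wire "
                            f"(found {len(i['vw'])})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running the script against the constructed sample reports the virtual wire port that has no zone, the Layer 3 interface that lacks an address, zone and virtual router, and the tap interface that was placed in a Layer 3 zone; a clean configuration produces no findings. The same structure extends naturally to virtual wire subinterfaces if the parser is taught the tag syntax used by the device export.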

Tags: Virtual Wire, VLAN, Layer 2, Layer 3, Tap Interface, Palo Alto, SPAN, App-ID, Content-ID, User-ID