A Palo Alto Networks firewall can run several deployment modes at the same time, because the mode is chosen per interface rather than per device: one firewall can have a virtual wire on two ports, routed interfaces on others, and a tap port listening to a SPAN session. The interface types available are:
- Virtual Wire Deployments
- Layer 2 Deployments
- Layer 3 Deployments
- Tap Mode Deployments
Virtual Wire Deployment
In virtual wire mode the firewall is inserted transparently into a network segment by binding two interfaces together into a virtual wire. The wire is entirely internal to the firewall: the two interfaces carry no IP address, the firewall performs no routing or switching between them, and the adjacent devices see a cable rather than a network hop, so no addressing or routing changes are needed on either side. Despite being transparent, a virtual wire still supports App-ID, User-ID, Content-ID, NAT and decryption, so the full security policy can be enforced on the segment. Because the interfaces have no addresses, a virtual wire cannot be used to manage the firewall; management has to come over the dedicated management port or a Layer 3 interface.
Layer 2 Deployment
In a Layer 2 deployment the firewall switches traffic between two or more networks: the interfaces are grouped into a VLAN object and frames are forwarded between them by MAC address, while every frame that crosses the firewall is still matched against security policy. This gives visibility and control inside the internal network that a plain switch cannot provide. Layer 2 interfaces can act as access links or as 802.1Q trunk links. The firewall does not take part in Spanning Tree: any BPDUs received on a Layer 2 interface are forwarded unmodified to the neighbouring switch rather than processed, so the firewall is invisible to the STP topology and loop prevention remains the job of the switches on either side of it.
Layer 3 Deployment
In a Layer 3 deployment the firewall routes traffic between interfaces, each of which has its own IP address, is assigned to a security zone and is attached to a virtual router that holds the routing table. An interface can also obtain its address from a DHCP server instead of a static assignment. Layer 3 interfaces can additionally be used to manage the firewall, but only if an interface management profile permitting the required services (for example HTTPS, SSH or ping) is attached to the interface; without such a profile, management traffic addressed to the interface is dropped.
Tap Mode Deployment
In tap mode the firewall passively monitors a copy of the traffic delivered by a switch SPAN (port mirror) session. This gives visibility of applications, users and content, but nothing more: because the firewall only ever sees a copy of the packets, it cannot block, shape or otherwise control the traffic. Tap mode does not remove the need for a security policy, though. The firewall only logs mirrored traffic when a rule from the tap zone to the tap zone allows it with logging enabled; that rule produces logs but can never enforce anything on the live traffic.
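The four modes above, as one added configuration example that is not taken from the original article or from Palo Alto Networks documentation. It uses PAN-OS configure-mode set commands; the interface numbers, zone names, the VLAN object name, the management profile name, the rule name and the IP addresses are assumed for illustration, and the exact command syntax can differ between PAN-OS versions, so check it against the running version before committing.

```text
# Added example, not the article's own configuration. PAN-OS configure-mode
# commands with assumed interface, zone, VLAN and profile names.
configure

# --- Virtual wire: bind ethernet1/1 and ethernet1/2 into one transparent wire ---
set network interface ethernet ethernet1/1 virtual-wire
set network interface ethernet ethernet1/2 virtual-wire
set network virtual-wire vw1 interface1 ethernet1/1 interface2 ethernet1/2
set zone vw-outside network virtual-wire ethernet1/1
set zone vw-inside network virtual-wire ethernet1/2
# No IP addresses on either side: the segment sees a cable, but policy still applies.

# --- Layer 2: switch between ethernet1/3 and ethernet1/4 inside one VLAN object ---
set network interface ethernet ethernet1/3 layer2
set network interface ethernet ethernet1/4 layer2
set network vlan vlan-inside interface [ ethernet1/3 ethernet1/4 ]
set zone l2-users network layer2 ethernet1/3
set zone l2-servers network layer2 ethernet1/4
# BPDUs are forwarded, not processed: loop prevention stays with the adjacent switches.

# --- Layer 3: routed interfaces on a virtual router, one static and one via DHCP ---
set network profiles interface-management-profile mgmt-ssh-https https yes ssh yes ping yes
set network interface ethernet ethernet1/5 layer3 ip 10.10.10.1/24
set network interface ethernet ethernet1/5 layer3 interface-management-profile mgmt-ssh-https
set network interface ethernet ethernet1/6 layer3 dhcp-client enable yes
set network virtual-router default interface [ ethernet1/5 ethernet1/6 ]
set zone inside network layer3 ethernet1/5
set zone outside network layer3 ethernet1/6
# Without the management profile, SSH/HTTPS aimed at ethernet1/5 is dropped.

# --- Tap: passive visibility from a switch SPAN session mirrored to ethernet1/7 ---
set network interface ethernet ethernet1/7 tap
set zone tap-zone network tap ethernet1/7
# A tap-to-tap rule with logging is still required, otherwise nothing is logged.
set rulebase security rules tap-visibility from tap-zone to tap-zone source any destination any source-user any application any service any action allow log-end yes

commit
```

The tap rule is deliberately allow-with-logging: an action of deny would not stop any real packets, since the firewall holds only a mirrored copy, and it would also suppress the App-ID and Content-ID detail that is the whole point of tap mode.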