Go to the top

Palo Alto Firewall Deployment Modes

Ziaul / Network Security, PaloAlto /

Palo Alto firewall can operate in multiple deployments at once as the deployments occur at the interface level. Below is a list of the configuration options available for  interfaces:

  • Virtual Wire Deployments
  • Layer 2 Deployments
  • Layer 3 Deployments
  • Tap Mode Deployments

Virtual Wire Deployment

With virtual wire mode, a firewall is deployed transparently in a network segment by binding two firewall ports (interfaces) together. The virtual wire logically connects the two interfaces; hence, the virtual wire is internal to the firewall. A Virtual Wire interface supports App-ID, User-ID, Content-ID, NAT and decryption.

palo-alto-v-wire mode


Layer 2 Deployment

In a Layer 2 deployment, the firewall provides switching between two or more networks. Traffic traversing the firewall is checked as per policies, providing increased security and visibility within the internal network. In this mode the firewall interfaces are capable of supporting Access or Trunk Links (802.1Q trunking) and do not participate in the Spanning Tree topology. Any BPDUs received on the firewall interfaces are directly forwarded to the neighbouring Layer 2 switch without being processed.



Layer 3 Deployment

In a Layer 3 deployment  the firewall routes traffic between multiple interfaces, each of which is configured with an IP address and security zone. The Firewall interfaces can also be configured to obtain their IP address via a DHCP server and can be used to manage the security appliance.



Tap Mode Deployment

TAP Mode deployment allows passive monitoring of the traffic flow across a network by using the SPAN feature (also known as mirroring). Tap mode offers visibility of application, user and content, however,  the firewall is unable to control the traffic as no security rules can be applied in this mode.





Leave a Comment