Configure VLAN on Palo Alto Firewall

In this article, I will show you how to configure VLAN on Palo Alto Firewall and setup it connect to the Internet. Its management IP is 192.168.1.100.

We will create 2 vlans: 20 and 30.

Go to "Network" > "Zones" > click "Add"

Enter the following information:

• Name : LAN

• Log Setting : None

• Type : Layer3

VLAN configuration on Palo Alto Firewall

Go to "Network" > "Interfaces" > click on "ethernet1/2" and enter the information as below:

• Interface Name : ethernet1/2

• Interface Type : Layer3

• Security Zone : LAN

Select "ethernet1/2", Click "Add Subinterface" button and enter the information as below:

• Interface Name : ethernet1/2.20
  

• Tag : 20

• Security Zone : LAN
  

In the tab "IPv4", click "Add" button to add an IP address : 192.168.20.1/24.

In the tab "Advanced", Management Profile : ping-response-pages.

Click "Add Subinterface" button to add another subinterface, enter the information as below:

• Interface Name : ethernet1/2.30
  

• Tag : 30

• Security Zone : LAN

In the tab "IPv4", click "Add" button to add an IP address : 192.168.30.1/24.

In the tab "Advanced", Management Profile : ping-response-pages.

Create Virtual Router on Palo Alto Firewall

Go to "Network" > "Virtual Router" > Click "Add", and enter the information as below:

In the tab "Static Routes", enter the information as below:

• Name : default-route
  

• Destination : 0.0.0.0/0
  

• Interface : ethernet1/1
  

• Next Hop : IP Address

• IP Gateway : 10.11.32.140

DHCP configure on Palo Alto Firewall

Go to "Network" > "DHCP" > Click "Add", and enter the information as below:

• Interface : ethernet1/2.20

• Mode : enabled

• IP Pools : 192.168.20.2-192.168.20.254

• Gateway : 192.168.20.1

• Subnet Mask : 255.255.255.0

• Primary DNS : 8.8.8.8

• Secondary DNS : 8.8.4.4

Create NAT Policy on Palo Alto Firewall

Go to "Policies" > "NAT" > Click "Add" and enter the information as below:

• Name : VLAN20-to-WAN

• Source Zone : LAN

• Destination Zone : WAN
  

• Destination Interface : ethernet1/1

• Service : any
  

• Source Address : 192.168.20.0/24
  

• Translation Type : Dynamic IP And Port

• Address Type : Interface Address
  

• Interface : ethernet1/1

• IP Address : 10.11.32.72/24
  

Create Security Policy Rules

Go to "Policies" > "Security" > Click "Add", and enter the information as below:

• Name : VLAN20-to-Internet

• Source Zone : LAN

• Source Address : 192.168.20.0/24

• Destination Zone : WAN

• Service/URL Category : any
  

• Action : Allow
  

Commit All Changes, then, the configuration steps are done.

Facebook: https://www.facebook.com/routerbest

Twitter: https://twitter.com/routerbestcom

Tags： 192.168.1.100 Firewall Palo Alto