week 2 Flashcards
(32 cards)
Why use network segmentation?
To reduce the attack surface and control traffic between parts of the network.
What should you understand before segmenting your network?
Business/organizational drivers
Who needs access to what
What principle should guide access control?
Least privilege — only give users the minimum access they need.
What are security zones?
Groups of devices/users with similar security needs.
How are interfaces and zones related?
Each interface is assigned to one zone
A zone can include multiple interfaces (physical or logical)
What are examples of firewall hardware setups?
Single-slot firewall
Multi-slot firewall
Logical interfaces
Match zone types with supported interface types:
Layer 2 Zone → Layer 2 interfaces
Layer 3 Zone → Layer 3, VLAN, Loopback, Tunnel interfaces
Tunnel Zone → No interfaces assigned
Virtual Wire Zone → Virtual wire interfaces
What is Virtual Wire mode? (ethernet interfaces)
Binds two interfaces like a cable
No switching/routing needed
No IP address required
Supports App-ID, Content-ID, User-ID, SSL decryption, and NAT
What are the benefits of Virtual Wire interface?
Transparent deployment
No changes to existing devices
Enables traffic inspection and control
What is a Layer 3 Interface Deployment?
All Virtual Wire features plus:
Routing protocols
VPN
Virtual routers
What is a Layer 2 Interface?
Acts like a switch
Forwards traffic based on MAC addresses
Connects devices in the same Layer 2 segment
What does a Virtual Wire Object do?
It connects two firewall interfaces to create a transparent link for traffic inspection without routing or switching.
What can a Virtual Wire inspect?
It can accept and inspect traffic based on 802.1Q VLAN tags.
What does VLAN tag 0 represent?
Untagged traffic (no VLAN ID assigned).
how to Configure a Virtual Wire Interface?
Network > Interfaces > Ethernet > <select_interface></select_interface>
What do Layer 3 interfaces enable?
Routing between multiple interfaces on the firewall.
What is required for Layer 3 interface routing?
A virtual router configuration on the firewall.
What might Layer 3 deployment require in your network?
Changes to the IP address configuration of connected devices or subnets.
does layer 3 interface support IPv4 and IPv6?
Yes. But to support IPv6 you must enable IPv6 on the firewall
Device > Setup > Session > Session Settings
how to Configure a Layer 3 Interface?
Network > Interfaces > Ethernet > <select_interface>
Select Layer 3 interface
Select virtual router
Select security type</select_interface>
how to configure layer 3 IPv4?
select DHCP assigned to IP address
enter static IP address
What is an Interface Management Profile?
It defines which management services (like HTTPS, SSH, ping) are accessible from a traffic interface.
Where do you create an Interface Management Profile in Palo Alto?
Network > Network Profiles > Interface Mgmt > Add
What do Layer 3 subinterfaces use to process traffic?
VLAN tags (1–4094)
VLAN + IP classifiers
IP classifiers only (for untagged traffic)
