topic Re: Shutting down/disabling subinterfaces in General Topics

Shutting down/disabling subinterfaces

scourge — Fri, 26 Jul 2013 15:02:28 GMT

I am very new to the PANOS world so I will apologize in advance if this is obvious, however my search of documentation and knowledebase did not yield anything. I have been looking for a way to administratively shut down sub interfaces. Is this possible? While it's easy enough to shutdown a physical interface by assigning it's link-state we're not seeing a way to do the same for an individual sub-interface.

Re: Shutting down/disabling subinterfaces

kprakash — Fri, 26 Jul 2013 15:15:06 GMT

Hi Scourge,

We do not have an option of shutting down a sub interface as its logical in nature. We could however, select "none" zone for the sub-interface or "none" virtual router or both, if you do not want traffic to ingress/egress via this sub interface.

Hope this helps

BR,

Karthik

Re: Shutting down/disabling subinterfaces

Retired Member — Fri, 26 Jul 2013 15:18:41 GMT

Hi,

Subinterfaces are logical interfaces and they do not have link state as I know.

Why do you need that option ?

Re: Shutting down/disabling subinterfaces

scourge — Fri, 26 Jul 2013 15:29:01 GMT

It's a very useful feature when you are replacing existing equipment for example. The ability to disable a subinteterface would allow you to assign and commit an ip address that would potentially conflict with an existing piece of equipment. When you're ready to cut over you can just disable the interfaces on the old equipment and enable them on the PA firewall. This is why there's a concept of administrative shutdown in the cisco world for example.

Re: Shutting down/disabling subinterfaces

kprakash — Fri, 26 Jul 2013 16:22:14 GMT

You have a valid point, but we do not have that feature as of today on the box. You can contact your Sales Engineer for this enhancement request and he can apply one for you on your behalf. Till then you have to work around it with the steps that I mentioned before.

BR,

Karthik

Re: Shutting down/disabling subinterfaces

scourge — Fri, 26 Jul 2013 18:39:22 GMT

Thanks. I appreciate your feedback!

Re: Shutting down/disabling subinterfaces

Shaun_Louw — Thu, 18 Mar 2021 06:55:32 GMT

Has there been any advance on this?

Last message was 2013.

Moreover if I use the work around and set my subinterface into Zone = None, change the VR:

Will the interface still respond to packets?

E.g. ARP, ping etc?

I am replacing old FW with new Palo and I need to be sure even with above measures taken that there will be no effect of duplicating the existing live interface

Thanks for any reply

Re: Shutting down/disabling subinterfaces

majidx94 — Thu, 04 Nov 2021 11:07:49 GMT

I'm facing the same situation right now. I want to replace the old FWs with the new Palo Alto FWs. So, I need to disable an exiting sub-interface on the old FWs and enable it on the new FWs. Select "none" for the sub-interface zone or "none" for the virtual router, or both it will take time for me. So, shutdown sub interfaces would make it easy.

Re: Shutting down/disabling subinterfaces

justamoment — Thu, 04 Nov 2021 17:15:47 GMT

Same here - I was going to hot-cut a 3-tier infrastructure into one cluster but I just got told yesterday I need to do it one tier at a time. I guess the zone workaround is about the same amount of but I don't feel comfortable with the zone option. I guess I'm old school, lol.

Edit: What about duplicate IP addresses? Does the zone workaround completely take it out of routing & ARP'ing? Since I'm moving multiple VLANs' gateways from one firewall to another there's the potential for IP address conflicts.

Re: Shutting down/disabling subinterfaces

justamoment — Sun, 28 Nov 2021 02:21:32 GMT

FYI, I mentioned this to a support engineer and he said just remove the IP address and leave the zone & VR alone.

Re: Shutting down/disabling subinterfaces

andrasim — Mon, 25 Jul 2022 12:03:59 GMT

I have found the only simple option to remove the VLAN assignment from the trunk on the switch side.

Re: Shutting down/disabling subinterfaces

Kobiher — Thu, 07 Sep 2023 16:25:09 GMT

Neither solutions work for me on Panorama 10.2.4-h4 & PA-460 with Pan-OS 10.2.3 -0 the FW doesn't accept the sub0interface without IP, VR or Zone...

we told the customer to @kprakash 's idea - waiting on results

Re: Shutting down/disabling subinterfaces

N.Gurjar — Wed, 22 Jan 2025 03:20:27 GMT

Other vendors like Cisco has. Moreover, rename the zone to none will lead to validation errors if there are policies referring to that zone where you want to shut down the sub-interface

Re: Shutting down/disabling subinterfaces

justamoment — Wed, 22 Jan 2025 09:45:37 GMT

@N.Gurjar Please see my reply above. It's what I ended up doing and it worked just fine. With that said, I 100% agree that there should just be a "shutdown" command like Cisco. However, at least one person reported that it didn't work. When I did it,I want to say I was either on 8.1 or 9.1.

Re: Shutting down/disabling subinterfaces

TomYoung — Wed, 22 Jan 2025 16:44:54 GMT

I have always wanted this feature. If everyone on this thread contacts their PANW SE and requests this feature, then we should get a feature request ID created.

Re: Shutting down/disabling subinterfaces

K.Saucier — Fri, 06 Jun 2025 13:42:31 GMT

Good luck. I'm moving from Fortinet to Palo Alto (by someone else's direction) and the UI is like taking a 15 year step backward. I'm amazed at how many little things I've gotten used to in Fortinet that don't exist in Palo. I go off and search to see if I'm missing something and, like this thread, I find an ancient thread indicating that Palo just 'doesn't do that'. And there's always the 'submit a request' line, as if that gets anywhere. It's as if Palo's interface was designed by someone who has never managed a firewall before and architectural decisions were designed by someone who's never managed a network before. Beyond frustrating.....