The Palo Alto Networks firewall does not currently have a direct option for shutting down a sub-interface, as it is logical in nature.
As a workaround, select "none" for the sub-interface zone or "none" for the virtual router, or both. This will effectively disable ingress/egress traffic on the sub-interface.
But doesn't this also mean that if you remove the VR connection, you will have to make sure that there are no static entries associated with it first? Same goes with the Security Zone.
From what I can tell, there should be an option to Disable the interface. Even on a Cisco switch, I have the option of shutting down the VLAN. I would think there would be an option here similar for that.
Well, that would be logical, but I searched the whole GUI and CLI, and found no option to disable a subinterface.
The above-mentioned options are workarounds, but in fact that's altering the configuration. A simple disable option would be desirable.
Dear @abruggeman and @dhill6,
I checked with a PAN-OS 7.1 device, and the option is not there.
I talked with a software person here at Palo Alto, and at this time there is no link state option in GUI or CLI.
The reason for this is that the sub-interface is not a separate interface. It’s a subset of the interface to which it is a sub, so the only way to toggle its status would be to toggle the whole interface. OR to perform what is described above.
Note there is no link state icon on the subinterface in the GUI:
If this is something that you would like to see enabled, please contact a Sales Engineer, and they can put in a "Feature Request". They also talk with our engineering department about new features, and any requests they may get from any customers.
As far as "turning off" the zone or virtual router, yes, always make sure that something is not going to break with the zone in a rule or routing issue when this is performed. I will make a notice in the article, Thanks.
I hope this helps.
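The dependency check raised in this thread (static routes and zone membership that still point at the sub-interface) can be run against an exported configuration before the zone or virtual router is set to "none". The following is an added example, not part of the original posts or Palo Alto Networks code; the sample XML is constructed, its layout is an assumption modelled on a PAN-OS configuration export, and `find_references` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample; layout assumed to resemble a PAN-OS XML config export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
 <network>
  <interface><ethernet><entry name="ethernet1/1"><layer3><units>
    <entry name="ethernet1/1.100"><tag>100</tag></entry>
  </units></layer3></entry></ethernet></interface>
  <virtual-router><entry name="default">
    <interface><member>ethernet1/1.100</member><member>ethernet1/2</member></interface>
    <routing-table><ip><static-route><entry name="lab-net">
      <interface>ethernet1/1.100</interface><destination>10.50.0.0/16</destination>
    </entry></static-route></ip></routing-table>
  </entry></virtual-router>
 </network>
 <vsys><entry name="vsys1"><zone><entry name="lab">
   <network><layer3><member>ethernet1/1.100</member></layer3></network>
 </entry></zone></entry></vsys>
</entry></devices></config>"""


def find_references(xml_text, ifname):
    """Return sorted config paths of every element whose text is ifname.

    The walk is schema-agnostic: it does not rely on fixed XPaths, so it
    reports any place that names the sub-interface (virtual-router member,
    static-route egress interface, zone member, ...). The sub-interface's
    own definition is identified by a name attribute, not by element text,
    and is therefore not reported.
    """
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        name = elem.get("name")
        here = path + "/" + elem.tag + (f"[{name}]" if name else "")
        if (elem.text or "").strip() == ifname:
            hits.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return sorted(hits)


if __name__ == "__main__":
    for ref in find_references(SAMPLE_CONFIG, "ethernet1/1.100"):
        print(ref)
```

Security rules refer to the zone rather than the interface, so running the same function with the zone name covers rule references to that zone.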
This should be added without a doubt for troubleshooting. If it seems logical, it should just be implemented.
If you reach out to your local sales team you can have your vote added to Feature request FR ID: 3658 to include this capability.