Any way to change the MAC Address on the Untrust interface in PanOS 4.1.2?


L0 Member

Hello, I'm new to Palo Alto and am using PanOS 4.1.2 on a PA-500.

I was wondering if there is any way to change the MAC address on the WAN Interface so that my IP address stays the same.

Currently I have several systems in my home lab and if my MAC address changes, I will receive a new IP address which will cause me some issues.

I know that the advertised MAC address can be changed on other firewalls from other manufacturers, but I cannot find the way to change it in PanOS.

Any help is much appreciated.

11 REPLIES 11

L6 Presenter

According to the https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=PA-4.1_Admin... (unless I'm blind or something 😉) PAN currently doesn't support changing the mac-address of the physical interfaces.

However it seems to be somewhat supported when enabling IPv6 for a particular interface (page 93 in the linked pdf). But the explanation in the manual can also be that the mac-address won't change when using IPv6, only how the last 64 bits of the IPv6 address will look like (if not set then EUI-64 method will be used).

I guess the recommendation would be if you contact your SE and file this as a feature request (unless someone else in here has a tip?).
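An added illustration of the EUI-64 method mentioned in the reply above (not part of the original posts): the last 64 bits of the IPv6 address are computed from the interface MAC, while the MAC itself stays what it was. The function names and the documentation prefix 2001:db8::/64 are assumptions made for this sketch; the sample MAC is the one quoted in the Juniper snippet later in this thread.

```python
import ipaddress
import re

MAC_RE = re.compile(r"(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}")

def parse_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of a colon- or dash-separated MAC."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe."""
    raw = parse_mac(mac)
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the MAC-derived interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def mac_from_eui64(addr: str):
    """Recover the MAC an EUI-64 address was built from, else None.

    A manually configured interface ID has no ff:fe marker, so nothing
    about the hardware address can be read back from it.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

if __name__ == "__main__":
    mac = "b0:c6:9a:39:ba:00"  # sample MAC taken from the thread
    addr = eui64_address("2001:db8::/64", mac)
    print(addr, "->", mac_from_eui64(str(addr)))
    print("2001:db8::1 ->", mac_from_eui64("2001:db8::1"))
```

Setting the interface ID by hand changes only these 64 bits of the layer-3 address; a DHCPv4 reservation keyed on the MAC is unaffected either way.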

L7 Applicator

The Short answer is No, there is no way that we support changing the MAC address like that.

The Longer answer is that it sounds like you do not want the MAC Address to change, because NAT is changing it and then change it back so it has its original MAC address.

If this is true, then you might want to think about setting up 2 interfaces in Vwire mode (Bridge or Bump on a wire), so, not only will it not change the MAC addr, but it will not require IPs on those interfaces.

PLEASE NOTE if you want NAT it does not work well with Vwire mode. (even though 4.1.2 might list this as an added feature)

If you want this for NAT with a normal interface (non vwire), then the MAC address WILL change.

Kind Regards,

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

"The Short answer is No, there is no way that we support changing the MAC address like that."

Not even if filed as feature request (which sounds really odd since most modern NICs support altering the phy-stuff etc)?

You are always welcome to contact your local SE and ask for a feature like that. As the SEs are the only ones right now that can put in the Feature Requests.

Have a great day!

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

I was more thinking of if there would be some kind of physical limitation (and therefore no need to take the time to write this as a feature request to your SE)?

For example if one wants 100Gbit/s interfaces there is a physical limitation which gives that this isn't supported for current models (but perhaps in the future) which means that your feature request won't be fixable for current models but maybe for future models.

jdelio,

Ok, answer me this.  Why can I change the physical MAC address on almost any other firewall / router?  Even on a $30 Linksys router, I have the ability to change the MAC address of the External Interface.

Here's a snippet of the config from my old Juniper SRX Firewall where I WAS able to change the MAC when replacing the firewall for another for testing.

fe-0/0/7 {
    enable;
    mac b0:c6:9a:39:ba:00;
    unit 0 {
        family inet {
            mtu 1500;
            dhcp;
        }
    }
}

By doing this, I was able to maintain the same IP Address even though I changed the physical firewall because I was able to spoof the MAC address of the old router.

I mean this has been available on other routers / firewalls for many years.  Just does not make any sense that this would have to be a feature request on a much more powerful, feature rich next gen firewall.

I highly doubt this is a hardware limitation.

I will have my SE send in the feature request to see what can be done, if anything.

Retired Member
Not applicable

Not likely that this is a hardware limitation as we can alter the MAC address as a virtual MAC when in HA A/P (this is preset as well and not configurable). The ability to change MAC address is not something that is currently available in PAN-OS. Also there are some firewalls/routers that I have worked with in the past that do not have the ability to change MAC address. So this is not just Palo Alto that does not have this feature.

Jdelio is correct. You should follow through with feature request through your local SE.

-Richard

Thanks all.  I will submit the request to my SE.

I deal with a lot of customers that have many branches, sometimes in the hundreds.  Some of them having to have a DHCP internet connection with the provider configuring a DHCP reservation so that the customer always receives the same IP address for VPN connectivity.

Having this as a feature I believe will be very helpful in some of these unique situations.

In my case, it's not as big of a deal as it is only my lab at home affected and easily fixed.

Keep the rest of us updated on how this request progresses 🙂

Not applicable

I would like this feature as well, it would be nice to spoof a MAC address.... In case anyone is wondering why, my ISP reserves the MAC address on the provided router...

Not applicable

I know this thread is more than 2 years old, but we are now on version 6.0.1 and still no feature for changing the MAC address?

I was looking for this feature as I also need to keep my external address because I have subscriptions like at spamhaus for certain feeds and they need to know my external ip-address.

And I don't want to notify them all every time my ip-address changes.

So when can we finally expect this feature? In which build will it be included?
