Shutting down/disabling subinterfaces

scourge
Not applicable


I am very new to the PANOS world so I will apologize in advance if this is obvious, however my search of documentation and knowledge base did not yield anything. I have been looking for a way to administratively shut down subinterfaces. Is this possible? While it's easy enough to shut down a physical interface by assigning its link-state, we're not seeing a way to do the same for an individual subinterface.

kprakash
L5 Sessionator

Hi Scourge,

We do not have an option of shutting down a subinterface as it's logical in nature. We could, however, select "none" zone for the subinterface or "none" virtual router or both, if you do not want traffic to ingress/egress via this subinterface.

Hope this helps

BR,

Karthik

panos
L6 Presenter

Hi,

Subinterfaces are logical interfaces and they do not have link state as far as I know.

Why do you need that option?

scourge
Not applicable

It's a very useful feature when you are replacing existing equipment, for example. The ability to disable a subinterface would allow you to assign and commit an IP address that would potentially conflict with an existing piece of equipment. When you're ready to cut over you can just disable the interfaces on the old equipment and enable them on the PA firewall. This is why there's a concept of administrative shutdown in the Cisco world, for example.

kprakash
L5 Sessionator

You have a valid point, but we do not have that feature as of today on the box. You can contact your Sales Engineer for this enhancement request and he can apply one for you on your behalf. Till then you have to work around it with the steps that I mentioned before.

BR,

Karthik

scourge
Not applicable

Thanks. I appreciate your feedback!

Shaun_Louw
L1 Bithead

Has there been any advance on this?

Last message was 2013.

Moreover, if I use the workaround and set my subinterface into Zone = None, change the VR:

Will the interface still respond to packets?

E.g. ARP, ping etc?

I am replacing old FW with new Palo and I need to be sure even with above measures taken that there will be no effect of duplicating the existing live interface.

Thanks for any reply
