howto | Ian Loe - Blog

Configuring a PA-220 for small network - Part 2

Part 2: Configuring your Network Zones

Now that you have set up the PA-220 for use, it is time to define and create the zones and interfaces.

Remember to change your PC's IP address to the subnet you used when configuring the MGT interface in Part 1, otherwise you will not reach the management web UI.

Creating Zones

After you have logged in, go to Network -> Zones.

Click on the “Add” button at the bottom of the page.


Here you need to create the following zones (the fifth one is optional):

  • Untrust-L3, Type: Layer 3
  • Trust-L3, Type: Layer 3
  • Trust-L2, Type: Layer 2
  • DMZ-L3, Type: Layer 3
  • VPN, Type: Layer 3 (only if you intend to set up GlobalProtect VPN with its own zone later)


After adding the zones, you should see them listed in the Zones table like this:


At this point, you can connect the ethernet cable from the GPON unit (your ISP's fibre terminal) to port 1 (ethernet1/1) on your PA-220.

Configure Interfaces

Now go to Network -> Interfaces -> Ethernet, and click on “ethernet1/1” to configure it.


You will see this screen; set the Interface Type to “Layer 3”, Virtual Router to “default” and Security Zone to “Untrust-L3”.


Next click on the IPv4 tab and set the Type to “DHCP Client” (unless your ISP requires a manual configuration with a static IP). Leave “Automatically create default route pointing to default gateway provided by server” ticked, otherwise the firewall has no route to the Internet even though it has an address.


Click OK to continue.

Create a VLAN

Next go to Network -> VLANs and click on “Add” at the bottom of the screen.


Create a VLAN object; you can call it “VLAN Object”. Add all the interfaces you want in this VLAN. In my case I added all except ethernet1/5, which I used for the DMZ.


Next go back to Network -> Interfaces -> Ethernet to edit the settings for ethernet1/2 and the other LAN ports.


Set the following for each port from ethernet1/2 to ethernet1/8 (skipping any port you reserved for the DMZ, ethernet1/5 in my case):

  • Interface Type: Layer2
  • Netflow Profile: None
  • VLAN: VLAN Object
  • Security Zone: Trust-L2


Next go to Network -> Interfaces -> VLAN to edit the settings:


Under the Config tab of the “vlan” interface, set the following:

  • VLAN: VLAN Object
  • Virtual Router: default
  • Security Zone: Trust-L3


Under the IPv4 tab, set the Type to “Static” and enter the LAN gateway IP address and mask you defined earlier (in Part 1). This address becomes the default gateway for every host on the LAN, and routed traffic from those hosts enters the firewall here, in zone Trust-L3.


Click OK to continue.

Setting DHCP Server

Go to Network -> DHCP -> DHCP Server.


Click on “Add” at the bottom of the page and select the “vlan” interface as the interface the server listens on.


Add the IP pool range (a start and end address inside your LAN subnet, leaving the gateway address itself out of the pool) and set Mode to enabled. Under Options, set the Gateway to the vlan interface address and fill in at least a Primary DNS server, otherwise clients get an address but no route out and no name resolution.

Click "OK" to continue.

Define a Security Policy

Next go to Policies -> Security


Click on “Add” to create a new policy and give it a name on the General tab (for example “LAN to Internet”):


Next go to the “Source” tab and add the zone “Trust-L3”. This must be the zone of the vlan interface, not Trust-L2: routed traffic from LAN hosts enters the firewall on the vlan interface, so a rule sourced from Trust-L2 would only match switched traffic between the Layer 2 ports and never let anything out.


On the “Destination” tab add the zone “Untrust-L3”


Next go to the “Actions” tab and make sure Action is set to “allow”. With Application and Service left at “any”, this rule lets every application out of the LAN; that is fine to get connectivity working, but tighten it to the applications you actually use once it does.


Click on OK to continue.

Configure NAT

Next go to Policies -> NAT and click on "Add"


Create a NAT Policy Rule called “Internet Outgoing”.


On the Original Packet tab, add the source zone “Trust-L3” and set the destination zone to “Untrust-L3” (the zone of the interface whose address you translate to).


On the “Translated Packet” Tab, set the following:

• Translation Type: Dynamic IP And Port
• Address Type: Interface Address
• Interface: ethernet1/1


None of the above takes effect until you click Commit in the top right of the web UI. After the commit, you should be able to connect a PC to any port from ethernet1/2 to ethernet1/8 on your LAN and reach the Internet through ethernet1/1. To verify, check that the PC received a DHCP lease with the vlan interface address as its gateway, then look at Monitor -> Logs -> Traffic for sessions from Trust-L3 to Untrust-L3 matching your allow rule. Traffic to and from DMZ-L3 stays blocked by the interzone default deny until you write rules for that zone.
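The steps above produce a handful of objects that have to agree with each other before any packet gets out: interface modes must match zone types, every Layer 2 port must share the VLAN object with the vlan interface, the allow rule must be sourced from the vlan interface's zone, and the NAT egress interface must sit in the NAT rule's destination zone. As an added check that is not part of the original post, here is a small Python lint over a hand-written model of that layout. CONFIG is a constructed summary of what the GUI steps create, not a parse of a PAN-OS export, and the security rule name “LAN to Internet” is an assumed name for the rule the post leaves unnamed.

```python
"""Lint the zone / interface / policy layout built in this tutorial.

Constructed example: CONFIG is a hand-written summary of the objects the GUI
steps create. It is not a parse of a PAN-OS configuration export, and the
rule name "LAN to Internet" is an assumed name for the unnamed security rule.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Zone:
    name: str
    kind: str                    # "layer3" or "layer2"

@dataclass
class Interface:
    name: str
    mode: str                    # "layer3" or "layer2"
    zone: Optional[str]          # None: port was never assigned a zone
    vlan: Optional[str] = None   # VLAN object for layer2 ports and the vlan interface

@dataclass
class SecurityRule:
    name: str
    from_zones: List[str]
    to_zones: List[str]
    action: str                  # "allow" or "deny"
    applications: List[str] = field(default_factory=lambda: ["any"])

@dataclass
class NatRule:
    name: str
    from_zones: List[str]
    to_zones: List[str]
    egress_interface: str        # interface whose address is used for source NAT

@dataclass
class Config:
    zones: List[Zone]
    interfaces: List[Interface]
    security: List[SecurityRule]
    nat: List[NatRule]


# Ports 1/2-1/8 except 1/5, which the post reserves for the DMZ.
LAN_PORTS = [f"ethernet1/{n}" for n in (2, 3, 4, 6, 7, 8)]

CONFIG = Config(
    zones=[Zone("Untrust-L3", "layer3"), Zone("Trust-L3", "layer3"),
           Zone("Trust-L2", "layer2"), Zone("DMZ-L3", "layer3")],
    interfaces=[Interface("ethernet1/1", "layer3", "Untrust-L3"),
                Interface("ethernet1/5", "layer3", "DMZ-L3"),
                Interface("vlan", "layer3", "Trust-L3", "VLAN Object")]
               + [Interface(p, "layer2", "Trust-L2", "VLAN Object") for p in LAN_PORTS],
    security=[SecurityRule("LAN to Internet", ["Trust-L3"], ["Untrust-L3"], "allow")],
    nat=[NatRule("Internet Outgoing", ["Trust-L3"], ["Untrust-L3"], "ethernet1/1")],
)


def lint(cfg: Config) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; no "error" entries means the layout can pass traffic."""
    findings: List[Tuple[str, str]] = []
    zones = {z.name: z for z in cfg.zones}
    ifaces = {i.name: i for i in cfg.interfaces}
    internet_zones = {z for n in cfg.nat for z in n.to_zones}   # where source NAT sends traffic
    vlan_if = ifaces.get("vlan")

    for i in cfg.interfaces:
        # 1. Every interface needs a zone, and the zone type must match the interface mode.
        if i.zone is None:
            findings.append(("error", f"{i.name}: no zone assigned, interzone default-deny drops its traffic"))
        elif i.zone not in zones:
            findings.append(("error", f"{i.name}: zone {i.zone} does not exist"))
        elif zones[i.zone].kind != i.mode:
            findings.append(("error", f"{i.name}: {i.mode} interface cannot join {zones[i.zone].kind} zone {i.zone}"))
        # 2. Layer-2 ports must share the VLAN object of the vlan interface to reach the gateway.
        if i.mode == "layer2" and (vlan_if is None or i.vlan != vlan_if.vlan):
            findings.append(("error", f"{i.name}: not in the vlan interface's VLAN object, no gateway reachable"))

    # 3. Routed LAN traffic enters on the vlan interface, so the Internet allow rule
    #    must be sourced from the vlan interface's zone, not from the Layer-2 port zone.
    if not any(r.action == "allow" and vlan_if is not None and vlan_if.zone in r.from_zones
               and set(r.to_zones) & internet_zones for r in cfg.security):
        findings.append(("error", "no allow rule from the vlan interface's zone to the NAT destination zone"))

    # 4. Rule hygiene: unknown zones, inbound allows from the Internet side, application any.
    for r in cfg.security:
        for z in r.from_zones + r.to_zones:
            if z not in zones:
                findings.append(("error", f"rule {r.name}: zone {z} does not exist"))
        if r.action == "allow" and set(r.from_zones) & internet_zones:
            findings.append(("warn", f"rule {r.name}: allows sessions initiated from the Internet zone"))
        if r.action == "allow" and "any" in r.applications:
            findings.append(("warn", f"rule {r.name}: application any, restrict it once connectivity works"))

    # 5. Source NAT: the translated interface must sit in the NAT rule's destination zone.
    for n in cfg.nat:
        egress = ifaces.get(n.egress_interface)
        if egress is None or egress.zone not in n.to_zones:
            findings.append(("error", f"NAT {n.name}: {n.egress_interface} is not in destination zone(s) {n.to_zones}"))

    # 6. A Layer-3 zone no rule mentions is cut off by the interzone default-deny.
    referenced = {z for r in cfg.security for z in r.from_zones + r.to_zones}
    for z in cfg.zones:
        if z.kind == "layer3" and z.name not in referenced:
            findings.append(("warn", f"zone {z.name}: no security rule references it, default-deny applies"))
    return findings


def errors(cfg: Config) -> List[str]:
    return [msg for sev, msg in lint(cfg) if sev == "error"]


if __name__ == "__main__":
    for sev, msg in lint(CONFIG):
        print(f"[{sev}] {msg}")
```

Run as-is, the layout from this post produces no errors and two warnings: the allow rule uses application “any”, and DMZ-L3 is not referenced by any rule. Swapping the rule's source to Trust-L2 or pointing the NAT rule at ethernet1/5 turns into an error, which is exactly the kind of mistake that leaves the LAN with a DHCP lease but no Internet.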

