What are the different deployment modes in Palo Alto firewalls?

(@kajal)

Palo Alto Networks firewalls support multiple deployment modes, allowing them to fit into a wide range of network topologies without needing to redesign your infrastructure. Each mode determines how the firewall interfaces handle traffic, and what kind of visibility, control, and security services can be applied.

There are four primary deployment modes:

  1. Layer 2 Mode (Transparent Switching)
  2. Layer 3 Mode (Routing)
  3. Virtual Wire Mode (Transparent Inline)
  4. Tap Mode (Passive Monitoring)

1. Layer 2 Mode (Transparent Switching)

🔹 Description:

  • The firewall acts like a switch or bridge.

  • Interfaces are assigned to a VLAN, and traffic is forwarded based on MAC addresses.

🔹 Use Cases:

  • When you want the firewall to inspect traffic within the same subnet (east-west traffic).

  • Adding security between devices on the same VLAN without changing IP addressing.

🔹 Key Points:

  • No routing — just switching/bridging.

  • Still allows App-ID, Content-ID, User-ID, etc.

  • Interfaces are part of a Layer 2 zone.

🔹 Example:

  • Filtering traffic between hosts in the same VLAN (e.g., between user PCs and printers).

2. Layer 3 Mode (Routing)

🔹 Description:

  • The most common deployment mode.

  • The firewall routes traffic between different subnets.

  • Each interface has its own IP address and participates in routing.

🔹 Use Cases:

  • When the firewall is your gateway/router between networks (e.g., internal to DMZ, or LAN to WAN).

  • Full control of traffic with routing protocols, NAT, and security policies.

🔹 Key Points:

  • Supports static and dynamic routing (OSPF, BGP, RIP).

  • Most flexible and powerful deployment.

  • Interfaces are part of a Layer 3 zone.

🔹 Example:

  • Firewall sits between your LAN and Internet, performing routing, NAT, and inspection.

3. Virtual Wire Mode (Transparent Inline)

🔹 Description:

  • The firewall is deployed transparently between two network devices (like a bump-in-the-wire).

  • No IP addressing or MAC changes — traffic is just passed through.

🔹 Use Cases:

  • When you need inline inspection without changing the existing network topology.

  • Ideal for stealth deployment — often used in data centers or testing environments.

🔹 Key Points:

  • Interfaces are paired as virtual wires.

  • No need to configure IP addresses on the firewall interfaces.

  • Still supports App-ID, Threat Prevention, etc.

  • Interfaces are part of a Virtual Wire zone.

🔹 Example:

  • Inserted between a router and a switch to monitor and control traffic without disrupting the network.

4. Tap Mode (Passive Monitoring)

🔹 Description:

  • The firewall receives a copy of network traffic (via SPAN/mirror port).

  • It is not inline, so it can't block traffic — only monitor and analyze it.

🔹 Use Cases:

  • For passive threat detection, visibility, or evaluation before moving inline.

  • Useful in audit or test environments.

🔹 Key Points:

  • No traffic control (no NAT, no policy enforcement).

  • Great for logging, visibility, and learning network behavior.

  • Interfaces are part of a Tap zone.

🔹 Example:

  • Connect the firewall to a mirrored port on a switch to monitor web traffic for malware.

 
Posted : 16/10/2025 10:47 am
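The following is an added example, not part of the original post: the PAN-OS configure-mode commands that place interfaces into each of the four modes described above, with each interface assigned to a zone of the matching type. Interface numbers, zone names, the VLAN and virtual-wire object names, IP addresses and the virtual-router name are assumptions chosen for illustration; the `#` lines are annotations for the reader and must be dropped before pasting into a real CLI session.

```text
# Added example (assumed names and addresses), one interface pair per mode.
configure

# 1. Layer 2: both ports are bridged by one VLAN object; zone type layer2.
#    No IP on the ports, forwarding is by MAC, policy still applies between zones.
set network interface ethernet ethernet1/1 layer2
set network interface ethernet ethernet1/2 layer2
set network vlan user-vlan interface [ ethernet1/1 ethernet1/2 ]
set zone l2-users network layer2 [ ethernet1/1 ethernet1/2 ]

# 2. Layer 3: each port has its own IP and is attached to a virtual router; zone type layer3.
set network interface ethernet ethernet1/3 layer3 ip 10.10.1.1/24
set network interface ethernet ethernet1/4 layer3 ip 203.0.113.2/30
set network virtual-router default interface [ ethernet1/3 ethernet1/4 ]
set zone trust network layer3 ethernet1/3
set zone untrust network layer3 ethernet1/4

# 3. Virtual wire: two ports paired into one vwire object, no IP or MAC of its own; zone type virtual-wire.
set network interface ethernet ethernet1/5 virtual-wire
set network interface ethernet ethernet1/6 virtual-wire
set network virtual-wire dc-vwire interface1 ethernet1/5 interface2 ethernet1/6
set zone vw-inside network virtual-wire ethernet1/5
set zone vw-outside network virtual-wire ethernet1/6

# 4. Tap: one port fed from a switch SPAN/mirror session; zone type tap.
set network interface ethernet ethernet1/7 tap
set zone tap-monitor network tap ethernet1/7

# Tap mode cannot block anything, but mirrored traffic is only inspected and logged
# when a security rule matches it, so the tap zone still needs an allow rule with
# logging enabled. Source and destination zone are both the tap zone.
set rulebase security rules tap-visibility from tap-monitor to tap-monitor source any destination any source-user any category any application any service any hip-profiles any action allow log-end yes

commit
```

Two checks worth making before committing: the interface type and the zone type must agree (a tap or virtual-wire interface cannot be placed in a layer3 zone, and a Layer 3 rule cannot route traffic into a virtual-wire zone), and for the tap deployment the SPAN session on the switch should mirror both directions of the traffic, otherwise App-ID and session-based threat signatures see only half of each flow and the logs will be misleading.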