
In Palo Alto, identify the various deployment modes.

Answer»

There are four deployment modes to choose from:

  • Tap mode deployment option
  • Virtual Wire (V-Wire) deployment option
  • Layer 2 deployment option
  • Layer 3 deployment option

1. Tap mode deployment option:

Using a network tap or a switch SPAN/mirror port, the firewall receives a copy of the traffic flowing through the network and can observe it. The advantage of this option is that an enterprise can closely monitor traffic to its servers or networks without making any change to the network infrastructure.

When configuring SPAN it is critical to set the correct SPAN source and SPAN destination ports, and to enable Tap mode on the firewall interface. Although tap mode provides visibility of applications, users and content, keep in mind that the firewall cannot control traffic in this mode, because no security rules can be enforced on a copy of the traffic; tap mode only adds visibility in the dashboard's ACC tab. The catch is that the tap interface still has to be assigned to a security zone.

2. Virtual Wire (V-Wire) deployment option:

In this deployment model the firewall is inserted transparently into a network segment by binding two interfaces together as a virtual wire. Unlike Tap mode, a V-Wire deployment lets engineers both monitor and control the traffic crossing the link, overcoming the restriction of Tap mode. App-ID, User-ID, Content-ID, NAT and decryption are all supported on Virtual Wire interfaces.

3. Layer 2 deployment option:

In Layer 2 mode, multiple network interfaces are configured into a "virtual switch" or VLAN. The firewall is deployed in Layer 2 mode to switch traffic between two or more network segments. Traffic passing through the firewall is inspected according to policy, improving security and visibility within the internal network.

In this mode the firewall interfaces can support access or trunk links (802.1Q trunking), but they do not take part in the Spanning Tree topology: any BPDUs received on a firewall interface are forwarded unprocessed to the adjacent Layer 2 switch. Traffic between VLANs or to other networks is routed by a default gateway, which is commonly a Layer 3 switch capable of inter-VLAN routing, a firewall security appliance, or even a router-on-a-stick design.

4. Layer 3 deployment option:

In a Layer 3 deployment the Palo Alto firewall routes traffic between its interfaces. The user must assign an IP address to each interface.

Layer 3 deployment mode is the most common configuration. In this mode the firewall routes traffic between multiple interfaces, each of which has its own IP address and security zone. A firewall interface can also be configured to obtain its IP address from a DHCP server and can be used to manage the security appliance.

The diagram above depicts a typical Layer 3 deployment scenario in which the firewall routes and controls traffic between three IP networks. As in the other deployment modes, all traffic passing through the firewall is inspected and allowed or denied according to the configured security policies.
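An added example (not from the page or from Palo Alto Networks) that checks the rule repeated across the four modes above: every tap, virtual wire, Layer 2 or Layer 3 interface has to sit in a security zone, and the zone's type has to match the interface mode. The script lints a constructed config fragment whose element layout is assumed to resemble a PAN-OS XML export; the interface names, zone names and addresses are invented.

```python
import xml.etree.ElementTree as ET
# Constructed sample config. The element layout is an assumption modelled on
# a PAN-OS XML export; interface names, zone names and addresses are invented.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><interface><ethernet>
    <entry name="ethernet1/1"><tap/></entry>
    <entry name="ethernet1/2"><virtual-wire/></entry>
    <entry name="ethernet1/3"><layer2/></entry>
    <entry name="ethernet1/4"><layer3><ip><entry name="10.10.1.1/24"/></ip></layer3></entry>
    <entry name="ethernet1/5"><layer3><ip><entry name="10.10.2.1/24"/></ip></layer3></entry>
  </ethernet></interface></network>
  <vsys><entry name="vsys1"><zone>
    <entry name="tap-monitor"><network><tap><member>ethernet1/1</member></tap></network></entry>
    <entry name="vwire-in"><network><virtual-wire><member>ethernet1/2</member></virtual-wire></network></entry>
    <entry name="trust"><network><layer3><member>ethernet1/3</member><member>ethernet1/4</member></layer3></network></entry>
  </zone></entry></vsys>
</entry></devices></config>
"""
# Deployment modes: the same keyword names the interface mode and the zone type.
MODES = ("tap", "virtual-wire", "layer2", "layer3")

def interface_modes(root):
    """Map each ethernet interface to its deployment mode (None if unset)."""
    return {iface.get("name"): next((m for m in MODES if iface.find(m) is not None), None)
            for iface in root.iterfind(".//network/interface/ethernet/entry")}

def zone_assignments(root):
    """Map each interface listed in a zone to (zone name, zone type)."""
    assigned = {}
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        for mode in MODES:
            for member in zone.iterfind(f"network/{mode}/member"):
                assigned[member.text] = (zone.get("name"), mode)
    return assigned

def audit(config_xml):
    """List interfaces with no mode, no zone, or a zone type that differs from the mode."""
    root = ET.fromstring(config_xml.strip())
    modes, zones = interface_modes(root), zone_assignments(root)
    findings = []
    for iface, mode in sorted(modes.items()):
        if mode is None:
            findings.append(f"{iface}: no deployment mode configured")
        elif iface not in zones:
            findings.append(f"{iface}: {mode} interface not assigned to any zone")
        elif zones[iface][1] != mode:
            findings.append(f"{iface}: {mode} interface placed in {zones[iface][1]} zone {zones[iface][0]}")
    return findings
```

On the sample, `audit(SAMPLE_CONFIG)` flags the Layer 2 interface that was dropped into a Layer 3 zone and the Layer 3 interface that was never zoned; a real firewall would refuse such a commit, so the check is most useful on configs generated or templated outside the device.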


