PA-3400 Series Next-Gen Firewall Hardware Reference
Updated on
Jan 5, 2024
Focus
Download PDF
Updated on
Jan 5, 2024
Focus
- Home
- PA-3400 Series Next-Gen Firewall Hardware Reference
- PA-3400 Series Firewall Overview
- PA-3400 Series Front Panel
PA-3400 Series Front Panel
Table of Contents
Learn about the PA-3400 Series firewall front-panel components.
The following image shows the front panel of the PA-3410and PA-3420 firewalls and the table describes each front panel component.
Item | Component | Description |
---|---|---|
1 | Ethernet ports 1 through 12 | Twelve RJ-45 10Mbps/100Mbps/1Gbps/2.5Gbps/5Gbps/10Gbps portsfor network traffic. Port 1 is a Zero Touch Provisioning (ZTP) port. The ZTP port can be used to automate the on-boarding of new firewalls to a Panorama management server. To use the ZTP port, read how to boot the firewall in ZTP mode. |
2 | SFP ports 13 through 22 | Ports 13 through 22 are SFP (1Gbps) or SFP+ (10Gbps)based on the installed transceiver. The SFP ports canbe remapped as HA-1 ports via PAN-OS or Panorama. These remappedHA-1 ports offer high availability connectivity over a longer distancethan what is permitted by the HA1-A and HA1-B ports listed below. |
3 | SFP28 ports 23 through 26 | Four SFP28 (25Gbps) ports that also support 1GSFP and 10G SFP+ modules. These ports support RS-FEC. The FEC setting of the remote endpoint mustbe set to RS-514 or RS-528 per the IEEE standards to ensure thatthe link remains up. |
4 | HSCI port | One SFP+ (10Gbps) port (supports both SFP andSFP+ transceivers or cables). Use this port to connect twoPA-3400 Series firewalls in a high availability (HA) configurationas follows:
TheHSCI ports must be connected directly between the two firewallsin the HA configuration (without a switch or router between them).When directly connecting the HSCI ports between two PA-3400 Seriesfirewalls that are physically located near each other, Palo AltoNetworks recommends that you use a passive SFP+ cable. Forinstallations where the two firewalls are not near each other andyou cannot use a passive SFP+ cable, use a standard SFP+ transceiverand the appropriate cable length. |
5 | HA1-A and HA1-B ports | Two RJ-45 10Mbps/100Mbps/1000Mbps ports forhigh availability (HA) control. |
6 | MGT port | Use this Ethernet 10Mbps/100Mbps/1000Mbps portto access the management web interface and perform administrativetasks. The firewall also uses this port for management services,such as retrieving licenses and updating threat and application signatures. The management interface cannot be configuredas a HA port. |
7 | CONSOLE port (RJ-45) | Use this port to connect a management computerto the firewall using a 9-pin serial-to-RJ-45 cable and terminalemulation software. The console connection provides accessto firewall boot messages, the Maintenance Recovery Tool (MRT),and the command line interface (CLI). If your managementcomputer does not have a serial port, use a USB-to-serial converter. Usethe following settings to configure your terminal emulation softwareto connect to the console port:
|
8 | USB port | A USB port that accepts a USB flash drivewith a bootstrap bundle (PAN-OS configuration). Bootstrappingspeeds up the process of configuring and licensing the firewallto make it operational on the network with or without internet access. |
9 | CONSOLE port (Micro USB) | Use this port to connect a management computerto the firewall using a standard Type-A USB-to-micro USB cable. Theconsole connection provides access to firewall boot messages, theMaintenance Recovery Tool (MRT), and the command line interface (CLI). Referto the Micro USB Console Port page for more informationand to download the Windows driver or to learn how to connect froma Mac or Linux computer. |
10 | LED status indicators | Eight LEDs that indicate the status of the firewallhardware components (see Interpret the PA-3400 Series Status LEDs). |
11 | System Drive Cover | Secures the device SSD. |
The following image shows the front panel of the PA-3430 andPA-3440 firewalls and the table describes each front panel component.
Item | Component | Description |
---|---|---|
1 | Ethernet ports 1 through 12 | Twelve RJ-45 10Mbps/100Mbps/1Gbps/2.5Gbps/5Gbps/10Gbps ports for network traffic. Port 1 is a Zero Touch Provisioning (ZTP) port. The ZTP port can be used to automate the on-boarding of new firewalls to a Panorama management server. To use the ZTP port, read how to boot the firewall in ZTP mode. |
2 | SFP ports 13 through 22 | Ports 13 through 22 are SFP (1Gbps) or SFP+ (10Gbps)based on the installed transceiver. The SFP ports canbe remapped as HA-1 ports via PAN-OS or Panorama. These remappedHA-1 ports offer high availability connectivity over a longer distancethan what is permitted by the HA1-A and HA1-B ports listed below. |
3 | SFP28 ports 23 through 26 | Four SFP28 (25Gbps) ports that also support 1GSFP and 10G SFP+ modules. These ports support RS-FEC. The FEC setting of the remote endpoint must be set to RS-514 or RS-528 per the IEEE standards to ensure that the link remains up. |
4 | QSFP28 ports 27 through 36 | Two form-factor pluggable (QSFP+/QSFP28) 40Gbps/100Gbps Ethernet ports. These ports support RS-FEC. Each interface supports breakout mode to create four 10Gbps or four 25Gbps ports each.
The FEC setting of the remote endpoint must be set to RS-514 or RS-528 per the IEEE standards to ensure that the link remains up. RS-FEC is enabled for most transceiver modules. The exceptions are LR4, AOC v2, and BiDi transceivers. |
5 | HSCI port | One SFP+ (10Gbps) port (supports only an SFP+transceiver or passive SFP+ cable). Use this port to connecttwo PA-3400 Series firewalls in a high availability (HA) configurationas follows:
TheHSCI ports must be connected directly between the two firewallsin the HA configuration (without a switch or router between them).When directly connecting the HSCI ports between two PA-3400 Seriesfirewalls that are physically located near each other, Palo AltoNetworks recommends that you use a passive SFP+ cable. Forinstallations where the two firewalls are not near each other andyou cannot use a passive SFP+ cable, use a standard SFP+ transceiverand the appropriate cable length. |
6 | HA1-A and HA1-B ports | Two RJ-45 10Mbps/100Mbps/1000Mbps ports forhigh availability (HA) control. |
7 | MGT port | Use this Ethernet 10Mbps/100Mbps/1000Mbps portto access the management web interface and perform administrativetasks. The firewall also uses this port for management services,such as retrieving licenses and updating threat and application signatures. The management interface cannotbe configured as a HA port. |
8 | CONSOLE port (RJ-45) | Use this port to connect a management computerto the firewall using a 9-pin serial-to-RJ-45 cable and terminalemulation software. The console connection provides accessto firewall boot messages, the Maintenance Recovery Tool (MRT),and the command line interface (CLI). If your managementcomputer does not have a serial port, use a USB-to-serial converter. Usethe following settings to configure your terminal emulation softwareto connect to the console port:
|
9 | USB port | A USB port that accepts a USB flash drivewith a bootstrap bundle (PAN-OS configuration). Bootstrappingspeeds up the process of configuring and licensing the firewallto make it operational on the network with or without internet access. |
10 | CONSOLE port (Micro USB) | Use this port to connect a management computerto the firewall using a standard Type-A USB-to-micro USB cable. Theconsole connection provides access to firewall boot messages, theMaintenance Recovery Tool (MRT), and the command line interface (CLI). Refer to the Micro USB Console Port page for more information and to download the Windows driver or to learn how to connect from a Mac or Linux computer. |
11 | LED status indicators | Nine LEDs that indicate the status of the firewallhardware components (see Interpret the PA-3400 Series Status LEDs). |
12 | System Drive Cover | Secures the device SSD. |
"); adBlockNotification.append($("Thanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application.")); let adBlockNotificationClose = $("x"); adBlockNotification.prepend(adBlockNotificationClose) $('body').append(adBlockNotification); setTimeout(function(e) { adBlockNotification.addClass('open'); }, 10); adBlockNotificationClose.on('click', function(e) { adBlockNotification.removeClass('open'); }) } }, 5000)
Recommended For You
{{ if(( raw.pantechdoctype != "techdocsAuthoredContentPage" && raw.objecttype != "Knowledge" && raw.pancommonsourcename != "TD pan.dev Docs")) { }} {{ if (raw.panbooktype) { }} {{ if (raw.panbooktype.indexOf('PANW Yellow Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Green Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Blue Theme') != -1){ }}
{{ } else { }}
{{ } }} {{ } else { }}
{{ } }} {{ } else { }} {{ if (raw.pantechdoctype == "pdf"){ }}
{{ } else if (raw.objecttype == "Knowledge") { }}
{{ } else if (raw.pancommonsourcename == "TD pan.dev Docs") { }}
{{ } else if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ } else { }}
{{ } }} {{ } }}
{{ if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } else { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } }}
{{ if (raw.pancommonsourcename != "TD pan.dev Docs"){ }} {{ if (raw.pandevdocsosversion){ }} {{ } else { }} {{ if ((_.size(raw.panosversion)>0) && !(_.isNull(raw.panconversationid )) && (!(_.isEmpty(raw.panconversationid ))) && !(_.isNull(raw.otherversions ))) { }} (See other versions) {{ } }} {{ } }} {{ } }}
{{ } }}{{ if (raw.pantechdoctype == "bookDetailPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "bookLandingPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "productLanding"){ }}
{{ } }}{{ if (raw.pantechdoctype == "techdocsAuthoredContentPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}