1Open the Network tab
In the top tab strip of the PAN-OS simulator, click Network. This is where all interface, zone, virtual-router, DNS proxy, and VPN settings live.
ethernet1/4 as a Layer-3 interface with IP 10.30.0.1/24, place it in a brand-new security zone called guest, then commit and verify with the CLI.
In the top tab strip of the PAN-OS simulator, click Network. This is where all interface, zone, virtual-router, DNS proxy, and VPN settings live.
Before assigning an interface to a zone, the zone needs to exist. The default config has trust and untrust only — we want a third one called guest.
Above the zone table you'll see a toolbar with a single blue button.
| Name | Type | Interfaces |
|---|---|---|
| trust | layer3 | ethernet1/1 |
| untrust | layer3 | ethernet1/2 |
Enter the following exactly:
guestlayer3 (this is the default — leave it)ethernet1/4 automatically when we configure the interface in Step 6.Then click OK.
The zone is created (zone counter went from 2 → 3). Now switch the sidebar to Interfaces.
ethernet1/3 currently shows state down with no zone or IP — that's the one we'll bring up.| Interface | Zone | IP | State |
|---|---|---|---|
| ethernet1/1 | trust | 10.10.10.1/24 | up |
| ethernet1/2 | untrust | 203.0.113.1/30 | up |
| ethernet1/3 | — | — | down |
We won't edit eth1/3 — instead we add a brand-new interface (eth1/4) so the lab is repeatable.
Enter each field exactly as shown:
ethernet1/4 (pre-filled with the next available number — verify and adjust if needed)layer3guest (this is the zone we created in step 4)10.30.0.1/24 (CIDR notation — slash + bits)upClick OK.
guest in the Zone field works because the zone exists. If you'd typed finance instead, the simulator would create a new (empty) zone on the fly — but that's an easy way to end up with typo'd zones that don't match your security policies. Always create zones first.Two things to look for:
ethernet1/4 with zone guest, IP 10.30.0.1/24, state up.| Interface | Zone | IP | State |
|---|---|---|---|
| ethernet1/1 | trust | 10.10.10.1/24 | up |
| ethernet1/2 | untrust | 203.0.113.1/30 | up |
| ethernet1/3 | — | — | down |
| ethernet1/4 | guest | 10.30.0.1/24 | up |
Click the amber Commit button in the top-right of the header.
This is the L3 engineer habit you should build: after every GUI change, verify in the CLI. Three commands prove the work:
show interface ethernet1/4 — confirm zone, IP, runtime status.show running-config — find the <entry name="ethernet1/4"> block.test security-policy-match from guest to untrust source 10.30.0.10 destination 8.8.8.8 protocol 6 — currently this returns "No matching rule. Implicit deny." because we haven't written a security policy for the guest zone yet. That's expected!guest → untrust action allow, application any. Then re-run the test security-policy-match command and watch the answer change to point at your new rule.