Add loopback IP addresses to firewalls

You can use Loopback IP addresses to assign IP addresses that do not belong to any directly connected networks to the Single Firewall or Firewall Cluster.

Loopback IP addresses are not connected to any physical interface and they do not create connectivity to any network.

  • Any IP address that is not used to route traffic on another interface can be used as a loopback IP address, and you can add several loopback IP addresses to each Firewall.
  • Any IP address that is not already used as a Cluster Virtual IP Addresses (CVI) or Node Dedicated IP Addresses (NDI) on another interface can be used as a loopback IP address.
    • A CVI loopback IP address is used for loopback traffic that is sent to the whole cluster. All the nodes in the cluster share it.
    • An NDI loopback IP address is used for loopback traffic that is sent to a specific node in the cluster. NDI loopback IP addresses must be unique for each node. You must define an NDI loopback IP address for all nodes.
  • The same IP address can be used as a loopback IP address and as the IP address of a Tunnel Interface.
  • Loopback IP addresses can be used as the IPv4 Identity for Authentication Requests or IPv6 Identity for Authentication Requests, the IPv4 Source for Authentication Requests or IPv6 Source for Authentication Requests, and the Default IP Address for Outgoing Traffic.
  • Loopback IP addresses cannot be used as Control IP addresses for communication with the Management Server or as Heartbeat Interfaces.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an NGFW Engine, then select Edit <element type>.
  2. Browse to Interfaces > Loopback.
  3. Configure the settings.
  4. Click Save and Refresh.

Engine Editor > Interfaces > Loopback

Use this branch to define loopback IP addresses for Firewalls. Loopback IP addresses allow you to assign IP addresses that do not belong to any directly connected networks to the Firewall.

Option Definition
Bypass Default IP Address Specifies how the source IP address for traffic sent from the NGFW Engine node is selected for tunnel interfaces that do not have IP addresses.
  • Use Loopback IP Address in Unnumbered Tunnel Interface — Uses an IP address listed in the table as the source IP address of traffic sent from the NGFW Engine node.
  • Use Default Outgoing IP Address in Unnumbered Tunnel Interface — Uses the default outgoing IP address defined in the Interface Options pane as the source IP address of traffic sent from the NGFW Engine node.
Loopback addresses table Click Add Row to add a row to the table, or Remove Row to remove the selected row. Click Up or Down to move the selected item up or down.
Loopback Address Enter the loopback IP address.
CVI Address

(Clusters only)

Enter the loopback IP address for the cluster.
Node NDI Address

(Clusters only)

Enter the node-specific loopback IP address.
OSPFv2 Area To advertise the loopback IP address as an OSPFv2 internal route, double-click the cell, then select an OSPFv2 Area element.
Comment

(Optional)

A comment for your own reference.