Select system communication roles for Layer 2 Firewall interfaces

Interface options allow you to select which interfaces are used for which types of system communications.

You can define the following settings for system communication:
  • Which IP addresses are used as the primary and backup Control IP address
  • Which interfaces are used as the primary and backup Heartbeat Interface (Layer 2 Firewall Clusters only)
  • The default IP address for outgoing traffic
By default, the first IP address you add to a Normal Interface is automatically selected for the following roles:
  • As the primary Control IP address
  • As the primary Heartbeat Interface (Layer 2 Firewall Clusters only)
  • As the default IP address for outgoing traffic

You can optionally change which physical interface is used for each of these purposes. You can also define a backup Control IP address and backup Heartbeat Interface (Layer 2 Firewall Clusters only).

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Single Layer 2 Firewall or Layer 2 Firewall Cluster and select Edit <element type>.
    The Engine Editor opens.
  2. In the navigation pane on the left, select Interfaces > Interface Options.
  3. In the Interface Options pane on the right:
    1. Select the Primary Control IP address for Management Server contact.
    2. (Optional) Select a Backup Control IP address that is used if the Primary Control IP address is not available.
    3. (Optional, single Layer 2 Firewall only) If the NGFW Engine is behind a device that applies dynamic NAT to the inbound management connections or blocks them, select Node-Initiated contact to Management Server.
      When this option is selected, the engine opens a connection to the Management Server and maintains connectivity.
    4. (Layer 2 Firewall Clusters only) Select the primary Heartbeat Interface for communications between the nodes.
      We recommend that you use a Physical Interface, not a VLAN Interface. We strongly recommend that you do not direct any other traffic through this interface. A dedicated network helps guarantee reliable and secure operation.
      CAUTION:
      Primary and Backup Heartbeat networks exchange confidential information. If dedicated networks are not possible, configure the cluster to encrypt the exchanged information.
    5. (Layer 2 Firewall Clusters only) Select a backup Heartbeat Interface that is used if the Primary Heartbeat Interface is unavailable.
      It is not mandatory to configure a backup Heartbeat Interface, but we strongly recommend it. If heartbeat traffic is not delivered, the cluster cannot operate and traffic is disturbed. We strongly recommend that you use a dedicated interface for the backup heartbeat as well.
    6. In the Default IP Address for Outgoing Traffic field, select the IP address that the nodes use if they initiate connections through an interface that has no Node Dedicated IP Address.
  4. Click OK.
  5. Continue the configuration in one of the following ways:
    • If you are creating a new Layer 2 Firewall element, configure the routing.
    • Otherwise, click Save and Refresh to transfer the configuration changes.

Engine Editor – Interfaces – Interface Options

Use this branch to define which IP addresses are used in particular roles in the engine's system communications.

Option: Definition
Control Interface

(Not Virtual Firewalls)

  • Primary — Specifies the Primary Control IP address for Management Server contact.
  • Backup (Optional) — Specifies the Backup Control IP address that is used if the Primary Control IP address is not available.
Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine.
Heartbeat Interface

(Clusters and Master NGFW Engines only)

  • Primary — Specifies the interface used for heartbeat communications between the nodes. We recommend that you use a Physical Interface, not a VLAN Interface. We strongly recommend that you do not direct any other traffic through this interface. A dedicated network helps guarantee reliable and secure operation.
    CAUTION:
    Primary and Backup Heartbeat networks exchange confidential information. If dedicated networks are not possible, configure the cluster to encrypt the exchanged information.
  • Backup — Used if the Primary Heartbeat Interface is unavailable. It is not mandatory to configure a backup Heartbeat Interface, but we strongly recommend it. If heartbeat traffic is not delivered, the cluster cannot operate and traffic is disturbed. We strongly recommend that you use a dedicated interface for the backup heartbeat as well.
Node-Initiated Contact to Management Server

When selected, the NGFW Engine opens a connection to the Management Server and maintains connectivity. This option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic.

If the connection is not open when you command the engine through the Management Client, the command is left pending until the engine opens the connection again.

Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual NGFW Engines.

Identity for Authentication Requests

The IP address of the selected interface is used when an engine contacts an external authentication server.

This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender.

Source for Authentication Requests

By default, specifies the source IP address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests.

Default IP Address for Outgoing Traffic

Specifies the IP address that the engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes.
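As an added example (not product code and not from this documentation), the following Python check encodes the rules from the steps and the option reference above as a pre-change audit of a proposed Interface Options selection: required primary control IP, no Aggregated Link for control, node-initiated contact only on a single engine, physical and dedicated (or encrypted) heartbeat interfaces with a backup, and an outgoing address present on every node. The Iface and Options structures, the interface names and the node names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Iface:
    kind: str                                # "physical", "vlan" or "aggregated"
    ips: dict = field(default_factory=dict)  # node name -> IP address on this interface
    other_traffic: bool = False              # non-heartbeat traffic also uses this interface

@dataclass
class Options:
    cluster: bool                      # Layer 2 Firewall Cluster (True) or Single (False)
    nodes: list                        # node names (one entry for a single engine)
    primary_control: str = None        # interface name per role; None = not selected
    backup_control: str = None
    primary_heartbeat: str = None
    backup_heartbeat: str = None
    outgoing: str = None               # Default IP Address for Outgoing Traffic
    node_initiated: bool = False       # Node-Initiated Contact to Management Server
    heartbeat_encrypted: bool = False  # cluster encrypts the heartbeat exchange

def audit(o, ifaces):
    out = []  # (severity, message) findings; an empty list means the selection is clean
    if o.primary_control is None:
        out.append(("error", "Primary Control IP address is required"))
    for role, name in (("Primary Control", o.primary_control), ("Backup Control", o.backup_control)):
        i = ifaces.get(name) if name else None
        if i and i.kind == "aggregated":  # page note: avoid Aggregated Link for control IP
            out.append(("warning", f"{role}: {name} is an Aggregated Link interface"))
    if o.node_initiated and o.cluster:
        out.append(("error", "Node-Initiated Contact is not supported for Layer 2 Firewall Clusters"))
    if o.cluster:
        if o.primary_heartbeat is None:
            out.append(("error", "A cluster requires a Primary Heartbeat Interface"))
        if o.backup_heartbeat is None:
            out.append(("warning", "No Backup Heartbeat Interface: cluster stops if heartbeat is lost"))
        for role, name in (("Primary Heartbeat", o.primary_heartbeat), ("Backup Heartbeat", o.backup_heartbeat)):
            i = ifaces.get(name) if name else None
            if i and i.kind != "physical":
                out.append(("warning", f"{role}: use a Physical Interface, not {i.kind} {name}"))
            if i and i.other_traffic:  # heartbeat is confidential: dedicate the link or encrypt it
                out.append(("warning" if o.heartbeat_encrypted else "error", f"{role}: {name} is shared"))
    i = ifaces.get(o.outgoing) if o.outgoing else None
    missing = [n for n in o.nodes if i is None or n not in i.ips]
    if missing:  # every node needs an address on the outgoing interface
        out.append(("error", f"Outgoing traffic: nodes {missing} have no IP address on {o.outgoing}"))
    return out
SAMPLE = {n: Iface(k, {"node1": f"{p}.1", "node2": f"{p}.2"}, t) for n, k, p, t in [  # constructed
    ("eth0", "physical", "10.0.0", True), ("eth1", "physical", "192.168.100", False),
    ("eth2", "physical", "192.168.101", False), ("eth1.10", "vlan", "192.168.10", True),
    ("ae0", "aggregated", "10.1.0", True)]}
```

Run audit(Options(...), SAMPLE) on a candidate selection and fix every "error" before clicking OK; "warning" entries are the page's recommendations.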