Define interfaces for multiple Single Firewalls

You must define at least one layer 3 physical interface and one IPv4 address for the Firewalls.

When you define interfaces for multiple Single Firewalls, the same interface properties are available for every Firewall element in the Engine Editor. However, we recommend that you configure all shared interface properties in the wizard. After you exit the wizard, you must configure the properties separately for each Firewall.

The interface properties you define for the first Firewall are used to automatically create the corresponding properties for the rest of the Firewalls. These properties also include the IP addresses, which are automatically generated in numeric order. Make sure that the IP addresses that are assigned to the Firewalls are not used by any other components.
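A pre-check for the generated addresses can be run before starting the wizard. The following is an added example, not part of the product documentation: it assumes the addresses increase by one per Firewall from the first address, and the function names and the `IN_USE` inventory are hypothetical, constructed values.

```python
import ipaddress

def planned_addresses(first_ip, count):
    """Addresses for `count` Firewalls, ASSUMING +1 steps from the first one."""
    start = ipaddress.IPv4Address(first_ip)
    return [start + i for i in range(count)]

def find_conflicts(first_ip, prefix_len, count, in_use):
    """Map each unsafe planned address to the reasons it must not be assigned."""
    network = ipaddress.ip_interface(f"{first_ip}/{prefix_len}").network
    taken = {ipaddress.IPv4Address(a): owner for a, owner in in_use.items()}
    conflicts = {}
    for addr in planned_addresses(first_ip, count):
        reasons = []
        if addr not in network:
            reasons.append(f"outside {network}")
        elif network.prefixlen < 31 and addr == network.network_address:
            reasons.append("network address")
        elif network.prefixlen < 31 and addr == network.broadcast_address:
            reasons.append("broadcast address")
        if addr in taken:
            reasons.append(f"already used by {taken[addr]}")
        if reasons:
            conflicts[str(addr)] = reasons
    return conflicts

# Constructed inventory of addresses held by other components (not real data).
IN_USE = {"192.0.2.1": "router", "192.0.2.12": "log-server"}

if __name__ == "__main__":
    # Seven Firewalls starting at 192.0.2.10 in a /29: three addresses are unsafe.
    for addr, reasons in find_conflicts("192.0.2.10", 29, 7, IN_USE).items():
        print(addr, "->", "; ".join(reasons))
```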

To use a Layer 3 Physical Interface for communication with the Management Server, begin by defining a Layer 3 Physical Interface with a dynamic IP address. This way, the Layer 3 Physical Interface is assigned Interface ID 0. When connecting the cables to the appliance, connect the cable for the control connection to Ethernet port 0. See the relevant Hardware Guide for detailed information about mapping the Interface IDs with specific ports on the appliances.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. On the Define Interfaces for the Firewalls page of the Create Multiple Single Firewalls wizard, click Add and select the type of interface that you want to add. Add the required number of network interfaces in the following order:
    1. Define Layer 3 Physical Interfaces.
    2. Define integrated ADSL modems.
    3. Define integrated 3G modems.
    4. Define Tunnel Interfaces.
    5. Define integrated wireless modems.
    6. Define SSID Interfaces.
    7. Define integrated switches and Port Group Interfaces.
  2. (Optional, Physical Interfaces only) Add the required number of VLANs.
  3. (Not applicable to Modem interfaces) Configure the IP address settings for the first one of the Firewalls.
  4. (Optional) Click Options to configure Loopback IP addresses.
  5. (Recommended) Click Options to define which IP addresses are used in particular roles in system communications.
  6. (Optional) Configure more routing settings:
    • Add static ARP entries.
    • Configure Multicast Routing.
  7. Click Next.
    The Review and Edit Firewall Interfaces page opens.
  8. Review the interfaces and edit them, if necessary. Properties of the Modem Interfaces cannot be edited.
  9. Click Next.
    The Define Routing for the Multiple Single Firewall Elements page opens.

Interface Options dialog box

Use this dialog box to select system communication roles for interfaces and to configure loopback IP addresses.

Option Definition
General tab
Primary Specifies the Primary Control IP address for Management Server contact.
Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine.
Backup (Optional) Specifies the Backup Control IP address that is used if the Primary Control IP address is not available.
Node-Initiated Contact to Management Server When selected, the firewall opens a connection to the Management Server and maintains connectivity.

The Node-Initiated Contact to Management Server option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic.

If the connection is not open when you command the engine through the Management Client, the command is left pending until the engine opens the connection again.

Identity for Authentication Requests The IP address of the selected interface is used when an engine contacts an external authentication server.

The Identity for Authentication Requests option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender.

Source for Authentication Requests By default, specifies the source IP address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over a VPN, select an interface with an IP address that you want to use for the authentication requests.
Default IP Address for Outgoing Traffic Specifies the IP address that the engine uses to initiate connections (such as for system communications and ping) through an interface that has no IP address.
Option Definition
Loopback tab
CVI Address Allows you to enter a loopback IP address.
Comment (Optional) A comment for your own reference.
Add Adds a row to the table.
Remove Removes the selected row from the table.

ARP Entry Properties dialog box

Use this dialog box to manually add ARP entries for IPv4 or neighbor discovery entries for IPv6.

Option Definition
Type Select from the following:
  • Static — Creates a permanent reference to an IP address/MAC address pair.
  • Proxy — Creates a reference to an IP address/MAC address pair that the Firewall performs proxy ARP for. Proxy ARP is possible only for hosts located in networks directly connected to the Firewall.
Interface ID The interface on which the ARP entry is applied.
IP Address The IPv4 or IPv6 address for the ARP entry.
MAC Address The MAC address for the ARP entry.
Add ARP Entry Adds an ARP entry.
Remove ARP Entry Removes the selected ARP entry.

Multicast Routing Properties

Use this dialog box to change multicast routing settings.

Option Definition
Multicast Routing Mode Specifies how the Firewall routes multicast traffic.
  • None — Disables multicast routing.
  • Static — Enables options that allow you to add static routes for multicast traffic.
  • IGMP Proxy — Enables options that allow you to use the Firewall for IGMP-based multicast forwarding.
Static selected
  • Source Interface — Select the Firewall interface to use for multicast routing.
  • Source IP Address — Enter the unicast IP address of the multicast source.
  • Destination IP Address — Enter the multicast destination IP address. The destination address must be within the multicast range of 224.0.0.0 to 239.255.255.255.
  • Destination Interface - Right-click Destination Interface and select Edit Destination Interface to select the interfaces where you want this multicast traffic forwarded.
  • Comment — Adds a comment for your own reference.
  • Add — Adds an empty row to the table.
  • Remove — Removes the selected row from the table.
IGMP Proxy selected
  • Upstream Interface — Select the Firewall interface for incoming IGMP traffic. If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the Upstream Interface. In that case, leave Not Set selected for Upstream Interface.
  • Upstream IGMP Version — Select the IGMP version according to the upstream network environment. The default IGMP version is version 3.
  • Interface — Select the downstream interface for outgoing IGMP traffic.
  • IGMP Version — Select the IGMP version according to the downstream network environment. The default IGMP version is version 3.
  • Add — Adds a downstream interface to the Downstream Interfaces table.
  • Remove — Removes a downstream interface from the Downstream Interfaces table.

Properties dialog box (DHCP)

Use this dialog box to enable the internal DHCP server or to change DHCP relay settings when you are creating multiple Single Firewalls with a wizard.

Option Definition
DHCP Mode Select the DHCP mode:
  • Disabled — DHCP relay is disabled.
  • DHCP Relay — Enables DHCP relay on the interface.
  • DHCP Server — Activates the integrated DHCP server on the interface.
Option Definition
DHCP Relay settings (If DHCP Mode is DHCP Relay)

Resources Select from the available DHCP servers.
Search Opens a search field for the selected element list.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
Add Adds the DHCP server to the interface.
Remove Removes the DHCP server from the interface.
Max Packet Size Adjusts the maximum allowed packet size.
DHCP Relay Select the CVI or IP address you want to use for DHCP relay.
Option Definition
DHCP Server settings (If DHCP Mode is DHCP Server)

DHCP Address range Defines the DHCP address range that the Firewall assigns to clients in one of the following ways:
  • Select — Allows you to select an address range element.
  • Address — Allows you to enter a single IP address or an IP address range.
On Firewall Clusters, the DHCP address range is automatically divided between the nodes.
Note: The DHCP address range must be in the same network space defined for the Physical Interface. The DHCP address range must not contain the Firewall's NDI or CVI addresses or broadcast IP addresses of networks behind the Firewall.
Primary DNS Server (Optional) Enter the primary DNS server IP address that clients use to resolve domain names.

If there is a listening IP address for DNS Relay on the same interface, clients use the DNS services provided by the firewall by default. If you want clients to use a different external DNS server, enter the IP address of the external DNS server.

Secondary DNS Server (Optional) Enter the secondary DNS server IP address that clients use to resolve domain names.
Primary WINS Server (Optional) Enter the primary WINS server IP address that clients use to resolve NetBIOS computer names.
Secondary WINS Server (Optional) Enter the secondary WINS server IP address that clients use to resolve NetBIOS computer names.
Default Gateway Enter the IP address through which traffic from clients is routed.
Default Lease Time Enter the time after which IP addresses assigned to clients must be renewed.
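
The rules in the Note on the DHCP address range can be checked before the range is entered. The following is an added example, not part of the product documentation: the function name, its parameters and the sample addresses are hypothetical, and it covers IPv4 ranges only.

```python
import ipaddress

def check_dhcp_range(start, end, interface_cidr, firewall_ips, networks_behind=()):
    """Return a list of rule violations for a DHCP Server address range."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo > hi:
        return ["range start is higher than range end"]
    # Network that the Physical Interface address belongs to.
    iface_net = ipaddress.ip_interface(interface_cidr).network
    problems = []
    # Rule 1: the range must be in the network space of the interface.
    if lo not in iface_net or hi not in iface_net:
        problems.append(f"range is not inside interface network {iface_net}")
    # Rule 2: the range must not contain the Firewall's own (NDI or CVI) addresses.
    for ip in map(ipaddress.IPv4Address, firewall_ips):
        if lo <= ip <= hi:
            problems.append(f"range contains Firewall address {ip}")
    # Rule 3: the range must not contain broadcast addresses of the interface
    # network or of any other network behind the Firewall.
    for net in [iface_net, *map(ipaddress.ip_network, networks_behind)]:
        if lo <= net.broadcast_address <= hi:
            problems.append(f"range contains broadcast address {net.broadcast_address}")
    return problems

if __name__ == "__main__":
    # Constructed sample values: interface 10.20.30.1/24, one Firewall address.
    for rng in [("10.20.30.100", "10.20.30.200"), ("10.20.30.1", "10.20.30.255")]:
        print(rng, check_dhcp_range(*rng, "10.20.30.1/24", ["10.20.30.1"]) or "OK")
```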