Dynamic IP addresses for Single Firewall interfaces and how they work

Single Firewalls support the use of DHCP, PPPoA, PPPoE, and SLAAC to assign dynamic IPv4 or IPv6 addresses on the firewall’s network interfaces. PPP is only supported for IPv4 addresses.

Typically, a dynamic IP address is used in smaller sites with xDSL connections that have no static IP address available for the firewall. Modem Interfaces always have dynamic IP addresses that are provided through PPP.

Instead of an IP address, each interface with a dynamic IP address is identified in the SMC by a DHCP Index. This is a number that is used to distinguish different interfaces with dynamic IP addresses from one another.

When a firewall has a fixed IP address, the Management Server can contact the firewall whenever needed. When the firewall has a dynamic IP address, the Management Server does not have a fixed IP address to contact, so the firewall contacts the Management Server instead. You can also define that a firewall that has a fixed IP address contacts the Management Server. The frequency of these contacts can be adjusted as necessary. If the contact is lost (for example, the Internet connection goes down), the Management Server queues the commands you have issued to the firewall and executes them when contact is re-established.

If the address the engine uses for system communications is dynamic, the engine opens a communications channel to the Management Server and the Management Server never attempts to contact the engine outside this connection. If the management traffic flows through an interface that has a dynamic address, you can adjust timeouts and other settings related to these communications.

Dynamic IP addresses also affect policy-based VPNs: other VPN gateways cannot open VPN connections to the gateway if the address is dynamic. Instead, the gateway with the dynamic endpoint must always initiate the VPN. After the VPN tunnel is established, connections can be made in both directions as usual. VPN client connections can be forwarded through a site-to-site VPN from a gateway that has a static IP address (VPN hub configuration).

Because the dynamic IP address assignment includes the next-hop gateway address, the routing for interfaces with a dynamic address is defined using special dynamic Router and NetLink elements.

There are default Alias elements that can be used in the Firewall’s policy to represent its own dynamic addresses. For each dynamic address interface there are four Alias elements distinguished by the DHCP index number:
  • $$ DHCP Interface X.ip: The current dynamic IP address allocated to this interface
  • $$ DHCP Interface X.gateways: The received IP address for the default router
  • $$ DHCP Interface X.dns: The received IP address of the DNS server
  • $$ DHCP Interface X.net: The network behind the interface with a dynamic IP address
Note: These Aliases are meant for use in the policies of the Firewall that has the dynamic IP address. They are translated to the values of the Firewall the policy is installed on, so they cannot be used in the policies of other components.
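
Because these Aliases only have meaning on the Firewall that owns the matching DHCP Index, a policy can be checked before it is installed. The following is an added example, not part of the SMC or of this documentation: it scans rule cells for the Alias names listed above and flags references whose DHCP Index is not defined on the target Firewall. The rule dictionary layout, the function name `lint_policy`, and the sample data are assumptions constructed for illustration.

```python
import re

# Alias naming taken from the list above; X is the DHCP Index.
ALIAS_RE = re.compile(r"\$\$ DHCP Interface (\d+)\.([A-Za-z]+)")
VALID_FIELDS = {"ip", "gateways", "dns", "net"}

NO_INDEX = "no dynamic interface with this DHCP Index on target"
BAD_SUFFIX = "unknown alias suffix"


def lint_policy(rules, dhcp_indexes):
    """Return (rule_id, alias, problem) findings for one target firewall.

    rules: iterable of dicts with "id", "source" and "destination" keys
           (hypothetical export layout, constructed for this example).
    dhcp_indexes: set of DHCP Index numbers defined on the target firewall.
    """
    findings = []
    for rule in rules:
        for cell in ("source", "destination"):
            for match in ALIAS_RE.finditer(rule.get(cell, "")):
                index, field = int(match.group(1)), match.group(2)
                alias = match.group(0)
                if field not in VALID_FIELDS:
                    # Not one of the four Aliases documented per interface.
                    findings.append((rule["id"], alias, BAD_SUFFIX))
                elif index not in dhcp_indexes:
                    # The Alias would have no value on this firewall.
                    findings.append((rule["id"], alias, NO_INDEX))
    return findings


# Constructed sample policy: the target firewall only has DHCP Index 1.
SAMPLE_RULES = [
    {"id": 1, "source": "$$ DHCP Interface 1.net", "destination": "ANY"},
    {"id": 2, "source": "ANY", "destination": "$$ DHCP Interface 2.ip"},
    {"id": 3, "source": "$$ DHCP Interface 1.dnss", "destination": "ANY"},
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_RULES, dhcp_indexes={1}):
        print(finding)
```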