Define interfaces for multiple Firewall Clusters

You must define at least one layer 3 physical interface and one IPv4 address for the Firewall Clusters.

The following interface types are available:
  • Layer 3 physical interface for Ethernet connections
  • VLAN interface for dividing a single physical network link into several virtual links
  • Tunnel interface that defines a tunnel endpoint in route-based VPNs

The same interface properties are available for every Firewall Cluster element in the Engine Editor. However, we recommend that you configure all shared interface properties in the wizard. After you exit the wizard, you must configure the properties separately for each Firewall Cluster.

The interface properties you define for the first Firewall Cluster are used to automatically create the corresponding properties for the rest of the Firewall Clusters. These properties include the IP addresses, which are automatically generated in numeric order. Make sure that the IP addresses assigned to the Firewall Clusters are not used by any other components.
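As an added example (not Forcepoint's own code), the following Python checks a planned address set before you run the wizard: it derives the per-cluster addresses the way the text describes and flags any that fall outside the first cluster's subnet or collide with addresses other components already use. It assumes that the generator advances each address by one per additional cluster; the sample addresses are constructed.

```python
"""Pre-deployment check for addresses derived for several Firewall Clusters.
Added example, not Forcepoint code. Assumption: cluster n+1 gets the first
cluster's address advanced by n in numeric order (IPv4 shown)."""
import ipaddress
from typing import Dict, List, Set

Plan = List[Dict[int, ipaddress.IPv4Interface]]


def plan_cluster_addresses(first_cluster: Dict[int, str], cluster_count: int) -> Plan:
    """Return one {interface ID: address/prefix} map per Firewall Cluster.

    first_cluster maps interface ID -> "address/prefix" of the first cluster,
    e.g. {0: "192.0.2.1/24"}; interface ID 0 is the control interface.
    """
    plan: Plan = []
    for n in range(cluster_count):
        per_cluster = {}
        for iface_id, cidr in first_cluster.items():
            base = ipaddress.ip_interface(cidr)
            per_cluster[iface_id] = ipaddress.ip_interface(
                f"{base.ip + n}/{base.network.prefixlen}")
        plan.append(per_cluster)
    return plan


def find_conflicts(plan: Plan, in_use: Set[str]) -> List[str]:
    """Report generated addresses that are not usable host addresses in the
    first cluster's subnet, or that another component already uses."""
    taken = {ipaddress.ip_address(a) for a in in_use}
    problems: List[str] = []
    for index, per_cluster in enumerate(plan, start=1):
        for iface_id, iface in per_cluster.items():
            ip, net = iface.ip, plan[0][iface_id].network
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                problems.append(f"cluster {index} interface {iface_id}: {ip} "
                                f"is not a usable host address in {net}")
            if ip in taken:
                problems.append(f"cluster {index} interface {iface_id}: {ip} "
                                f"is already used by another component")
    return problems


if __name__ == "__main__":
    # Constructed sample: two interfaces, three clusters, and 192.0.2.3 already
    # taken by another component on the management network.
    first = {0: "192.0.2.1/24", 1: "198.51.100.1/24"}
    for line in find_conflicts(plan_cluster_addresses(first, 3), {"192.0.2.3"}):
        print(line)
```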

To use a layer 3 physical interface for communication with the Management Server, begin by defining a layer 3 physical interface with an IP address. This way, the layer 3 physical interface is assigned interface ID 0. When connecting the cables to the appliance, connect the cable for the control connection to Ethernet port 0. See the Forcepoint Next Generation Firewall Installation Guide for detailed information about mapping the interface IDs to specific ports on the appliances.

Note: On Firewall Clusters, the routing information is configured simultaneously for all cluster nodes and all nodes always have identical routing tables.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Click Add and select the type of interface. Add the required number of network interfaces in the following order:
    • Define layer 3 physical interfaces.
    • (Optional) Define tunnel interfaces.
  2. (Optional, physical interfaces only) Add the required number of VLANs.
  3. Configure the IP address settings for the first Firewall Cluster.
  4. (Optional) Click Options to configure Loopback IP addresses.
  5. (Recommended) Click Options to define which IP addresses are used in particular roles in system communications.
  6. (Optional) Configure more routing settings:
    • Add static ARP entries.
    • Configure Multicast Routing.
  7. Click Next.
    The Review and Edit Firewall Interfaces page opens.
  8. Review the interfaces and edit them, if necessary. Click Next.
  9. Define and review the routing. Click Next.
  10. Click Next.
    The Define NAT Definitions for the Firewalls page opens.

Interface Options dialog box

Use this dialog box to select system communication roles for interfaces and to configure loopback IP addresses.

General tab

Primary
  Specifies the Primary Control IP address for Management Server contact.
  Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine.

Backup (Optional)
  Specifies the Backup Control IP address that is used if the Primary Control IP address is not available.

Node-Initiated Contact to Management Server
  When selected, the firewall opens a connection to the Management Server and maintains connectivity.
  The Node-Initiated Contact to Management Server option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic.
  If the connection is not open when you command the engine through the Management Client, the command is left pending until the engine opens the connection again.

Identity for Authentication Requests
  The IP address of the selected interface is used when an engine contacts an external authentication server.
  The Identity for Authentication Requests option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender.

Source for Authentication Requests
  By default, the source IP address for authentication requests is selected according to routing. If the authentication requests are sent to an external authentication server over a VPN, select an interface with the IP address that you want to use as the source for the authentication requests.

Default IP Address for Outgoing Traffic
  Specifies the IP address that the engine uses to initiate connections (such as for system communications and ping) through an interface that has no IP address.

Loopback tab

CVI Address
  Allows you to enter a loopback IP address.

Comment (Optional)
  A comment for your own reference.

Add
  Adds a row to the table.

Remove
  Removes the selected row from the table.

ARP Entry Properties dialog box

Use this dialog box to manually add ARP entries for IPv4 or neighbor discovery entries for IPv6.

Type
  Select from the following:
  • Static — Creates a permanent reference to an IP address/MAC address pair.
  • Proxy — Creates a reference to an IP address/MAC address pair that the Firewall performs proxy ARP for. Proxy ARP is possible only for hosts located in networks directly connected to the Firewall.

Interface ID
  The interface on which the ARP entry is applied.

IP Address
  The IPv4 or IPv6 address for the ARP entry.

MAC Address
  The MAC address for the ARP entry.

Add ARP Entry
  Adds an ARP entry.

Remove ARP Entry
  Removes the selected ARP entry.

Multicast Routing Properties

Use this dialog box to change multicast routing settings.

Multicast Routing Mode
  Specifies how the Firewall routes multicast traffic.
  • None — Disables multicast routing.
  • Static — Enables options that allow you to add static routes for multicast traffic.
  • IGMP Proxy — Enables options that allow you to use the Firewall for IGMP-based multicast forwarding.
Static selected
  • Source Interface — Select the Firewall interface to use for multicast routing.
  • Source IP Address — Enter the unicast IP address of the multicast source.
  • Destination IP Address — Enter the multicast destination IP address. The destination address must be within the multicast range of 224.0.0.0 to 239.255.255.255.
  • Destination Interface — Right-click Destination Interface and select Edit Destination Interface to select the interfaces where you want this multicast traffic forwarded.
  • Comment — Adds a comment for your own reference.
  • Add — Adds an empty row to the table.
  • Remove — Removes the selected row from the table.
IGMP Proxy selected
  • Upstream Interface — Select the Firewall interface for incoming IGMP traffic. If the multicast servers and the hosts are in the local networks, or if you want to limit the multicast to the local networks, it is not necessary to define the Upstream Interface. In that case, leave Not Set selected for Upstream Interface.
  • Upstream IGMP Version — Select the IGMP version according to the upstream network environment. The default IGMP version is version 3.
  • Interface — Select the downstream interface for outgoing IGMP traffic.
  • IGMP Version — Select the IGMP version according to the downstream network environment. The default IGMP version is version 3.
  • Add — Adds a downstream interface to the Downstream Interfaces table.
  • Remove — Removes a downstream interface from the Downstream Interfaces table.