Add IPv4 and IPv6 addresses to Firewall Cluster interfaces

You can add IPv4 and IPv6 addresses to layer 3 physical interfaces, VLAN interfaces, and tunnel interfaces on Firewall Clusters.

IPv6 addresses are supported on Firewall Clusters with dispatch clustering mode. IPv6 and IPv4 addresses can be used together on the same Firewall Cluster.

Firewall Clusters can have two types of IP addresses.

Table 1. Types of IP addresses for Firewall Clusters
IP address type: Cluster Virtual IP address (CVI)

Description: An IP address that is used to handle traffic routed through the cluster for inspection. All nodes in a cluster share this IP address.

Allows other devices to communicate with the Firewall Cluster as a single entity.

Each CVI inherits the MAC address defined for the physical interface. The MAC/IP address pair always remains the same, as only the location of the MAC address changes to the current dispatcher node (packet dispatch). This configuration makes the external network equipment forward traffic to the correct node for dispatching. The CVIs on different physical interfaces cannot have duplicate MAC addresses.

When to use it: Define a CVI for the interface if traffic that the firewall inspects is routed to or from the interface.

IP address type: Node Dedicated IP address (NDI)

Description: An IP address that is used for traffic to or from an individual node in a cluster. Each node in the cluster has a specific IP address that is used as the NDI.

NDIs are used for the following purposes:

  • Node-to-node communications, such as heartbeat connections between the engines in a cluster and other traffic to or from individual nodes.
  • Traffic between each individual node and the Management Server and Log Server.
  • Communications with external components (such as authentication servers, or hosts that are probed in network connectivity tests).

When you define NDIs, you must define both node-specific properties (such as the node’s IP address) and properties that all nodes in the cluster share. All nodes must have the same netmask value for their NDI.

When to use it: Define at least 2 NDIs: one for management connections and one for the heartbeat traffic between the nodes.

We recommend that you define an NDI for each interface that has a CVI, if practical. Some features might not work reliably without an NDI.

If there is a CVI without a corresponding NDI from the same network segment, communications that require an NDI ‘borrow’ an IP address. The address can be borrowed from another NDI on the same physical interface, VLAN interface, or aggregated link interface. If there is no NDI on the same physical interface, VLAN interface, or aggregated link interface, the default IP address for outgoing traffic is used. The ‘borrowed’ IP address can be used without issues with routers that strictly follow the ARP standard. You might need to create a static ARP entry if some routers do not strictly follow the ARP standard.

You can define one or more CVI or NDI for the same physical interface or VLAN interface. You can also define only a CVI or only an NDI for a physical interface or VLAN interface. If the physical interface is an aggregated link, all interfaces that belong to the aggregated link share the IP address definitions.
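To make the CVI/NDI placement rules above concrete, here is an added Python check (example code written for this page, not SMC code and not an SMC API) that validates a constructed cluster interface model against them: all nodes share the same NDI netmask, NDIs sit in the CVI's network, a CVI without an NDI is flagged as an address-borrowing case, CVIs on different physical interfaces do not share a MAC address, and at least two NDIs exist. The dictionary layout and field names (cvi, ndi, mac) are this example's own assumptions.

```python
import ipaddress

# Constructed sample: a two-node Firewall Cluster with three interfaces.
# Field names (cvi, ndi, mac) are this example's own, not the SMC data model.
CLUSTER = {
    "eth0": {"mac": "00:11:22:33:44:01", "cvi": "192.0.2.10/24",
             "ndi": {1: "192.0.2.11/24", 2: "192.0.2.12/24"}},
    "eth1": {"mac": "00:11:22:33:44:02", "cvi": None,
             "ndi": {1: "10.0.0.1/30", 2: "10.0.0.2/30"}},   # heartbeat link
    "eth2": {"mac": "00:11:22:33:44:01", "cvi": "2001:db8::10/64",
             "ndi": {}},                                     # CVI without NDI
}


def check_cluster(cluster):
    """Return a list of findings (empty when the configuration is consistent)."""
    findings = []
    macs = {}          # CVI MAC address -> interface that already uses it
    ndi_count = 0      # interfaces that carry NDI definitions
    for name, iface in cluster.items():
        cvi = ipaddress.ip_interface(iface["cvi"]) if iface["cvi"] else None
        ndis = {node: ipaddress.ip_interface(a) for node, a in iface["ndi"].items()}
        # Every node must use the same netmask / prefix length for its NDI.
        if len({n.network.prefixlen for n in ndis.values()}) > 1:
            findings.append(f"{name}: NDI netmasks differ between nodes")
        # NDIs are expected on the same network segment as the CVI.
        if cvi and any(n.network != cvi.network for n in ndis.values()):
            findings.append(f"{name}: NDI not in the CVI network {cvi.network}")
        # A CVI without an NDI makes the engine borrow an address (warning).
        if cvi and not ndis:
            findings.append(f"{name}: CVI without NDI; address borrowing applies")
        # CVIs on different physical interfaces cannot share a MAC address.
        if cvi:
            if iface["mac"] in macs:
                findings.append(f"{name}: CVI MAC duplicates {macs[iface['mac']]}")
            macs[iface["mac"]] = name
        if ndis:
            ndi_count += 1
    # At least two NDIs are required: one for management, one for heartbeat.
    if ndi_count < 2:
        findings.append("fewer than 2 NDIs defined (management + heartbeat)")
    return findings


if __name__ == "__main__":
    for finding in check_cluster(CLUSTER):
        print(finding)
```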

You might also need to define a contact address if the CVI or NDI is private and NAT is used to translate the IP address to a different external IP address. The external IP address must be configured as the contact address in the following cases:

  • Other SMC components must use the external IP address to contact this Firewall (NDI).
  • This IP address is a VPN endpoint (CVI).

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Firewall Cluster, then select Edit Firewall Cluster.
  2. Browse to Interfaces.
  3. Right-click a layer 3 physical interface, VLAN interface, or tunnel interface, then add the IP address in one of the following ways:
    • To add an IPv4 address, select New > IPv4 Address
    • To add an IPv6 address, select New > IPv6 Address
    Note: If you have added VLAN interfaces to a physical interface, add the IP addresses to the VLAN interfaces.
  4. (Optional) If this interface does not receive or send IPv6 traffic that the Firewall examines, deselect Cluster Virtual IP Address.
    Note: By default, both Cluster Virtual IP Address and Node Dedicated IP Address are selected.
  5. To add a CVI address, enter the IP address in the IPv4 Address or IPv6 Address field.
    Tip: To resolve the IP address from a DNS name, right-click the field, then select Resolve From DNS Name.
  6. (IPv4 addresses only) If necessary, define the contact address for the Firewall Cluster.
    • In the Default field, enter the default contact address. The default contact address is used by default whenever a component that belongs to another Location connects to this interface.
    • If components from some Locations cannot use the default contact address, click Exceptions to define Location-specific contact addresses.
  7. To add NDI addresses for the nodes, click the IPv4 Address or IPv6 Address cell in the table, then enter the IP address for each node.
    Tip: To resolve the IP address from a DNS name, right-click the field, then select Resolve From DNS Name.
  8. (IPv4 addresses only) If necessary, double-click the Contact Address cell in the table, then define the contact address for each node.
    • In the Default field at the top of the dialog box, enter the default contact address.
    • If components from some Locations cannot use the default contact address, click Add to define Location-specific contact addresses.
  9. (IPv4 addresses only) Check the automatically filled-in Netmask, then adjust it as necessary.
  10. (IPv6 addresses only) Check the automatically filled-in Prefix Length, then adjust it as necessary.
  11. Click OK.
  12. Click Save.
  13. Continue the configuration in one of the following ways:
    • If you are creating a Firewall Cluster, or if you want to change the roles the different interfaces have in the configuration, select system communication roles for firewall interfaces.
    • If you added IP addresses to tunnel interfaces, define routing for route-based VPNs.
    • Otherwise, refresh the policy to transfer the changes.

IP Address Properties dialog box (Firewall Cluster interface)

Use this dialog box to define the properties of a Firewall Cluster interface IP address.

Option Definition

Cluster Virtual IP Address: When selected, enables the fields in the Cluster Virtual IP Address group of options.
IPv4 Address: Enter the common IPv4 address for all nodes in the cluster.
IPv6 Address: Enter the common IPv6 address for all nodes in the cluster.
Comment: Adds a comment to the IP address.

Contact Addresses section

Default: Used by default whenever a component that belongs to another Location connects to this interface.
Dynamic: Used when the interface has a dynamic contact address.
Exceptions: Opens the Exceptions dialog box.

Node Dedicated IP Address table

Node Dedicated IP Address: When selected, each node has a dedicated IP address.
Node ID: Shows the number assigned to the node.
Node: Displays the name of the node.
IPv4 Address: Enter a dedicated IPv4 address for each node.
IPv6 Address: Enter a dedicated IPv6 address for each node.
Contact Address (IPv4 address only): The IP address that components belonging to another Location use to connect to the interface. Double-clicking opens the Exceptions dialog box.
Comment: Adds a comment to the IP address.

Network Settings section

Netmask: Automatically populated IP address or netmask length (1–32). You can change this value if needed.
Prefix Length (IPv6 address only): Check the automatically filled-in Prefix Length and adjust it if necessary by entering a value from 0 to 128.
Network Address: The Network Address is automatically filled in and cannot be edited.
Broadcast IP Address (IPv4 address only): The Broadcast IP Address is automatically filled in and cannot be edited.

Resolve IP Address From DNS Name dialog box

Use this dialog box to resolve an IP address from a DNS name.

Option Definition

DNS Name: The DNS name that you want to resolve.
Resolve: Select to display a list of IP addresses that the DNS name resolves to.
  Note: The IP addresses are resolved by the computer running the Management Client.
IP Address: Select the IP address that you want to use.