Select system communication roles for firewall interfaces

You can select which IP addresses are used for particular roles in system communications (for example, in communications between the Firewall and the Management Server).

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Single Firewall or Firewall Cluster and select Edit <element type>.
  2. In the navigation pane on the left, select Interfaces > Interface Options.
  3. In the Interface Options pane on the right:
    1. From the Primary control IP address drop-down list, select the primary control IP address for communications with the Management Server.
      Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine.
    2. (Optional, recommended) From the Backup control IP address drop-down list, select a backup control IP address for Management Server contact (used if the primary fails).
    3. (Optional) If the NGFW Engine is behind a device that applies dynamic NAT to the inbound management connections or blocks them, select Node-Initiated contact to Management Server.
      When this option is selected, the engine opens a connection to the Management Server and maintains connectivity.
    4. (Firewall Clusters only) Select the primary Heartbeat Interface for communications between the nodes.
      We recommend that you use a Physical Interface, not a VLAN Interface. We strongly recommend that you do not direct any other traffic through this interface. A dedicated network helps ensure reliable and secure operation.
      CAUTION:
      Primary and Backup Heartbeat networks exchange confidential information. If dedicated networks are not possible, configure the cluster to encrypt the exchanged information.
    5. (Firewall Clusters only) Select a backup Heartbeat Interface that is used if the Primary Heartbeat Interface is unavailable.
      It is not mandatory to configure a backup Heartbeat Interface, but we strongly recommend it. If heartbeat traffic is not delivered, the cluster cannot operate and traffic is disturbed. We strongly recommend that you use a dedicated interface for the backup heartbeat as well.
    6. In the Default IP Address for Outgoing Traffic field, select the IP address that the nodes use if they have to initiate connections through an interface that has no Node Dedicated IP Address.
  4. Click OK.
  5. Click Save and Refresh.

Next steps

You are now ready to configure routing.
  • If this is a new Firewall, add routes for Firewalls.
  • If you are configuring Tunnel Interfaces for route-based VPNs, define the routing for the route-based VPNs.

Engine Editor – Interfaces – Interface Options

Use this branch to define which IP addresses are used in particular roles in the engine's system communications.

Option Definition
Control Interface

(Not Virtual Firewalls)

  • Primary — Specifies the Primary Control IP address for Management Server contact.
  • Backup (Optional) — Specifies the Backup Control IP address that is used if the Primary Control IP address is not available.
Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine.
Heartbeat Interface

(Clusters and Master NGFW Engines only)

  • Primary — Specifies communications between the nodes. We recommend that you use a Physical Interface, not a VLAN Interface. We strongly recommend that you do not direct any other traffic through this interface. A dedicated network helps guarantee reliable and secure operation.
    CAUTION:
    Primary and Backup Heartbeat networks exchange confidential information. If dedicated networks are not possible, configure the cluster to encrypt the exchanged information.
  • Backup — Used if the Primary Heartbeat Interface is unavailable. It is not mandatory to configure a backup Heartbeat Interface, but we strongly recommend it. If heartbeat traffic is not delivered, the cluster cannot operate and traffic is disturbed. We strongly recommend that you use a dedicated interface for the backup heartbeat as well.
Node-Initiated Contact to Management Server

When selected, the NGFW Engine opens a connection to the Management Server and maintains connectivity. This option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic.

If the connection is not open when you command the engine through the Management Client, the command is left pending until the engine opens the connection again.

Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual NGFW Engines.
Identity for Authentication Requests

The IP address of the selected interface is used when an engine contacts an external authentication server.

This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender.

Source for Authentication Requests By default, specifies the source IP address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests.
Default IP Address for Outgoing Traffic Specifies the IP address that the engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes.