Select system communication roles for firewall interfaces
You can select which IP addresses are used for particular roles in system communications (for example, in communications between the Firewall and the Management Server).
For more details about the product and how to configure features, click Help or press F1.
Steps
- Right-click a Single Firewall or Firewall Cluster and select Edit <element type>.
- In the navigation pane on the left, select .
- In the Interface Options pane on the right:
- Click OK.
- Click Save and Refresh.
Next steps
- If this is a new Firewall, add routes for Firewalls.
- If you are configuring Tunnel Interfaces for route-based VPNs, define the routing for the route-based VPNs.
Engine Editor – Interfaces – Interface Options
Use this branch to define which IP addresses are used in particular roles in the engine's system communications.
Option | Definition |
---|---|
Control Interface (Not Virtual Firewalls) | Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the engine. |
Heartbeat Interface (Clusters and Master NGFW Engines only) | |
Node-Initiated Contact to Management Server | When selected, the NGFW Engine opens a connection to the Management Server and maintains connectivity. This option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic. If the connection is not open when you command the engine through the Management Client, the command is left pending until the engine opens the connection again. Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual NGFW Engines. |
Identity for Authentication Requests | The IP address of the selected interface is used when an engine contacts an external authentication server. This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender. |
Source for Authentication Requests | By default, specifies the source IP address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests. |
Default IP Address for Outgoing Traffic | Specifies the IP address that the engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes. |
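
Added example, not part of the product documentation: how an authentication server sees the difference between Identity for Authentication Requests (a value inside the payload) and Source for Authentication Requests (the packet's source address). It assumes the external authentication server speaks RADIUS and that the identity is carried in the NAS-IP-Address attribute; all addresses and the client name are constructed sample values.

```python
import ipaddress
import os
import struct

ACCESS_REQUEST, USER_NAME, NAS_IP_ADDRESS = 1, 1, 4  # RFC 2865 code and attribute types

def build_access_request(user, identity_ip):
    """Minimal Access-Request carrying identity_ip as NAS-IP-Address (assumed mapping)."""
    attrs = bytes([USER_NAME, 2 + len(user)]) + user.encode()
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(identity_ip).packed
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs))
    return header + os.urandom(16) + attrs  # 16-byte request authenticator

def parse_attributes(packet):
    """Return {type: value} for a RADIUS packet, rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def check_request(packet, source_ip, clients):
    """Server-side view: the source address selects the client entry,
    the payload identity is only a label and is reported separately."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
    claimed = str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None
    return {
        "known_client": source_ip in clients,
        "claimed_identity": claimed,
        "identity_matches_source": claimed == source_ip,
    }

# Constructed sample: the server knows the engine by its Node Dedicated IP address.
CLIENTS = {"198.51.100.7": "engine-node-1"}

if __name__ == "__main__":
    pkt = build_access_request("alice", "192.0.2.10")
    print(check_request(pkt, "198.51.100.7", CLIENTS))
```

A mismatch between the payload identity and the source address is expected when the two options point at different interfaces, so server-side client matching and alerting should be based on the source address.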