Add loopback IP addresses for Firewall Clusters

You can optionally define one or more loopback IP addresses for the Firewall Cluster.

Any IP address that is not already used as a Cluster Virtual IP Address (CVI) or Node Dedicated IP Address (NDI) on another interface can be used as a loopback IP address. The same IP address can be used as a loopback IP address and as the IP address of a Tunnel Interface.

Whether to define a CVI or NDI loopback address depends on the traffic for which the loopback IP address is used:
  • A CVI loopback IP address is used for loopback traffic that is sent to the whole cluster. All the nodes in the cluster share it.
  • An NDI loopback IP address is used for loopback traffic that is sent to a specific node in the cluster. NDI loopback IP addresses must be unique for each node.
Note: If the IP address you want to use as a loopback IP address is already used as a CVI or NDI on another interface, you must remove the IP address from the interface configuration before using it as a loopback IP address.

If you use NDI loopback IP addresses, you must define an NDI loopback IP address for all nodes.
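
The address rules above can be checked against a planned configuration before it is entered in the Engine Editor. The following Python check is an added example, not product code and not an SMC API; the function name, data layout, node names and addresses are assumptions constructed for illustration.

```python
import ipaddress

def validate_loopbacks(nodes, interface_ips, cvi_loopbacks, ndi_rows):
    """Return rule violations for a planned loopback configuration.

    nodes         -- names of all nodes in the cluster
    interface_ips -- {address: "CVI" or "NDI"} already used on other interfaces
                     (Tunnel Interface addresses are left out: sharing is allowed)
    cvi_loopbacks -- planned cluster-wide loopback addresses
    ndi_rows      -- planned NDI table rows, each {node name: address}
    """
    errors = []
    used = {ipaddress.ip_address(a): role for a, role in interface_ips.items()}

    def check(addr, where):
        """Parse addr and report a clash with an existing CVI or NDI."""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            errors.append(f"{where}: {addr!r} is not a valid IP address")
            return None
        if ip in used:
            errors.append(f"{where}: {ip} is already a {used[ip]} on another interface")
        return ip

    for addr in cvi_loopbacks:
        check(addr, "CVI loopback")

    owner = {}  # NDI loopback address -> node that first claimed it
    for i, row in enumerate(ndi_rows, 1):
        for node in nodes:
            where = f"NDI loopback row {i}, {node}"
            if not row.get(node):
                errors.append(f"{where}: every node needs an NDI loopback address")
                continue
            ip = check(row[node], where)
            if ip is not None and owner.setdefault(ip, node) != node:
                errors.append(f"{where}: {ip} is already used by {owner[ip]}")
    return errors

# Constructed sample data (documentation address ranges, hypothetical node names).
NODES = ["node1", "node2"]
INTERFACE_IPS = {"192.0.2.1": "CVI", "192.0.2.11": "NDI", "192.0.2.12": "NDI"}
GOOD = validate_loopbacks(NODES, INTERFACE_IPS, ["198.51.100.1"],
                          [{"node1": "198.51.100.11", "node2": "198.51.100.12"}])
BAD = validate_loopbacks(NODES, INTERFACE_IPS, ["192.0.2.1"],
                         [{"node1": "198.51.100.11"},
                          {"node1": "198.51.100.21", "node2": "198.51.100.11"}])

if __name__ == "__main__":
    print("\n".join(BAD) or "no violations")
```

The second sample plan violates three rules: a CVI loopback that is already a CVI on another interface, a node without an NDI loopback address, and an NDI loopback address shared by two nodes.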

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Firewall Cluster and select Edit Firewall Cluster.
    The Engine Editor opens.
  2. In the navigation pane on the left, browse to Interfaces > Loopback.
    The Loopback pane opens on the right.
  3. Click Add below the table to which you want to add a loopback IP address.
    A row is added to the table.
  4. (CVI only) Click the CVI Address cell and enter the loopback IP address for the cluster.
  5. (NDI only) Click the NDI Address cell for each node and enter the node-specific loopback IP address.
  6. Click OK.
  7. Click Save and Refresh.

Engine Editor – Interfaces – Loopback

Use this branch to define loopback IP addresses for Firewalls. Loopback IP addresses allow you to assign IP addresses that do not belong to any directly connected networks to the Firewall.

Option: Bypass Default IP Address
Definition: Specifies how the source IP address for traffic sent from the engine node is selected for tunnel interfaces that do not have IP addresses.
  • Use Loopback IP Address in Unnumbered Tunnel Interface — Uses an IP address listed in the table as the source IP address of traffic sent from the engine node.
  • Use Default Outgoing IP Address in Unnumbered Tunnel Interface — Uses the default outgoing IP address defined in the Interface Options pane as the source IP address of traffic sent from the engine node.
Click Add Row to add a row to the table, or Remove Row to remove the selected row.