Add logical interfaces

Logical interface elements allow you to group interfaces together according to network segment and interface type.

Logical interfaces are used in the configuration of the following types of interfaces to represent one or more network interfaces:
  • Capture interfaces on Firewalls, IPS Engines, and Layer 2 Firewalls
  • Inline interfaces on IPS engines and Layer 2 Firewalls
  • Inline IPS interfaces on Firewalls
  • Inline Layer 2 Firewall interfaces on Firewalls

You cannot use the same logical interface to represent both capture interfaces and inline interfaces on the same engine. On Firewalls, you cannot use the same logical interface to represent both inline IPS interfaces and inline Layer 2 Firewall interfaces. Otherwise, a logical interface can represent any number or combination of physical interfaces or VLAN Interfaces.

There is one predefined logical interface element called default_eth. If you want to create both capture interfaces and inline interfaces on the same NGFW Engine, you must add at least one more logical interface.

On IPS engines and Layer 2 Firewalls, a logical interface element called System Communications is automatically assigned to interfaces that have an IP address that is used as the primary or backup Control IP address. You can use the System Communications logical interface to represent all Control IP addresses in IPS and Layer 2 Firewall Policies.
Note: You cannot use the System Communications logical interface for the following types of interfaces:

  • Capture interfaces on Firewalls
  • Inline IPS interfaces on Firewalls
  • Inline Layer 2 Firewall interfaces on Firewalls

You can use logical interfaces in IPS Policies, Layer 2 Firewall Policies, and Layer 2 Interface Policies to limit the scope of your rules. You can use logical interfaces to create rules that match based on which interface the traffic was picked up from. For example, you can create a different logical interface for each VLAN and use them to create rules that apply only to traffic from a specific VLAN.


Steps

  1. Select Configuration.
  2. Expand the Other Elements branch.
  3. Right-click Logical Interfaces and select New Logical Interface.
  4. Enter a Name and an optional Comment for the new element.
  5. (Optional) To prevent the engine from seeing a single connection as multiple connections when a switch passes traffic between different VLANs, select the View Interface as One LAN option.
  6. Click OK.

Logical Interface Properties dialog box

Use this dialog box to define the properties of a Logical Interface.

Option                      Definition
Name                        Specifies a unique name for the interface.
Comment                     (Optional) A comment for your own reference.
View interface as one LAN   When selected, the engine treats VLANs associated with the Logical Interface as a single LAN. This option prevents the NGFW Engine from seeing a single connection as multiple connections when a switch passes traffic between different VLANs, or when all traffic is mirrored to the IPS engine through a SPAN port.
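To make the effect of "View interface as one LAN" concrete, the following added example (not from the product documentation, and not the engine's own code) models connection tracking on a logical interface. The flow-key layout is an assumption for illustration only: without the option, the VLAN tag is assumed to be part of the connection key, so a single connection that a switch forwards between VLAN 10 and VLAN 20 and mirrors through a SPAN port shows up twice; with the option, the tag is dropped from the key and both legs collapse to one connection. The packets, VLAN numbers and addresses are constructed; the logical interface name default_eth is the predefined element from the page.

```python
"""Toy model of connection tracking with and without "View interface as one LAN".

Added example, not code from the Forcepoint NGFW documentation. The key layout
below is an assumption used to illustrate the documented behaviour, not the
engine's real connection table format.
"""
from collections import namedtuple

# logical_if: the Logical Interface the packet was picked up on
# vlan: 802.1Q tag the packet carried (constructed values below)
Packet = namedtuple("Packet", "logical_if vlan src dst sport dport proto")


def flow_key(pkt, view_as_one_lan):
    """Build the connection key for a packet.

    Endpoints are sorted so that both directions of the same connection
    map to one key regardless of which side sent the packet.
    """
    endpoints = tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))
    if view_as_one_lan:
        # Option selected: all VLANs of the logical interface are one LAN,
        # so the VLAN tag is not part of the key (assumed model).
        return (pkt.logical_if, pkt.proto, endpoints)
    # Option not selected: each VLAN is a separate segment, so the same
    # connection seen on two VLANs becomes two entries (assumed model).
    return (pkt.logical_if, pkt.vlan, pkt.proto, endpoints)


def track_connections(packets, view_as_one_lan):
    """Return a dict mapping connection key -> number of packets seen."""
    table = {}
    for p in packets:
        k = flow_key(p, view_as_one_lan)
        table[k] = table.get(k, 0) + 1
    return table


def connection_count(packets, view_as_one_lan):
    """Number of distinct connections the engine would track."""
    return len(track_connections(packets, view_as_one_lan))


# Constructed sample: one TCP connection from 10.1.1.5 (VLAN 10) to
# 10.1.2.7 (VLAN 20). The switch routes between the VLANs and a SPAN port
# mirrors both legs to the engine, so each packet is seen on both VLANs.
SAMPLE = [
    Packet("default_eth", 10, "10.1.1.5", "10.1.2.7", 51000, 80, "tcp"),  # SYN on VLAN 10
    Packet("default_eth", 20, "10.1.1.5", "10.1.2.7", 51000, 80, "tcp"),  # same SYN after routing, VLAN 20
    Packet("default_eth", 20, "10.1.2.7", "10.1.1.5", 80, 51000, "tcp"),  # SYN/ACK on VLAN 20
    Packet("default_eth", 10, "10.1.2.7", "10.1.1.5", 80, 51000, "tcp"),  # SYN/ACK on VLAN 10
]

if __name__ == "__main__":
    print("connections with per-VLAN keys:", connection_count(SAMPLE, False))
    print("connections with one-LAN keys: ", connection_count(SAMPLE, True))
```

With the option cleared the model tracks two connections for what is really one exchange; with it selected, one. The model only builds keys and counts packets; a real engine also tracks TCP state per entry, which is why split tracking matters for inspection rather than being a purely cosmetic double count.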