Types of interfaces for NGFW Engines in the Firewall/VPN role

You can configure several types of interfaces for NGFW Engines in the Firewall/VPN role.

Table 1. Types of interfaces for NGFW Engines in the Firewall/VPN role
Each entry below lists the interface type, the purpose of the interface, and its limitations.

Interface type: Layer 3 physical interface
Purpose of interface: System communications and traffic inspection.
Limitations: You cannot add both VLAN Interfaces and IP addresses to a Physical Interface. If an IP address is already configured for a Physical Interface, adding a VLAN Interface removes the IP address. If you plan to use VLAN Interfaces, configure the VLAN Interfaces first and then add IP addresses to the VLAN Interfaces.

Interface type: Layer 2 physical interface
Purpose of interface: Traffic inspection. Layer 2 interfaces on NGFW Engines in the Firewall/VPN role allow the engine to provide the same kind of traffic inspection that is available for NGFW Engines in the IPS and Layer 2 Firewall roles.
Limitations:
  • You cannot add layer 2 physical interfaces of the Inline Layer 2 Firewall type to Firewall Clusters in Load Balancing mode. Only Standby mode is supported.
  • You cannot add IP addresses to layer 2 physical interfaces on NGFW Engines in the Firewall/VPN role.
  • VLAN retagging is not supported on layer 2 physical interfaces of the inline IPS type.

Interface type: VLAN interface
Purpose of interface: Divides a single physical interface into several virtual interfaces.
Limitations:
  • You cannot add VLAN interfaces on top of other VLAN Interfaces (nested VLANs).
  • You cannot create valid VLAN Interfaces in a Virtual NGFW Engine if the Master NGFW Engine interface that hosts the Virtual NGFW Engine is a VLAN Interface.

Interface type: ADSL interface (Legacy Forcepoint NGFW appliances only)
Purpose of interface: Represents the ADSL port of a purpose-built Forcepoint NGFW appliance.
Limitations: An ADSL Interface is only supported on Single Firewall engines that run on specific legacy Forcepoint NGFW appliances that have an ADSL network interface card.

Interface type: Wireless interface (Single Firewalls only)
Purpose of interface: Represents a wireless network interface card of a purpose-built Forcepoint NGFW appliance.
Limitations: A Wireless Interface is only supported on Single Firewall engines that run on specific Forcepoint NGFW appliances that have a wireless network interface card.

Interface type: Modem interface (Single Firewalls only)
Purpose of interface: Represents a 3G modem connected to a USB port on a purpose-built Forcepoint NGFW appliance.
Limitations:
  • A Modem Interface is only supported on Single Firewall engines that run on specific Forcepoint NGFW appliances.
  • Modem Interfaces do not support VLAN tagging.

Interface type: Tunnel interface
Purpose of interface: A logical interface that is used as an endpoint for tunnels in route-based VPNs.
Limitations:
  • Tunnel Interfaces can only have static IP addresses.
  • Tunnel Interfaces do not support VLAN tagging.

Interface type: Integrated switch (Single Firewalls only)
Purpose of interface: Represents the switch functionality on a purpose-built Forcepoint NGFW appliance.
Limitations:
  • The switch functionality is only supported on Single Firewall engines that run on specific Forcepoint NGFW appliances that have an integrated switch.
  • The integrated switch does not support VLAN tagging.