Example: Layer 2 Firewall Inline Interfaces in Passive Firewall mode

An example of deploying a Layer 2 Firewall in Passive Firewall mode in the traffic path.

The administrator at company C wants to set up a Single Layer 2 Firewall and deploy it in Passive Firewall mode in an inline configuration. The following illustration shows the interfaces of the Single Layer 2 Firewall in Passive Firewall mode with Inline Interfaces.

Figure: Inline Interfaces in Passive Firewall Mode

In this example, the IP address on Interface ID 0 is configured as the Control IP address for management connections. Interface ID 1 and Interface ID 2 are an inline interface pair that share the Logical Interface, called Inline (Passive Terminate). Traffic comes in through Interface ID 1 and leaves through Interface ID 2.

The administrator does the following:
  1. Creates a Single Layer 2 Firewall element and selects the Log Server to which the Layer 2 Firewall engine sends its log data.
  2. Creates a Logical Interface called Inline (Passive Terminate) for the Inline Interface pair.
  3. Defines Interface ID 0 as a Normal Interface and adds an IP address to it.
  4. Defines Interface IDs 1 and 2 as an inline interface pair and selects the Logical Interface called Inline (Passive Terminate) for the pair.
  5. Configures the Layer 2 Firewall engine to only create Terminate (passive) log entries, instead of stopping the traffic:
    • For all connections that match Access rules with the Discard action in the Layer 2 Firewall Policy.
    • For all connections that match Inspection rules with the Terminate action in the Inspection Policy.
  6. Saves the initial configuration of the engine in the Management Client.
  7. Connects the network cables to the appropriate physical interfaces on the engine.
  8. Maps the interface IDs to the physical interfaces in the NGFW Configuration Wizard and makes initial contact with the Management Server.
  9. Installs a Layer 2 Firewall Policy in the Management Client to transfer the configuration to the engine.
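The point of the procedure above is that in Passive Firewall mode a Discard or Terminate match produces a Terminate (passive) log entry but the connection still leaves through Interface ID 2. The following toy model, written for this page and not taken from the product or its documentation, makes that difference visible: the same rule set is evaluated once in passive mode and once in enforcing mode, and only the verdicts change while the log entries stay available either way. The rule names, flows, signature string and log line format are all constructed for the example.

```python
"""Toy model of an inline Layer 2 Firewall pair in Passive Firewall mode.

Constructed example (not Forcepoint/Stonesoft product code). It models only the
decision logic described in the procedure: an Access rule with the Discard
action and an Inspection rule with the Terminate action either stop the
connection (enforcing mode) or only log it (Passive Firewall mode).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class AccessRule:
    name: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "Allow" or "Discard"


@dataclass(frozen=True)
class InspectionRule:
    name: str
    pattern: bytes         # constructed content signature, not a real one
    action: str            # "Terminate" or "Permit"


@dataclass
class Layer2Firewall:
    passive: bool                        # True = Passive Firewall mode
    access_rules: List[AccessRule]
    inspection_rules: List[InspectionRule]
    log: List[str] = field(default_factory=list)

    def process(self, flow: Flow) -> str:
        """Fate of a flow entering Interface ID 1: 'forwarded' (leaves via ID 2) or 'dropped'."""
        verdict = "forwarded"
        for rule in self.access_rules:
            if rule.dport is None or rule.dport == flow.dport:
                if rule.action == "Discard":
                    verdict = self._enforce("Discard", rule.name, flow)
                break  # first matching Access rule decides
        if verdict == "forwarded":
            for irule in self.inspection_rules:
                if irule.action == "Terminate" and irule.pattern in flow.payload:
                    verdict = self._enforce("Terminate", irule.name, flow)
                    break
        return verdict

    def _enforce(self, action: str, rule_name: str, flow: Flow) -> str:
        """Apply a Discard/Terminate match: log only in passive mode, drop otherwise."""
        where = f"{flow.src}->{flow.dst}:{flow.dport}"
        if self.passive:
            self.log.append(f"Terminate (passive) rule={rule_name} action={action} {where}")
            return "forwarded"
        self.log.append(f"{action} rule={rule_name} {where}")
        return "dropped"


# Constructed policy and sample flows for the demonstration.
ACCESS_RULES = [
    AccessRule("block-telnet", 23, "Discard"),
    AccessRule("allow-rest", None, "Allow"),
]
INSPECTION_RULES = [InspectionRule("test-signature", b"TEST-SIGNATURE", "Terminate")]
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1"),
    Flow("10.0.0.5", "192.0.2.10", 23),
    Flow("10.0.0.7", "192.0.2.10", 80, b"GET /?q=TEST-SIGNATURE HTTP/1.1"),
]


def run(passive: bool) -> Tuple[List[str], List[str]]:
    """Evaluate the sample flows; returns (verdicts, log entries)."""
    fw = Layer2Firewall(passive, ACCESS_RULES, INSPECTION_RULES)
    verdicts = [fw.process(f) for f in FLOWS]
    return verdicts, fw.log


if __name__ == "__main__":
    for mode in (True, False):
        verdicts, log = run(mode)
        print("Passive Firewall mode" if mode else "Enforcing mode", verdicts)
        for entry in log:
            print("  ", entry)
```

Running the script shows that passive mode forwards all three flows while still recording two Terminate (passive) entries, which is what makes this deployment useful for validating a policy against live traffic before switching the engine to enforce it.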