Select system communication roles for Layer 2 Firewall interfaces
Interface options allow you to select which interfaces are used for which types of system communications.
- Which IP addresses are used as the primary and backup Control IP address
- Which interfaces are used as the primary and backup Heartbeat Interface (Layer 2 Firewall Clusters only)
- The default IP address for outgoing traffic
- As the primary Control IP address
- As the primary Heartbeat Interface (Layer 2 Firewall Clusters only)
- As the default IP address for outgoing traffic
You can optionally change which physical interface is used for each of these purposes. You can also define a backup Control IP address and backup Heartbeat Interface (Layer 2 Firewall Clusters only).
For more details about the product and how to configure features, click Help or press F1.
Steps
Engine Editor > Interfaces > Interface Options
Use this branch to define which IP addresses are used in particular roles in the NGFW Engine's system communications.
Option | Definition |
---|---|
Control Interface (Not Virtual Firewalls) | Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the NGFW Engine. |
Node-Initiated Contact to Management Server | When selected, the NGFW Engine opens a connection to the Management Server and maintains connectivity. This option is always used with a dynamic control IP address, so it is always selected if the control IP address is dynamic. If the connection is not open when you command the NGFW Engine through the Management Client, the command is left pending until the NGFW Engine opens the connection again. Note: This option is not supported for IPS Clusters, Layer 2 Firewall Clusters, or Virtual NGFW Engines. |
Heartbeat Interface (Clusters and Master NGFW Engines only) | On Master NGFW Engines, you cannot use shared interfaces as a heartbeat interface. |
IPv4 Identity for Authentication Requests or IPv6 Identity for Authentication Requests | The IPv4 address or IPv6 address of the selected interface is used when an NGFW Engine contacts an external authentication server. This option does not affect the routing of the connection with the authentication server. The IP address is used only as a parameter inside the authentication request payload to give a name to the request sender. |
IPv4 Source for Authentication Requests or IPv6 Source for Authentication Requests | By default, specifies the source IPv4 address or IPv6 address for authentication requests according to routing. If the authentication requests are sent to an external authentication server over VPN, select an interface with a Node Dedicated IP address that you want to use for the authentication requests. |
Default IP Address for Outgoing Traffic | Specifies the IP address that the NGFW Engine uses to initiate connections (such as for system communications and ping) through an interface that has no Node Dedicated IP Address. In clusters, you must select an interface that has an IP address defined for all nodes. |
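
The difference between the identity and the source of an authentication request, shown as an added example (not code from the product or its documentation). It assumes the external authentication server speaks RADIUS, which this page does not state; under that assumption the identity travels as the NAS-IP-Address attribute of RFC 2865. The addresses, user name and shared secret are constructed.

```python
import hashlib
import ipaddress
import os
import struct

# RFC 2865 codes and attribute types used here
ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 1, 2, 4

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: MD5 chain over 16-byte blocks."""
    padded = password.ljust(-(-max(len(password), 1) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(user: str, password: str, secret: bytes, identity_ip: str) -> bytes:
    """identity_ip plays the role of the 'Identity for Authentication Requests' option."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(identity_ip).packed))
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or not 2 <= packet[pos + 1] <= len(packet) - pos:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def server_view(packet: bytes, packet_source_ip: str) -> dict:
    """The source comes from the IP header, the identity from the payload."""
    identity = str(ipaddress.IPv4Address(parse_attributes(packet)[NAS_IP_ADDRESS]))
    return {"source": packet_source_ip, "identity": identity,
            "differs": identity != packet_source_ip}

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, made-up user and secret.
    pkt = build_access_request("alice", "example-pass", b"constructed-secret", "192.0.2.10")
    print(server_view(pkt, packet_source_ip="198.51.100.7"))
```

A RADIUS server selects the client entry and shared secret by the packet's source address, so the server's client list has to match the Source setting, while logs and policies keyed on NAS-IP-Address follow the Identity setting.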