Types of interfaces for NGFW Engines in the Firewall/VPN role

You can configure several types of interfaces for NGFW Engines in the Firewall/VPN role.

Table 1. Types of interfaces for NGFW Engines in the Firewall/VPN role

Each entry below lists the interface type, the purpose of the interface, and its limitations.

Layer 3 physical
  Purpose: System communications and traffic inspection.
  Limitations:
  • You cannot add both VLAN Interfaces and IP addresses to a Physical Interface. If an IP address is already configured for a Physical Interface, adding a VLAN Interface removes the IP address. If you plan to use VLAN Interfaces, configure the VLAN Interfaces first and then add IP addresses to the VLAN Interfaces.

Layer 2 physical
  Purpose: Traffic inspection. Layer 2 interfaces on NGFW Engines in the Firewall/VPN role allow the engine to provide the same kind of traffic inspection that is available for NGFW Engines in the IPS and Layer 2 Firewall roles.
  Limitations:
  • You cannot add layer 2 physical interfaces of the Inline Layer 2 Firewall type to Firewall Clusters in Load Balancing mode. Only Standby mode is supported.
  • You cannot add IP addresses to layer 2 physical interfaces on NGFW Engines in the Firewall/VPN role.
  • VLAN retagging is not supported on layer 2 physical interfaces of the Inline IPS type.

VLAN
  Purpose: Divides a single physical interface into several virtual interfaces.
  Limitations:
  • You cannot add VLAN Interfaces on top of other VLAN Interfaces (nested VLANs).
  • You cannot create valid VLAN Interfaces in a Virtual NGFW Engine if the Master NGFW Engine interface that hosts the Virtual NGFW Engine is a VLAN Interface.

ADSL (Single Firewalls only)
  Purpose: Represents the ADSL port of a purpose-built Forcepoint NGFW appliance.
  Limitations:
  • An ADSL Interface is only supported on Single Firewall engines that run on specific legacy Forcepoint NGFW appliances that have an ADSL network interface card.

Modem (Single Firewalls only)
  Purpose: Represents a mobile broadband modem connected to a USB port on a purpose-built Forcepoint NGFW appliance.
  Limitations:
  • A Modem Interface is only supported on Single Firewall engines that run on specific Forcepoint NGFW appliances.
  • Modem Interfaces do not support VLAN tagging.

Tunnel
  Purpose: A logical interface that is used as an endpoint for tunnels in route-based VPNs.
  Limitations:
  • Tunnel Interfaces can only have static IP addresses.
  • Tunnel Interfaces do not support VLAN tagging.

VPN Broker
  Purpose: A specialized interface for use with the VPN Broker. For more information about VPN Broker, see the Forcepoint NGFW Manager and VPN Broker Product Guide.
  Limitations:
  • This type of interface is only supported for use with the VPN Broker.

Wireless (Single Firewalls only)
  Purpose: Represents a wireless network interface card of a purpose-built Forcepoint NGFW appliance.
  Limitations:
  • A Wireless Interface is only supported on Single Firewall engines that run on specific Forcepoint NGFW appliances that have a wireless network interface card.

Switch (Single Firewalls only)
  Purpose: Represents the switch functionality on a purpose-built Forcepoint NGFW appliance.
  Limitations:
  • The switch functionality is only supported on Single Firewall engines that run on specific Forcepoint NGFW appliances that have an integrated switch.
  • The ports in the integrated switch do not support VLAN tagging or PPPoE.
  • You cannot use ports on the integrated switch as the control interface.