Add IPv4 and IPv6 addresses to Firewall Cluster interfaces
You can add IPv4 and IPv6 addresses to layer 3 physical interfaces, VLAN interfaces, and tunnel interfaces on Firewall Clusters.
IPv6 addresses are supported on Firewall Clusters with dispatch clustering mode. IPv6 and IPv4 addresses can be used together on the same Firewall Cluster.
Firewall Clusters can have two types of IP addresses.
IP address type | Description | When to use it |
---|---|---|
Cluster Virtual IP address (CVI) | An IP address that is used to handle traffic routed through the cluster for inspection. All nodes in a cluster share this IP address, which allows other devices to communicate with the Firewall Cluster as a single entity. Each CVI inherits the MAC address defined for the physical interface. The MAC/IP address pair never changes; only the node that answers for the MAC address changes, to the current dispatcher node (packet dispatch). This makes the external network equipment forward traffic to the correct node for dispatching. The CVIs on different physical interfaces cannot have duplicate MAC addresses. | Define a CVI for the interface if traffic that the firewall inspects is routed to or from the interface. |
Node Dedicated IP address (NDI) | An IP address that is used for traffic to or from an individual node in a cluster. Each node in the cluster has a specific IP address that is used as the NDI. NDIs are used for the following purposes: When you define NDIs, you must define both node-specific properties (such as the node’s IP address) and properties that all nodes in the cluster share. All nodes must have the same netmask value for their NDI. | Define at least 2 NDIs: one for management connections and one for the heartbeat traffic between the nodes. We recommend that you define an NDI for each interface that has a CVI, if practical. Some features might not work reliably without an NDI. If there is a CVI without a corresponding NDI from the same network segment, communications that require an NDI ‘borrow’ an IP address. The address can be borrowed from another NDI on the same physical interface, VLAN interface, or aggregated link interface. If there is no NDI on the same physical interface, VLAN interface, or aggregated link interface, the default IP address for outgoing traffic is used. The ‘borrowed’ IP address works without issues with routers that strictly follow the ARP standard. You might need to create a static ARP entry for routers that do not strictly follow the ARP standard. |
You can define one or more CVI or NDI for the same physical interface or VLAN interface. You can also define only a CVI or only an NDI for a physical interface or VLAN interface. If the physical interface is an aggregated link, all interfaces that belong to the aggregated link share the IP address definitions.
You might also need to define a contact address if the CVI or NDI is private and NAT is used to translate the IP address to a different external IP address. The external IP address must be configured as the contact address in the following cases:
- Other SMC components must use the external IP address to contact this Firewall (NDI).
- This IP address is a VPN endpoint (CVI).
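As an added example (not SMC's own code), the following Python script checks a cluster interface definition against the rules stated above: CVIs on different physical interfaces must not share a MAC address, all nodes' NDIs must use the same netmask, at least two NDIs must exist (management and heartbeat), and a CVI with no NDI on its segment is flagged because node traffic would have to borrow an address. The `ClusterInterface` class and the sample cluster are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ClusterInterface:              # hypothetical model of one cluster interface
    name: str
    mac: str                                  # MAC of the physical interface (inherited by its CVI)
    cvi: str | None = None                    # address shared by all nodes, e.g. "10.0.1.1/24"
    ndis: dict[str, str] = field(default_factory=dict)  # node name -> "address/prefix"

def check_cluster(interfaces):
    """Return a list of findings; an empty list means the definition is consistent."""
    findings, cvi_macs = [], {}
    # Rule: at least 2 NDIs, one for management and one for heartbeat traffic
    if sum(1 for i in interfaces if i.ndis) < 2:
        findings.append("fewer than 2 interfaces carry an NDI (management and heartbeat)")
    for itf in interfaces:
        ndis = [ipaddress.ip_interface(a) for a in itf.ndis.values()]
        # Rule: all nodes must use the same netmask / prefix length for their NDI
        for ver in (4, 6):
            lens = {n.network.prefixlen for n in ndis if n.version == ver}
            if len(lens) > 1:
                findings.append(f"{itf.name}: IPv{ver} NDIs use different netmasks {sorted(lens)}")
        addrs = [n.ip for n in ndis]
        if itf.cvi is not None:
            cvi = ipaddress.ip_interface(itf.cvi)
            addrs.append(cvi.ip)
            # Rule: CVIs on different physical interfaces cannot have duplicate MAC addresses
            if itf.mac in cvi_macs:
                findings.append(f"{itf.name}: CVI MAC {itf.mac} duplicates {cvi_macs[itf.mac]}")
            cvi_macs[itf.mac] = itf.name
            # Recommendation: an NDI from the CVI's segment, otherwise nodes 'borrow' an address
            if cvi.network not in {n.network for n in ndis}:
                findings.append(f"{itf.name}: CVI {itf.cvi} has no NDI in {cvi.network} (address borrowing)")
        # The CVI and the NDIs on one interface must all be distinct addresses
        if len(set(addrs)) != len(addrs):
            findings.append(f"{itf.name}: duplicate address among CVI and NDIs")
    return findings

# Constructed sample: a two-node cluster whose DMZ interface (eth2) reuses eth0's MAC
# and has no NDI, and whose external NDIs disagree on the netmask.
SAMPLE = [
    ClusterInterface("eth0", "00:00:5e:00:01:01", cvi="192.0.2.1/24",
                     ndis={"node1": "192.0.2.11/24", "node2": "192.0.2.12/25"}),
    ClusterInterface("eth1", "00:00:5e:00:01:02",
                     ndis={"node1": "10.10.10.1/24", "node2": "10.10.10.2/24"}),
    ClusterInterface("eth2", "00:00:5e:00:01:01", cvi="198.51.100.1/24"),
]
```

Running `check_cluster(SAMPLE)` reports the netmask mismatch on eth0, the duplicate CVI MAC on eth2, and the missing NDI on eth2's segment.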
Steps
IP Address Properties dialog box (Firewall Cluster interface)
Use this dialog box to define the properties of a Firewall Cluster interface IP address.
Option | Definition |
---|---|
Cluster Virtual IP Address | When selected, enables the fields in the Cluster Virtual IP Address group of options. |
IPv4 Address | Enter the common IPv4 address for all nodes in the cluster. |
IPv6 Address | Enter the common IPv6 address for all nodes in the cluster. |
Comment | Adds a comment to the IP address. |
Option | Definition |
---|---|
Contact Addresses section | |
Default | Used by default whenever a component that belongs to another Location connects to this interface. |
Dynamic | Used when the interface has a dynamic contact address. |
Exceptions | Opens the Exceptions dialog box. |
Option | Definition |
---|---|
Node Dedicated IP Address table | |
Node Dedicated IP Address | When selected, each node has a dedicated IP address. |
Node ID | Shows the number assigned to the node. |
Node | Displays the name of the node. |
IPv4 Address | Enter a dedicated IPv4 address for each node. |
IPv6 Address | Enter a dedicated IPv6 address for each node. |
Contact Address (IPv4 address only) | The IP address that components belonging to another Location use to connect to the interface. Double-clicking opens the Exceptions dialog box. |
Comment | Adds a comment to the IP address. |
Option | Definition |
---|---|
Network Settings section | |
Netmask | Filled in automatically, as an IP address or as a netmask length (1–32). You can change this value if needed. |
Prefix Length (IPv6 address only) | Check the automatically filled-in Prefix Length and adjust it if necessary by entering a value between 0–128. |
Network Address | The Network Address is automatically filled in and cannot be edited. |
Broadcast IP Address (IPv4 address only) | The Broadcast IP Address is automatically filled in and cannot be edited. |
Resolve IP Address From DNS Name dialog box
Use this dialog box to resolve an IP address from a DNS name.
Option | Definition |
---|---|
DNS Name | The DNS name that you want to resolve. |
Resolve | Select to display a list of IP addresses that the DNS name resolves to. Note: The IP addresses are resolved by the computer running the Management Client. |
IP Address | Select the IP address that you want to use. |