Sharing interfaces on Master NGFW Engines

As an alternative to using an external, physical switch, you can add a single layer 3 physical interface on a Master NGFW Engine that can be shared by up to 250 Virtual Firewalls. In addition, VLAN interfaces under the physical interface can be shared.

For example, a managed security services provider (MSSP) can use a single layer 3 physical interface that is shared by multiple Virtual Firewalls, where each Virtual Firewall is dedicated to a different customer.

In addition to sharing a regular physical interface, the Virtual Firewalls can share aggregated link interfaces.

Each Virtual Firewall is identified by a unique unicast MAC address. The shared physical interface has a MAC address prefix (the first five octets of a MAC address) which groups the Virtual Firewalls together. The final octet of the MAC address, automatically taken from the Virtual Firewall ID, identifies the individual Virtual Firewall.
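
The addressing scheme above can be used to attribute source MAC addresses seen on the shared segment to a customer. The following is an added example, not Forcepoint code. It assumes the final octet is the Virtual Firewall ID written as one hexadecimal byte; the prefix, IDs, tenant names and observed addresses are constructed sample values.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def parse_prefix(prefix):
    """Parse a five-octet prefix and require it to be a unicast address."""
    octets = prefix.lower().split(":")
    if len(octets) != 5 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError("prefix must be five colon-separated hex octets")
    if int(octets[0], 16) & 0x01:  # I/G bit set: group address, not unicast
        raise ValueError("prefix is not a unicast address")
    return ":".join(octets)

def vfw_mac(prefix, vfw_id):
    """Prefix plus the Virtual Firewall ID as the sixth octet (assumed mapping)."""
    if not 0 <= vfw_id <= 0xFF:
        raise ValueError("Virtual Firewall ID does not fit in one octet")
    return f"{parse_prefix(prefix)}:{vfw_id:02x}"

def attribute(prefix, observed_mac, tenants):
    """Classify a source MAC seen on the shared segment."""
    mac = observed_mac.lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {observed_mac!r}")
    if mac[:14] != parse_prefix(prefix):
        return ("foreign", None)          # not one of this interface's Virtual Firewalls
    vfw_id = int(mac[15:], 16)
    if vfw_id not in tenants:
        return ("unassigned", vfw_id)     # right prefix, no Virtual Firewall with that ID
    return ("ok", tenants[vfw_id])

# Constructed sample data: locally administered unicast prefix, three tenants.
PREFIX = "02:00:5e:10:20"
TENANTS = {1: "customer-a", 2: "customer-b", 17: "customer-c"}
OBSERVED = ["02:00:5e:10:20:01", "02-00-5E-10-20-11", "02:00:5e:10:20:63", "00:1b:21:aa:bb:cc"]

if __name__ == "__main__":
    for mac in OBSERVED:
        print(mac, attribute(PREFIX, mac, TENANTS))
```

An "unassigned" result means a frame carries the shared prefix but no configured Virtual Firewall has that ID, which is worth investigating on a multi-tenant segment.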

Underneath shared interfaces, you can also add VLAN interfaces that are shared by multiple Virtual Firewalls.

The Virtual Firewalls that share an interface can communicate with each other if needed, but you must manually configure the routing and Access rules.

Limitations

Shared interfaces cannot be created when using the Convert NGFW Engine to Master Engine and Virtual NGFW Engines wizard. You must manually add the interfaces later.