Types of interfaces for Secure SD-WAN Engines in the Engine/VPN role

You can configure several types of interfaces for Secure SD-WAN Engines in the Engine/VPN role.

Table 1. Types of interfaces for Secure SD-WAN Engines in the Engine/VPN role
Interface type: Layer 3 physical
Purpose of interface: System communications and traffic inspection.
Limitations: You cannot add both VLAN Interfaces and IP addresses to a Physical Interface. If an IP address is already configured for a Physical Interface, adding a VLAN Interface removes the IP address. If you plan to use VLAN Interfaces, configure the VLAN Interfaces first and then add IP addresses to the VLAN Interfaces.

Interface type: Layer 2 physical
Purpose of interface: Traffic inspection. Layer 2 interfaces on Secure SD-WAN Engines in the Engine/VPN role allow the engine to provide the same kind of traffic inspection that is available for Secure SD-WAN Engines in the IPS and Layer 2 Engine roles.
Limitations:
  • You cannot add layer 2 physical interfaces of the Inline Layer 2 Engine type to Engine Clusters in Load Balancing mode. Only Standby mode is supported.
  • You cannot add IP addresses to layer 2 physical interfaces on Secure SD-WAN Engines in the Engine/VPN role.
  • VLAN retagging is not supported on layer 2 physical interfaces of the inline IPS type.

Interface type: VLAN
Purpose of interface: Divides a single physical interface into several virtual interfaces.
Limitations:
  • You cannot add VLAN interfaces on top of other VLAN Interfaces (nested VLANs).
  • You cannot create valid VLAN Interfaces in a Virtual Engine if the Master Engine interface that hosts the Virtual Engine is a VLAN Interface.

Interface type: Modem (Single Engines only)
Purpose of interface: Represents a mobile broadband modem connected to a USB port on a purpose-built Secure SD-WAN Engine appliance.
Limitations:
  • A Modem Interface is only supported on Single Engines that run on specific Secure SD-WAN Engine appliances.
  • Modem Interfaces do not support VLAN tagging.

Interface type: Tunnel
Purpose of interface: A logical interface that is used as an endpoint for tunnels in route-based VPNs.
Limitations:
  • Tunnel Interfaces can only have static IP addresses.
  • Tunnel Interfaces do not support VLAN tagging.

Interface type: VPN Broker
Purpose of interface: A specialized interface for use with the VPN Broker. For more information about VPN Broker, see the Forcepoint NGFW Manager and VPN Broker Product Guide.
Limitations: This type of interface is only supported for use with the VPN Broker.

Interface type: Wireless (Single Engines only)
Purpose of interface: Represents a wireless network interface card of a purpose-built Secure SD-WAN Engine appliance.
Limitations: A Wireless Interface is only supported on Single Engines that run on specific Secure SD-WAN Engine appliances that have a wireless network interface card.

Interface type: Switch (Single Engines only)
Purpose of interface: Represents the switch functionality on a purpose-built Secure SD-WAN Engine appliance.
Limitations:
  • The switch functionality is only supported on Single Engines that run on specific Secure SD-WAN Engine appliances that have an integrated switch.
  • The ports in the integrated switch do not support VLAN tagging or PPPoE.
  • You cannot use ports on the integrated switch as the control interface.
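
The limitations in Table 1 can be checked against a planned interface layout before any change is made in the management client, which catches the case where adding a VLAN Interface would remove an existing IP address. The following is an added example, not Forcepoint code or an SMC API: the Iface record, its kind and l2_type strings, the check_plan function and the sample plan are all hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Iface:  # hypothetical planning record, not an SMC object or export format
    name: str
    kind: str                 # l3 | l2 | vlan | modem | tunnel | wireless | switch_port
    ips: list = field(default_factory=list)  # [(address, "static" | "dynamic")]
    parent: str = ""          # vlan only: name of the hosting interface
    l2_type: str = ""         # l2 only, e.g. "inline_l2_engine"
    control: bool = False     # planned as the control interface

NO_VLAN_TAGGING = {"modem", "tunnel", "switch_port"}
SINGLE_ENGINE_ONLY = {"modem", "wireless", "switch_port"}

def check_plan(ifaces, engine="single", cluster_mode=""):
    """Return 'name: problem' strings for the Table 1 limitations a plan breaks."""
    by_name = {i.name: i for i in ifaces}
    vlan_hosts = {i.parent for i in ifaces if i.kind == "vlan"}
    out = []
    for i in ifaces:
        host = by_name.get(i.parent) if i.kind == "vlan" else None
        if host and host.kind == "vlan":
            out.append(f"{i.name}: nested VLAN on {host.name}")
        if host and host.kind in NO_VLAN_TAGGING:
            out.append(f"{i.name}: {host.kind} interfaces do not support VLAN tagging")
        if i.kind == "l3" and i.ips and i.name in vlan_hosts:
            out.append(f"{i.name}: has IP addresses and VLANs; adding a VLAN removes the IP")
        if i.kind == "l2" and i.ips:
            out.append(f"{i.name}: layer 2 interfaces cannot have IP addresses")
        if i.l2_type == "inline_l2_engine" and engine == "cluster" and cluster_mode != "standby":
            out.append(f"{i.name}: Inline Layer 2 Engine needs a Standby mode cluster")
        if i.kind == "tunnel" and any(mode != "static" for _, mode in i.ips):
            out.append(f"{i.name}: tunnel interfaces need static IP addresses")
        if i.kind in SINGLE_ENGINE_ONLY and engine != "single":
            out.append(f"{i.name}: {i.kind} is supported on Single Engines only")
        if i.kind == "switch_port" and i.control:
            out.append(f"{i.name}: integrated switch ports cannot be the control interface")
    return out

# Constructed sample plan (addresses are from documentation ranges).
PLAN = [
    Iface("eth0", "l3", ips=[("192.0.2.1", "static")], control=True),
    Iface("eth1", "l3", ips=[("198.51.100.1", "static")]),
    Iface("eth1.10", "vlan", parent="eth1"),
    Iface("eth1.10.20", "vlan", parent="eth1.10"),
    Iface("tun0", "tunnel", ips=[("203.0.113.5", "dynamic")]),
    Iface("eth2", "l2", l2_type="inline_l2_engine"),
]
```

Calling check_plan(PLAN, engine="cluster", cluster_mode="load_balancing") reports eth1, eth1.10.20, tun0 and eth2; the eth1 finding is the one to resolve first, by moving its address onto a VLAN Interface.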