Master Security Engines can have two types of physical interfaces: interfaces for the Master Security Engine’s own communications, and interfaces that are used by the Virtual Security Engines hosted on the Master Security Engine.
You must add at least one physical interface for the Master Security Engine’s own communications.
For Master Security Engine clusters, it is recommended to add at least two physical interfaces:
- An interface used for communications between the Management Server and the Master Security Engine.
- An interface for the heartbeat communications between the cluster nodes. The heartbeat traffic is critical to the functioning of the cluster, so it is highly recommended to have a dedicated heartbeat interface.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Right-click the Master Engine element, then select Edit <element type>.
- In the navigation pane on the left, browse to Interfaces.
- Click Add, then select Layer 3 Physical Interface.
- (Interface for Master Security Engine communications only) Define the physical interface properties.
  - From the Type drop-down list, select the interface type according to the engine role.
  - Do not select a Virtual Resource for an interface that is used for the Master Security Engine’s own communications.
  - In the Cluster MAC Address field, enter the MAC address for the Master Security Engine.
    Note: Do not use the MAC address of any actual network card on any of the Master Security Engine nodes.
    Note: Make sure that you set the interface speed correctly. When the bandwidth is set, the Master Security Engine always scales the total amount of traffic on this interface to the bandwidth you defined. The bandwidth is scaled even if there are no bandwidth limits or guarantees defined for any traffic.
- (Interface for hosted Virtual Security Engine communications only) Define the physical interface properties.
  - From the Type drop-down list, select the interface type according to the engine role.
  - (Virtual IPS only) From the Failure Mode drop-down list, select how traffic to the inline interface is handled if the Virtual IPS engine goes offline.
    Note: If there are VLAN interfaces under the inline interface, select Bypass.
    CAUTION: Using Bypass mode requires the Master Security Engine appliance to have a fail-open network interface card. If the ports that represent the pair of inline interfaces on the appliance cannot fail open, the policy installation fails on the Virtual IPS engine. Bypass mode is not compatible with VLAN retagging. In network environments where VLAN retagging is used, normal mode is automatically enforced.
  - From the Virtual Resource drop-down list, select the Virtual Resource element associated with the interface. Select the same Virtual Resource in the properties of the Virtual Security Engine to add the Virtual IPS engine to the Master Security Engine.
    Note: Only one Virtual Resource can be selected for each physical interface. If you want to add multiple Virtual Resources, add VLAN interfaces to the physical interface and select the Virtual Resource in the VLAN interface properties.
- Click OK.
  The physical interface is added to the interface list.
- Click Save.
Next steps
Continue the configuration in one of the following ways:
- Add VLANs to physical interfaces.
- Add IP addresses to the physical interfaces used for Master Security Engine communications.