Add SSID Interfaces for Single Firewalls

You can define several SSID Interfaces for the Wireless Interface.

An SSID (service set identifier) interface represents an 802.11 wireless LAN. You can define several SSID Interfaces for the Wireless Interface.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click a Single Firewall and select Edit Single Firewall.
    The Engine Editor opens.
  2. In the navigation pane on the left, select Interfaces.
    The Interfaces pane opens on the right.
  3. Right-click the Wireless Interface, then select New SSID Interface.
  4. Define the SSID Interface properties.
  5. If you want to configure additional settings for the SSID Interface, continue the configuration in one of the following ways:
    • Configure security settings for the wireless connections.
    • Filter wireless connections based on the clients’ MAC addresses.
    • Activate the internal DHCP server on the SSID Interface.
    • Add an IPv4 address to the interface.
  6. Otherwise, save the changes to the SSID Interface.
    1. Click OK to close the SSID Interface Properties dialog box.
    2. Click Save and Refresh.

SSID Interface Properties dialog box

Use this dialog box to configure properties for SSID interfaces.

Option Definition
General tab
Wireless Network Name (SSID) The name that identifies the network to the end users.
Wireless SSID Broadcast
  • Enabled — Users can see the Wireless Network Name (SSID) in their list of available networks.
  • Disabled — Users must manually enter the Wireless Network Name (SSID) to connect.
Note: Even if you disable SSID broadcast, anyone within range can discover your wireless network with detection tools widely available on the Internet.
MAC Address Type
  • Hardware — The MAC address of the appliance’s wireless card.
    Note: The first SSID Interface is automatically assigned the MAC address of the wireless card.
  • Custom — Enter the custom MAC address in the MAC Address field.
MAC Address

(When MAC Address Type is Custom)

Enter the custom MAC address.
Zone

(Optional)

Select the network zone to which the interface belongs. Click Select to select an element, or click New to create an element.
Comment

(Optional)

A comment for your own reference.
Option Definition
QoS Mode

(Optional)

Defines how QoS is applied to the link on this interface.

If Full QoS or DSCP Handling and Throttling is selected, a QoS policy must also be selected. If Full QoS is selected, the throughput must also be defined.

If the interface is a Physical Interface, the same QoS mode is automatically applied to any VLANs created under it.

QoS Policy

(When QoS Mode is Full QoS or DSCP Handling and Throttling)

The QoS policy for the link on this interface.

If the interface is a Physical Interface, the same QoS policy is automatically selected for any VLANs created under it.

Note: If a Virtual Resource has a throughput limit defined, the interfaces on the Virtual Engine that use a QoS policy all use the same policy. The policy used in the first interface is used for all the interfaces.
Interface Throughput Limit

(When QoS Mode is Full QoS)

Enter the throughput for the link on this interface as megabits per second.

If the interface is a Physical Interface, the same throughput is automatically applied to any VLANs created under it.

The throughput is for uplink speed (outgoing traffic) and typically must correspond to the speed of an Internet link (such as an ADSL line), or the combined speeds of several such links when connected to a single interface.

CAUTION:
Make sure that you set the interface speed correctly. When the bandwidth is set, the Engine always scales the total amount of traffic on this interface to the bandwidth you defined. This scaling happens even if there are no bandwidth limits or guarantees defined for any traffic.
CAUTION:
The throughput for a Physical Interface for a Virtual Engine must not be higher than the throughput for the Master Engine interface that hosts the Virtual Engine. Contact the administrator of the Master Engine before changing this setting.
Option Definition
Security tab
Security Mode
  • Disabled — Wireless traffic is not encrypted. Anyone within range can freely use and intercept traffic from this wireless network. We do not recommend using this setting.
  • WEP Open System — After the clients have connected to the Firewall, the wireless traffic is encrypted with a 40-bit or 104-bit WEP (Wired Equivalent Privacy/Wireless Encryption Protocol) key. We do not recommend this security mode. If you must use WEP for compatibility reasons, use WEP Shared Key.
    Note: Some wireless clients do not support the 802.11n wireless mode with the WEP security mode.
  • WEP Shared Key — The connecting clients are authenticated using WEP (Wired Equivalent Privacy/ Wireless Encryption Protocol). The wireless traffic is encrypted with a 40-bit or 104-bit key. We do not recommend this security mode unless you must use WEP for compatibility reasons.
    Note: Some wireless clients do not support the 802.11n wireless mode with the WEP security mode.
  • WPA Personal — Wireless traffic is encrypted using the WPA or WPA2 protocol. Three encryption modes are available: TKIP (Temporal Key Integrity Protocol), AES Advanced Encryption Standard), or both TKIP and AES.
  • WPA Enterprise — Same as WPA Personal, but RADIUS-based authentication methods provided by an external authentication server are used to authenticate the users. This option is the most secure, and it is recommended if external RADIUS authentication is available.
Key Length

(When Security Mode is WEP Open System or WEP Shared Key)

Select the encryption key length for WEP.
Default Key

(When Security Mode is WEP Open System or WEP Shared Key)

Select the encryption key to use by default for WEP.
Key

(When Security Mode is WEP Open System or WEP Shared Key)

Enter 1–4 decryption keys for WEP. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
WPA Mode

(When Security Mode is WPA Personal or WPA Enterprise)

Select the encryption mode to use for WPA.
Pre-Shared Key

(When Security Mode is WPA Personal)

Enter the pre-shared key for WPA Personal. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Authentication Method

(When Security Mode is WPA Enterprise)

Click Select to select the authentication method for WPA Enterprise.
Option Definition
MAC Filtering tab
MAC Filtering Mode
  • Disabled — Connecting clients are not filtered based on their MAC addresses.
  • Accept Unless in Denied MAC List — Clients whose MAC addresses are on the list of denied MAC addresses cannot connect.
  • Deny Unless in Allowed MAC List — Only clients whose MAC addresses are on the list of allowed MAC addresses can connect.
Click Add to add a row to the table, or Remove to remove the selected row.
Option Definition
DHCPv4 or DHCPv6 tab
DHCP Mode Select the DHCP mode:
  • Disabled — DHCP relay is disabled.
  • DHCP Relay — Enables DHCP relay on the interface.
  • DHCP Server (DHCPv4 only) — Activates the integrated DHCP server on the interface.
Option Definition
DHCPv4 or DHCPv6 tab, DHCPv4 Relay or DHCPv6 Relay settings

(When DHCP Mode is DHCPv4 Relay or DHCPv6 Relay)

Resources section. Add elements from this list to the list in the Content section. Click Add to add an element to the list, or Remove to remove the selected element. You can also drag and drop elements.
Filter Allows you to filter the elements shown.
Up Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools A menu that contains various options, such as for creating new elements or showing elements that have been moved to the Trash.
Max Packet Size Set the maximum allowed packet size.
DHCP Relay Select the CVI or IP address you want to use for DHCP relay.
Trusted Circuit When selected, DHCP relay agents that terminate switched or permanent circuits and can identify the remote host end of the circuit are allowed to add the Remote-ID option to the DHCP messages before relaying them.
Option Definition
DHCPv4 tab, DHCPv4 Server settings

(When DHCP Mode is DHCPv4 Server)

DHCP Address range Defines the DHCP address range that the Firewall assigns to clients in one of the following ways:
  • Select — Allows you to select an address range element.
  • Address — Allows you to enter a single IP address or an IP address range.
On Firewall Clusters, the DHCP address range is automatically divided between the nodes.
Note: The DHCP address range must be in the same network space defined for the Physical Interface. The DHCP address range must not contain the Firewall's NDI or CVI addresses or broadcast IP addresses of networks behind the Firewall.
Primary DNS Server Enter the primary DNS server IP address that clients use to resolve domain names.

If there is a listening IP address for DNS Relay on the same interface, clients use the DNS services provided by the firewall by default. If you want clients to use a different external DNS server, enter the IP address of the external DNS server.

Secondary DNS Server Enter the secondary DNS server IP address that clients use to resolve domain names.
Primary WINS Server Enter the primary WINS server IP address that clients use to resolve NetBIOS computer names.
Secondary WINS Server Enter the secondary WINS server IP address that clients use to resolve NetBIOS computer names.
Default Gateway Enter the IP address through which traffic from clients is routed.
Default Lease Time Enter the time after which IP addresses assigned to clients must be renewed.
Domain Name Search List

(Optional)

Enter a comma-separated Domain Name Search List to configure DNS search suffixes.
Override DHCP Ranges per Node

(Firewall Clusters only)

Enter the DHCP address range for each node.
CAUTION:
Enter unique ranges for each node. Overlapping ranges can cause IP address duplication.
Option Definition
Advanced tab

(All optional settings)

Override Engine's Default Settings When selected, the default settings of the Engine are overridden.
SYN Rate Limits
  • Default — The interface uses the SYN rate limits defined for the Engine on the Advanced Settings branch of the Engine Editor.
  • None — Disables SYN rate limits on the interface.
  • Automatic — This is the recommended mode if you want to override the general SYN rate limits defined on the Advanced Settings branch of the Engine Editor. The Engine calculates the number of allowed SYN packets per second and the burst size (the number of allowed SYNs before the Engine starts limiting the SYN rate) based on the Engine’s capacity and memory size.
  • Custom — Enter the values for Allowed SYNs per Second and Burst Size.
Allowed SYNs per Second Defines the number of allowed SYN packets per second.
Burst Size The number of allowed SYNs before the Engine starts limiting the SYN rate.

We recommend that you set the burst size to be at least one tenth of the Allowed SYNs per Second value. If the burst size is too small, SYN rate limits do not work. For example, if the value for Allowed SYNs per Second is 10000, set the value for Burst Size to at least 1000.

Enable Log Compression

By default, each generated Antispoofing and Discard log entry is logged separately and displayed as a separate entry in the Logs view. Log Compression settings allow you to define the maximum number of separately logged entries. When the defined limit is reached, a single antispoofing log entry or Discard log entry is logged. The single entry contains information about the total number of the generated Antispoofing log entries or Discard log entries. After this log entry, the logging returns to normal and all generated entries are once more logged and displayed separately. Log Compression is useful when the routing configuration generates a large volume of antispoofing logs or the number of Discard logs becomes high.

For each event type, Antispoofing or Discard, you can define:
  • Log Rate (Entries/s) — The maximum number of entries per second. The default value for antispoofing entries is 100 entries/s. By default, Discard log entries are not compressed.
  • Burst Size (Entries) — The maximum number of matching entries in a single burst. The default value for antispoofing entries is 1000 entries. By default, Discard log entries are not compressed.
Set to Default Returns all changes to the log compression settings to the default settings.
Send IPv6 Router Advertisements Select and specify what configuration information is offered in the Router Advertisement messages to devices that connect to the same network as the firewall.
Managed address configuration When selected, the router advertisement messages that the Firewall sends instruct the hosts to use the DHCPv6 protocol to acquire IP addresses and other configuration information.
Other configuration When selected, the router advertisement messages that the Firewall sends instruct the hosts to acquire the IPv6 prefix and the default route information from the router advertisement messages, and to use the DHCPv6 protocol to acquire other configuration information (such as DNS server addresses).