Types of interfaces for Engines in the Firewall/VPN role

You can configure several types of interfaces for Engines in the Firewall/VPN role.

Table 1. Types of interfaces for Engines in the Firewall/VPN role
Interface type: Layer 3 physical
Purpose of interface: System communications and traffic inspection.
Limitations: You cannot add both VLAN Interfaces and IP addresses to a Physical Interface. If an IP address is already configured for a Physical Interface, adding a VLAN Interface removes the IP address. If you plan to use VLAN Interfaces, configure the VLAN Interfaces first and then add IP addresses to the VLAN Interfaces.

Interface type: Layer 2 physical
Purpose of interface: Traffic inspection. Layer 2 interfaces on Engines in the Firewall/VPN role allow the engine to provide the same kind of traffic inspection that is available for Engines in the IPS and Layer 2 Firewall roles.
Limitations:
  • You cannot add layer 2 physical interfaces of the Inline Layer 2 Firewall type to Firewall Clusters in Load Balancing mode. Only Standby mode is supported.
  • You cannot add IP addresses to layer 2 physical interfaces on Engines in the Firewall/VPN role.
  • VLAN retagging is not supported on layer 2 physical interfaces of the inline IPS type.

Interface type: VLAN
Purpose of interface: Divides a single physical interface into several virtual interfaces.
Limitations:
  • You cannot add VLAN interfaces on top of other VLAN Interfaces (nested VLANs).
  • You cannot create valid VLAN Interfaces in a Virtual Engine if the Master Engine interface that hosts the Virtual Engine is a VLAN Interface.

Interface type: ADSL
Purpose of interface: Represents the ADSL port of a purpose-built Engine appliance.
Limitations: An ADSL Interface is only supported on Single Firewall engines that run on specific legacy Engine appliances that have an ADSL network interface card.

Interface type: Modem (Single Firewalls only)
Purpose of interface: Represents a mobile broadband modem connected to a USB port on a purpose-built Engine appliance.
Limitations:
  • A Modem Interface is only supported on Single Firewall engines that run on specific Engine appliances.
  • Modem Interfaces do not support VLAN tagging.

Interface type: Tunnel
Purpose of interface: A logical interface that is used as an endpoint for tunnels in route-based VPNs.
Limitations:
  • Tunnel Interfaces can only have static IP addresses.
  • Tunnel Interfaces do not support VLAN tagging.

Interface type: VPN Broker
Purpose of interface: A specialized interface for use with the VPN Broker. For more information about VPN Broker, see the Forcepoint FlexEdge Secure SD-WAN Manager and VPN Broker Product Guide.
Limitations: This type of interface is only supported for use with the VPN Broker.

Interface type: Wireless (Single Firewalls only)
Purpose of interface: Represents a wireless network interface card of a purpose-built Engine appliance.
Limitations: A Wireless Interface is only supported on Single Firewall engines that run on specific Engine appliances that have a wireless network interface card.

Interface type: Switch (Single Firewalls only)
Purpose of interface: Represents the switch functionality on a purpose-built Engine appliance.
Limitations:
  • The switch functionality is only supported on Single Firewall engines that run on specific Engine appliances that have an integrated switch.
  • The ports in the integrated switch do not support VLAN tagging or PPPoE.
  • You cannot use ports on the integrated switch as the control interface.