Add logical interfaces
Logical interface elements allow you to group interfaces together according to network segment and interface type.
Logical interfaces are used in the configuration of the following types of interfaces to represent one or more network interfaces:
- Capture interfaces on Firewalls, IPS Engines, and Layer 2 Firewalls
- Inline interfaces on IPS engines and Layer 2 Firewalls
- Inline IPS interfaces on Firewalls
- Inline Layer 2 Firewall interfaces on Firewalls
You cannot use the same logical interface to represent both capture interfaces and inline interfaces on the same engine. On Firewalls, you cannot use the same logical interface to represent both inline IPS interfaces and inline Layer 2 Firewall interfaces. Otherwise, a logical interface can represent any number or combination of physical interfaces or VLAN Interfaces.
There is one predefined logical interface element called default_eth. If you want to create both capture interfaces and inline interfaces on the same Engine, you must add at least one more logical interface.
On IPS engines and Layer 2 Firewalls, a logical interface element called System Communications is automatically assigned to interfaces that have an IP address that is used as the primary or backup Control IP address. You can use the System Communications logical interface to represent all Control IP addresses in IPS and Layer 2 Firewall Policies.
You can use logical interfaces in IPS Policies, Layer 2 Firewall Policies, and Layer 2 Interface Policies to limit the scope of your rules. You can use logical interfaces to create rules that match based on which interface the traffic was picked up from. For example, you can create a different logical interface for each VLAN and use them to create rules that apply only to traffic from a specific VLAN.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Configuration.
- Browse to Other Elements.
- Right-click Logical Interfaces, then select New Logical Interface.
- Configure the settings, then click OK.
Logical Interface Properties dialog box
Use this dialog box to define the properties of a Logical Interface.
Option | Definition |
---|---|
Name | The name of the element. |
Comment (Optional) |
A comment for your own reference. |
View interface as one LAN |
When selected, the engine treats VLANs associated with the Logical Interface as a single LAN. We recommend selecting this option only for capture interfaces in IDS deployments. Note: Selecting this option for inline interfaces can cause the Engine to treat the TCP time stamp of some TCP packets as
invalid and drop TCP packets in some environments. The Engine might consider the TCP time stamp invalid if the same
traffic passes through the Engine multiple times through the same inline interface.
|