Add layer 3 physical interfaces to Master NGFW Engines

Master NGFW Engines can have two types of physical interfaces: interfaces for the Master NGFW Engine’s own communications, and interfaces that are used by the Virtual NGFW Engines hosted on the Master NGFW Engine.

You must add at least one physical interface for the Master NGFW Engine’s own communications.

For Master NGFW Engine clusters, it is recommended to add at least two physical interfaces:
  • An interface used for communications between the Management Server and the Master NGFW Engine.
  • An interface for the heartbeat communications between the cluster nodes. The heartbeat traffic is critical to the functioning of the cluster, so it is highly recommended to have a dedicated heartbeat interface.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click the Master NGFW Engine element, then select Edit <element type>.
  2. In the navigation pane on the left, browse to Interfaces.
  3. Click Add, then select Layer 3 Physical Interface.
  4. (Interface for Master NGFW Engine communications only) Define the physical interface properties.
    1. From the Type drop-down list, select the interface type according to the engine role.
    2. Do not select a Virtual Resource for an interface that is used for the Master NGFW Engine’s own communications.
    3. In the Cluster MAC Address field, enter the MAC address for the Master NGFW Engine.
      Note: Do not use the MAC address of any actual network card on any of the Master NGFW Engine nodes.
    Note: Make sure that you set the interface speed correctly. When the bandwidth is set, the Master NGFW Engine always scales the total amount of traffic on this interface to the bandwidth you defined. The bandwidth is scaled even if there are no bandwidth limits or guarantees defined for any traffic.
  5. (Interface for hosted Virtual NGFW Engine communications only) Define the physical interface properties.
    1. From the Type drop-down list, select the interface type according to the engine role.
    2. (Virtual IPS only) From the Failure Mode drop-down list, select how traffic to the inline interface is handled if the Virtual IPS engine goes offline.
      Note: If there are VLAN interfaces under the inline interface, select Bypass.
      CAUTION: Using Bypass mode requires the Master NGFW Engine appliance to have a fail-open network interface card. If the ports that represent the pair of inline interfaces on the appliance cannot fail open, the policy installation fails on the Virtual IPS engine. Bypass mode is not compatible with VLAN retagging. In network environments where VLAN retagging is used, normal mode is automatically enforced.
    3. From the Virtual Resource drop-down list, select the Virtual Resource element associated with the interface.
      Select the same Virtual Resource in the properties of the Virtual NGFW Engine to add the Virtual IPS engine to the Master NGFW Engine.
      Note: Only one Virtual Resource can be selected for each physical interface. If you want to add multiple Virtual Resources, add VLAN interfaces to the physical interface and select the Virtual Resource in the VLAN interface properties.
  6. Click OK.
    The physical interface is added to the interface list.
  7. Click Save.
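
The constraints in the steps above can be checked against a planned interface layout before it is entered in the Management Client. The following is an added example, not Forcepoint code, and it does not use any SMC API; the plan dictionary, its field names and the sample values are assumptions made for this illustration.

```python
def _norm(mac):
    return mac.lower().replace("-", ":")

def check_plan(plan):
    """Lint a planned Master NGFW Engine interface layout (hypothetical schema)."""
    node_macs = {_norm(m) for m in plan["node_nic_macs"]}
    own = [i for i in plan["interfaces"] if i["role"] == "master"]
    hosted = [i for i in plan["interfaces"] if i["role"] == "virtual"]
    out = []
    if not own:
        out.append("ERROR: no interface for the Master NGFW Engine's own communications")
    if plan["clustered"]:
        uses = [set(i["uses"]) for i in own]
        if not any("management" in u for u in uses):
            out.append("WARN: no interface for Management Server communications")
        if not any(u == {"heartbeat"} for u in uses):
            out.append("WARN: no dedicated heartbeat interface")
    for i in own:
        if i.get("virtual_resources"):
            out.append(f"ERROR: if{i['id']}: Virtual Resource selected on a Master NGFW Engine interface")
        if i.get("cluster_mac") and _norm(i["cluster_mac"]) in node_macs:
            out.append(f"ERROR: if{i['id']}: Cluster MAC Address belongs to a real network card")
    for i in hosted:
        if len(i.get("virtual_resources", [])) > 1:
            out.append(f"ERROR: if{i['id']}: several Virtual Resources; move them to VLAN interfaces")
        mode = i.get("failure_mode")  # set only for Virtual IPS inline interfaces
        if mode == "normal" and i.get("vlans"):
            out.append(f"WARN: if{i['id']}: VLANs under an inline interface; select Bypass")
        if mode == "bypass" and not i.get("fail_open_nic"):
            out.append(f"ERROR: if{i['id']}: Bypass without a fail-open NIC; policy installation fails")
        if mode == "bypass" and i.get("vlan_retagging"):
            out.append(f"WARN: if{i['id']}: Bypass with VLAN retagging; normal mode is enforced")
    return out

# Constructed sample plan, not taken from a real deployment.
SAMPLE_PLAN = {
    "clustered": True,
    "node_nic_macs": ["00:50:56:aa:bb:01", "00:50:56:aa:bb:02"],
    "interfaces": [
        {"id": 0, "role": "master", "uses": ["management", "heartbeat"],
         "cluster_mac": "00-50-56-AA-BB-01"},
        {"id": 1, "role": "virtual", "virtual_resources": ["vr-a", "vr-b"]},
        {"id": 2, "role": "virtual", "virtual_resources": ["vr-c"],
         "failure_mode": "normal", "vlans": [10, 20]},
    ],
}

if __name__ == "__main__":
    print("\n".join(check_plan(SAMPLE_PLAN)))
```

The sample plan shares one interface between management and heartbeat traffic, reuses a node's NIC MAC as the Cluster MAC Address, places two Virtual Resources on one physical interface, and leaves an inline interface with VLANs in normal mode, so it produces four findings.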

Next steps

Continue the configuration in one of the following ways:
  • Add VLANs to physical interfaces.
  • Add IP addresses to the physical interfaces used for Master NGFW Engine communications.