Add IP addresses to Firewall Cluster interfaces
To route traffic through the firewall, each Firewall Cluster interface must have at least two IP addresses.
Firewall Clusters can have two types of IP addresses.
Interface type | Description | When to use it |
---|---|---|
Cluster Virtual IP address (CVI) |
An IP address that is used to handle traffic routed through the cluster for inspection. All nodes in a cluster share this IP address. Allows other devices to communicate with the Firewall Cluster as a single entity. |
Define a CVI for the interface if traffic that the firewall inspects is routed to or from the interface. |
Node Dedicated IP address (NDI) |
An IP address that is used for traffic to or from an individual node in a cluster. Each node in the cluster has a specific IP address that is used as the NDI. Used for the heartbeat connections between the engines in a cluster, for control connections from the Management Server, and other traffic to or from individual nodes. |
Define at least two NDIs: one for management connections and one for the heartbeat traffic between the nodes. We recommend that you define an NDI for each interface that has a CVI, if practical. Some features might not work reliably without an NDI. |
You can define several CVIs and NDIs on the same physical interface or VLAN interface. A physical interface or a VLAN interface can have only a CVI or only an NDI.
IPv6 addresses are supported on Firewall Clusters with dispatch clustering mode. IPv6 and IPv4 addresses can be used together on the same Firewall Cluster.