Select system communication roles for Firewall Cluster interfaces

Select which IP addresses are used for particular roles in system communications.

For example, you can select which IP addresses are used in communications between the Firewall Cluster and the Management Server.

The interfaces you have defined are shown as a tree-table on the Interfaces tab. Global interface options have codes in the tree-table.
Table 1. Interface option codes
Code Description
A The interface that has the IP address used as the identity for authentication requests.
C The interfaces that have the primary and backup control IP addresses.
H The primary and backup heartbeat Interfaces.
O The default IP address for outgoing connections.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the navigation pane on the left, select Interfaces > Interface Options.
  2. Select the interface options.
    1. From the Primary control IP address drop-down list, select the primary control IP address that the Firewall Cluster uses for communications with the Management Server.
    2. (Optional, recommended) In the Backup control IP address drop-down list, select a backup control IP address that the Firewall Cluster uses for communications with the Management Server if the primary control IP address fails.
    3. If the Firewall Cluster's primary control IP address and backup control IP address are dynamic or if the Firewall Cluster is in an environment where only the Firewall Cluster can initiate connections to the Management Server, select Node-initiated contact to Management Server.
      When this option is selected, the Firewall Cluster opens a connection to the Management Server and maintains connectivity.
    4. From the Primary heartbeat drop-down list, select the primary interface for communications between the nodes.
      We recommend using a physical interface, not a VLAN interface. We strongly recommend that you do not direct any other traffic through this interface. A dedicated network (without other traffic) is recommended for security and reliability of heartbeat communication.
      CAUTION:
      Primary and backup heartbeat networks exchange confidential information. If dedicated networks are not possible, configure the cluster to encrypt the exchanged information.
    5. From the Backup heartbeat drop-down list, select the backup heartbeat interface that is used if the primary heartbeat interface is unavailable.
      It is not mandatory to configure a backup heartbeat interface, but we strongly recommend it. If heartbeat traffic is not delivered, the cluster cannot operate and traffic is disturbed. We strongly recommend that you use a dedicated interface for the backup heartbeat as well.
    6. From the Identity for Authentication Requests drop-down list, select the IP address that identifies the firewall to external authentication servers.
      Note: This selection has no effect on routing.
    7. (Optional) From the Source for Authentication Requests drop-down list, select the IP address that identifies the firewall when it sends an authentication request to an external authentication server over a VPN.
      Note: This selection has no effect on routing.
    8. From the Default IP Address for Outgoing Traffic field, select the IP address that the nodes use if they have to initiate connections through an interface that has no Node Dedicated IP address.
  3. Click Save.

Next steps

Continue the configuration in one of the following ways:
  • If an interface used for external connections has only a Cluster Virtual IP address, add manual ARP entries for the nodes.
  • Bind the engine licenses to the nodes in the Firewall Cluster.