Add layer 3 physical interfaces to Firewall Clusters

To route traffic through the Firewall Cluster, you must define at least two layer 3 physical interfaces.

We recommend defining at least two interfaces for the Firewall Cluster:
  • An interface used for communications between the Management Server and the Firewall.
  • An interface for the heartbeat communications between the cluster nodes. The heartbeat traffic is critical to the functioning of the cluster, so we strongly recommend a dedicated heartbeat interface.

Although you can configure more interfaces at any later time, it is simplest to add more interfaces right away. This action allows traffic to be routed through the Firewall. You can use the Cluster installation worksheet to document the interfaces.

There are three types of layer 3 physical interfaces on Firewall Clusters:
  • An interface that corresponds to a single network interface on each node in the Firewall Cluster. In the Management Client, the interface type is None.
  • An aggregated link in high availability mode represents two interfaces on each node. Only the first interface in the aggregated link is actively used. The second interface becomes active only if the first interface fails.

    Connect the first interface in the link to one external switch and the second interface to another external switch.

  • An aggregated link in load balancing mode represents two or more interfaces (up to eight interfaces) on each node. All interfaces in the aggregated link are actively used and connections are automatically balanced between the interfaces.

    Link aggregation in load-balancing mode is implemented based on the IEEE 802.3ad Link Aggregation standard. Connect all interfaces to a single external switch. Make sure that the switch supports the Link Aggregation Control Protocol (LACP) and that LACP is configured on the switch.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the navigation pane on the left, browse to Interfaces.
  2. Select Add > Layer 3 Physical Interface.
  3. From the Interface ID drop-down list, select an interface ID number.
    This ID maps to a network interface during the initial configuration of the engine.
  4. From the Type drop-down list, select the interface type.
  5. If the type is Aggregated Link, select one or more other interfaces that belong to the aggregated link.
    • For an aggregated link in high availability mode, select an interface ID from the Second Interface ID drop-down list.
    • For an aggregated link in load balancing mode, click Add to add one or more interface IDs to the Additional Interface(s) list.
  6. Leave Packet Dispatch selected as the CVI Mode, then enter a MAC Address with an even number as the first octet.
    Important: This MAC address must not belong to any actual network card on any of the nodes.
    • Packet Dispatch is the primary clustering mode in new installations.
    • Different CVI modes can be used for different interfaces of a Firewall Cluster without limitations.
    Note: All CVI addresses that are defined for the same physical interface must use the same unicast MAC address. The dispatcher nodes use the MAC address you define here. Other nodes use their network card’s MAC address.
  7. (Optional) In the MTU field, enter the MTU value if this link requires a lower MTU than the Ethernet-default 1500.
  8. Click OK.
  9. Click Save.
    Do not close the Engine Editor.
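The MAC address rules in step 6 (an even first octet, which is the unicast I/G bit being clear, and no collision with a real network card on any node) can be checked before you click OK. The following Python validator is an added example, not code from the product or from this procedure; the node NIC addresses are constructed sample values, and the locally administered (U/L bit) helper is an advisory that goes beyond what the procedure itself requires.

```python
import re

# Constructed sample values: the MAC addresses of the real network cards on the
# cluster nodes, as you would collect them on the Cluster installation worksheet.
NODE_NIC_MACS = [
    "00:50:56:01:02:03",  # node 1
    "00:50:56:01:02:04",  # node 2
    "00:50:56:01:02:05",  # node 3
]


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return 6 raw bytes."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return bytes.fromhex(hexdigits)


def cvi_mac_errors(cvi_mac, node_nic_macs):
    """Return the list of reasons the address is NOT usable as a Packet Dispatch CVI MAC.

    An empty list means the address satisfies the rules of step 6.
    """
    errors = []
    raw = normalize_mac(cvi_mac)
    first_octet = raw[0]
    # Bit 0 of the first octet is the I/G bit: 0 = unicast, 1 = multicast/broadcast.
    # "Even number as the first octet" in the procedure is exactly this bit being clear.
    if first_octet & 0x01:
        errors.append("first octet is odd: multicast/broadcast address, CVI needs unicast")
    if raw == b"\x00" * 6:
        errors.append("all-zero MAC address is not usable")
    # The address must not belong to any actual network card on any of the nodes.
    if raw in {normalize_mac(m) for m in node_nic_macs}:
        errors.append("address belongs to a real network card on a cluster node")
    return errors


def is_locally_administered(mac):
    """Advisory: bit 1 of the first octet is the U/L bit; a locally administered address
    (bit set) cannot collide with a vendor-assigned OUI. Not required by the procedure."""
    return bool(normalize_mac(mac)[0] & 0x02)


if __name__ == "__main__":
    for candidate in ("02:00:5e:00:00:01", "01:00:5e:00:00:01", "00-50-56-01-02-04"):
        print(candidate, cvi_mac_errors(candidate, NODE_NIC_MACS) or "OK",
              "locally administered" if is_locally_administered(candidate) else "vendor OUI")
```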

Result

The layer 3 physical interface is added to the interface list.

Next steps

Add VLAN interfaces or IP addresses to the layer 3 physical interface.