Types of interfaces for Master NGFW Engines in the Firewall/VPN role

You can configure several types of interfaces for Master NGFW Engines in the Firewall/VPN role.

Table 1. Types of interfaces for Master NGFW Engines in the Firewall/VPN role
Interface type	Purpose of interface	Limitations
Layer 3 physical	System communications and traffic inspection.	You cannot add both VLAN Interfaces and IP addresses to a Physical Interface. If an IP address is already configured for a Physical Interface, adding a VLAN Interface removes the IP address. If you plan to use VLAN Interfaces, configure the VLAN Interfaces first and then add IP addresses to the VLAN Interfaces.
Layer 2 physical	Traffic inspection. Layer 2 interfaces on Master NGFW Engines in the Firewall/VPN role allow the engine to provide the same kind of traffic inspection that is available for Master NGFW Engines in the IPS and Layer 2 Firewall roles.	You cannot add IP addresses to layer 2 physical interfaces on Master NGFW Engines in the Firewall/VPN role. VLAN retagging is not supported on layer 2 physical interfaces of the inline IPS type.
VLAN	Divides a single physical interface into several virtual interfaces.	You cannot add VLAN interfaces on top of other VLAN Interfaces (nested VLANs).