System communication interfaces for Master NGFW Engines
Physical Interfaces correspond to network ports on the Master NGFW Engine. By default, the numbering of the Physical Interfaces in the Management Client corresponds to the operating system interface numbering on the engine. For example, Interface ID 0 is mapped to eth0, and Interface ID 1 is mapped to eth1. However, the mapping is not fixed and you can change it through the NGFW Engine command line.
The types of Physical Interfaces that you can define for the Master NGFW Engine system communications depend on the role of the hosted Virtual NGFW Engines:
| Role | Interface Type | Explanation |
|---|---|---|
| Virtual Firewall | None | Corresponds to a single network interface on the Master NGFW Engine appliance. |
| Aggregated Link in High Availability Mode | Represents two interfaces on the Master NGFW Engine appliance. Only the first interface in the aggregated link is actively used. The second interface becomes active only if the first interface fails. If you configure an Aggregated Link in High Availability mode, connect the first interface to one switch and the second interface to another switch. |
|
| Aggregated Link in Load Balancing Mode | Represents up to eight interfaces on the Master NGFW Engine appliance. All interfaces in the aggregated link are actively used and connections are automatically balanced between the interfaces. Link aggregation in the Load Balancing Mode is implemented based on the IEEE 802.3ad Link Aggregation standard. If you configure an Aggregated Link in Load Balancing Mode, connect all interfaces to a single switch. Make sure that the switch supports the Link Aggregation Control Protocol (LACP) and that LACP is configured on the switch. |
|
| Virtual IPS | Normal Interface | Corresponds to a single network interface on the Master NGFW Engine appliance. Only Normal Interfaces can be used for Master NGFW Engine system communications when the hosted Virtual NGFW Engines are in the Virtual IPS role. |
| Virtual Layer 2 Firewall | Normal Interface | Corresponds to a single network interface on the Master NGFW Engine appliance. Only Normal Interfaces can be used for Master NGFW Engine system communications when the hosted Virtual NGFW Engines are in the Virtual Layer 2 Firewall role. |
If the Master NGFW Engine is a cluster, it is recommended to add at least two layer 3 Physical Interfaces for the Master NGFW Engine:
- An interface for communications between the Management Server and the Master NGFW Engine. Note: We recommend that you do not use the IP address of an Aggregated Link interface as the primary or secondary control IP address of the NGFW Engine.
- An interface for the heartbeat communications between the Master NGFW Engine nodes. The heartbeat traffic is critical to the functioning of the cluster, so it is highly recommended to have a dedicated physical
interface as the heartbeat interface.
You cannot use a shared interface as a heartbeat interface.