Network Interface Configuration

The Interfaces section displays all physical and virtual network interfaces existing in the system and allows you to modify their settings and add VLAN interfaces. All interfaces of each cluster node are displayed here. The interface settings are node-specific --- that is, they are not global.

Using the Edit button, you can modify the settings for a network interface:

  • Enable or disable the interface

  • Specify the interface type as Layer 3 or Mirror. An interface operating in the Layer 3 mode can be assigned an IP address and used in firewall rules, content filtering, and other rules. This is the standard operating mode of a network interface. An interface operating in the Mirror mode can receive traffic from a SPAN port of network equipment for subsequent analysis.

  • Assign a zone to the interface

  • Assign a Netflow profile to send statistics to a Netflow collector.

  • Assign a profile for sending data using the Link Layer Discovery Protocol (LLDP). Available only for adapter-type interfaces.

  • Assign an alias, which is an additional identifier for an interface. This optional setting is used for working with SNMP.

  • Modify the physical parameters of the interface, such as the MAC address and MTU size.

  • Select the IP address assignment type: no address, a static IP address, or a dynamic IP address obtained using DHCP.

  • Configure DHCP relay for the selected interface. To do this, you need to enable DHCP relay, enter the IP address of the interface on which the relay is added in the UserGate address field, and specify one or more DHCP servers where client DHCP requests are to be forwarded.

Using the Add button, you can add the following logical interface types:

  • VLAN

  • Bond

  • Bridge

  • PPPoE

  • VPN

  • Tunnel

Creating a VLAN Interface

Using the Add VLAN button, the administrator can create sub-interfaces. To create a VLAN, provide the following settings:

Enabled

Enables the VLAN.

Name

The VLAN name. Assigned automatically based on the physical port name and the VLAN tag.

Description

An optional interface description.

Type

Specify the interface type as Layer 3 or Mirror. An interface operating in the Layer 3 mode can be assigned an IP address and used in firewall rules, content filtering, and other rules. This is the standard operating mode of a network interface. An interface operating in the Mirror mode can receive traffic from a SPAN port of network equipment for subsequent analysis.

VLAN tag

The sub-interface number. Up to 4094 interfaces can be created.

Node name

The node name in the cluster where this VLAN is being created.

Interface

The physical interface on which the VLAN is being created.

Zone

The zone to which the VLAN belongs.

Netflow profile

The Netflow profile to send statistical data to the Netflow collector. You can read about Netflow profiles in the Netflow Profiles chapter.

Alias

An alternative interface name assigned by the administrator. This optional setting is used for working with SNMP. The value is a string with a length of up to 64 characters.

Important! Cyrillic characters are not allowed in the value.

Networking

The IP address assignment method: no address, a static IP address, or a dynamic IP address obtained using DHCP.

DHCP relay

Configure DHCP relay for a VLAN interface. Enable DHCP relay, enter the IP address of the interface on which the relay function is added in the UserGate address field, and specify one or more DHCP servers where client DHCP requests are to be forwarded.

Bonding Network Interfaces

Using the Add bond button, the administrator can bond several physical network interfaces into a single aggregated logical interface to increase the bandwidth or provide high availability. To create a bond, provide the following settings:

Enabled

Enables the bond.

Name

The bond name.

Node name

The NGFW cluster node on which the bond will be created.

Zone

The zone to which the bond belongs.

Netflow profile

The Netflow profile to send statistical data to the Netflow collector. You can read about Netflow profiles in the Netflow Profiles chapter.

Alias

An alternative interface name assigned by the administrator. This optional setting is used for working with SNMP. The value is a string with a length of up to 64 characters.

Important! Cyrillic characters are not allowed in the value.

Interfaces

One or more network interfaces that will be used to create the bond.

Aggregation mode

The aggregation mode must match the operating mode for the device to which the bond is connected. The options are:

  • Round robin. Packets are sent consecutively, starting from the first available slave and continuing to the last one. This policy is used to provide load balancing and high availability.

  • Active backup. Only one network interface in the bond will be active. Another slave interface can become active only if the currently active interface fails. With this policy, the MAC address of the bond interface is only visible externally through one network port to avoid problems with the switch. This policy is used for high availability.

  • XOR. Transmission is distributed between the slave interfaces using the formula: [( XOR ) MOD ]. This means that the same NIC sends packets to the same recipients. Optionally, the transmission allocation can also be based on the xmit_hash policy. The XOR policy is used to provide load balancing and high availability.

  • Broadcast. Transmits everything on all network interfaces. This policy is used for high availability.

  • IEEE 802.3ad. The default mode, supported by most network switches. Creates aggregated groups of NICs with identical speed and duplex settings. When combined like this, all links in the active aggregation participate in transmission as per IEEE 802.3ad. The choice of interface for packet transmission is determined by the policy. By default, the XOR policy is used, with the xmit_hash policy as a possible alternative.

  • Adaptive transmit load balancing. The outgoing traffic is distributed depending on the load on each slave interface (determined by the download speed). No additional configuration on the switch is required. The incoming traffic is received by the current network card. If this card fails, another card assumes the MAC address of the failed one.

  • Adaptive load balancing. Includes the previous policy plus incoming traffic balancing. No additional configuration on the switch is required. The incoming traffic is balanced through ARP negotiation. The driver intercepts ARP responses sent from the local NICs to the outside and overwrites the source MAC address with one of the unique MAC addresses of the NIC in the bond. Thus, different peers use different server MAC addresses. The incoming traffic is balanced sequentially (round-robin) among the interfaces.

MII monitoring period (msec)

Sets the MII monitoring period in milliseconds. Determines how often the link state will be checked for failures. The default value of 0 disables MII monitoring.

Down delay (msec)

Sets the delay in milliseconds before disabling the interface on a connection failure. This option is only valid for MII monitoring (miimon). The parameter value must be a multiple of miimon, otherwise it will be rounded to the nearest multiple. Default value: 0.

Up delay (msec)

Sets the delay in milliseconds before bringing up the link on discovering that it has been restored. This parameter is only valid with MII monitoring (miimon). The parameter value must be a multiple of miimon, otherwise it will be rounded to the nearest multiple. Default value: 0.

LACP rate

Determines the interval between LACPDU packets sent by the partner in the 802.3ad mode. Enumerated options:

  • Slow: requests that the partner send LACPDU packets every 30 seconds.

  • Fast: requests that the partner send LACPDU packets every second.

Failover MAC

Determines how MAC addresses will be assigned to the bonded slaves in the active-backup mode on switching between slaves. The normal behavior is to use the same MAC address on all slaves. Enumerated options:

  • Disabled: sets the identical MAC address on all slaves during the switching process.

  • Active: the MAC address on the bond interface will always be identical to that on the currently active slave. The MAC addresses on the backup interfaces are not changed. The MAC address on the bond interface changes during the failover processing.

  • Follow: the MAC address on the bond interface will be the same as that on the first slave added to the bond. This MAC is not set on the second and subsequent interfaces while they are in backup mode. That MAC address gets assigned during a failover: when a backup slave interface becomes active, it assumes a new MAC (the one on the bond interface), and the formerly active slave is assigned the MAC that the currently active one used to have.

Xmit hash policy

Determines the hash policy for packet transmission via bonded interfaces in the XOR or IEEE 802.3ad modes. Enumerated options:

  • Layer 2: only MAC addresses are used for hash generation. With this algorithm, the traffic for a particular network host is always sent over the same interface. This algorithm is compatible with IEEE 802.3ad.

  • Layer 2+3: both MAC and IP addresses are used for hash generation. This algorithm is compatible with IEEE 802.3ad.

  • Layer 3+4: IP addresses and transport-layer protocols (TCP or UDP) are used for hash generation. This algorithm is not universally compatible with IEEE 802.3ad, as both fragmented and non-fragmented packets can be transmitted within a single TCP or UDP interaction. Fragmented packets lack the source and destination ports. As a result, packets from the same session can reach the recipient in an order other than the intended one because they are sent via different slaves.
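To make the fragmentation caveat concrete, here is an added illustration (not UserGate code) that models the three hash policies with the formulas given in the Linux kernel bonding documentation; the NGFW's own implementation is not described on this page, and the sample flow, MAC addresses and 2-slave bond are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ETH_P_IP = 0x0800  # EtherType for IPv4 (the "packet type ID" term of the formulas)


@dataclass(frozen=True)
class Packet:
    src_mac: int
    dst_mac: int
    src_ip: int
    dst_ip: int
    # Transport ports. None models a non-first IP fragment: only the first
    # fragment carries the TCP/UDP header, so later ones have no ports.
    sport: Optional[int] = None
    dport: Optional[int] = None
    ethertype: int = ETH_P_IP


def _fold(h: int) -> int:
    """Fold high bits into the low ones, as in the layer2+3 / layer3+4 formulas."""
    h ^= h >> 16
    h ^= h >> 8
    return h


def xmit_hash(pkt: Packet, policy: str) -> int:
    """Unreduced transmit hash for the given xmit_hash policy."""
    l2 = pkt.src_mac ^ pkt.dst_mac ^ pkt.ethertype
    if policy == "layer2":
        return l2
    if policy == "layer2+3":
        return _fold(l2 ^ pkt.src_ip ^ pkt.dst_ip)
    if policy == "layer3+4":
        # Ports are omitted for fragments (and non-TCP/UDP traffic), so a later
        # fragment of a flow does not hash like its first fragment.
        l4 = 0 if pkt.sport is None else (pkt.sport ^ pkt.dport)
        return _fold(l4 ^ pkt.src_ip ^ pkt.dst_ip)
    raise ValueError(f"unknown xmit hash policy {policy!r}")


def select_slave(pkt: Packet, policy: str, slave_count: int) -> int:
    """Index of the slave that transmits pkt: hash modulo slave count."""
    return xmit_hash(pkt, policy) % slave_count


# Constructed sample flow 10.0.0.5:51000 -> 192.168.1.10:443 on a 2-slave bond.
FIRST_FRAGMENT = Packet(src_mac=0x001122334455, dst_mac=0x66778899AABB,
                        src_ip=0x0A000005, dst_ip=0xC0A8010A,
                        sport=51000, dport=443)
LATER_FRAGMENT = Packet(src_mac=0x001122334455, dst_mac=0x66778899AABB,
                        src_ip=0x0A000005, dst_ip=0xC0A8010A)  # ports absent


def fragments_may_reorder(policy: str, slave_count: int = 2) -> bool:
    """True when the sample flow's fragments would leave on different slaves."""
    return (select_slave(FIRST_FRAGMENT, policy, slave_count)
            != select_slave(LATER_FRAGMENT, policy, slave_count))


if __name__ == "__main__":
    for policy in ("layer2", "layer2+3", "layer3+4"):
        print(policy, select_slave(FIRST_FRAGMENT, policy, 2),
              select_slave(LATER_FRAGMENT, policy, 2))
```

With these inputs only layer3+4 sends the later fragment out of a different slave than the first, which is the reordering the text warns about.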

Networking

The IP address assignment method: no address, a static IP address, or a dynamic IP address obtained using DHCP.

DHCP relay

This is used to configure DHCP relay for the bond interface. Enable DHCP relay, enter the IP address of the interface on which the relay function is added in the UserGate address field, and specify one or more DHCP servers where client DHCP requests are to be forwarded.

Interface Bridging

A network bridge works at the link layer (L2) of the OSI networking model. When the bridge receives a network frame, it checks the frame's MAC address and, if the MAC does not belong to the same subnet, passes (forwards) this frame to the network segment for which it was destined; if the frame belongs to the same subnet, the bridge does nothing.

An interface bridge can be used in NGFW like a regular network interface. Moreover, you can use a bridge to configure in-transit content filtering at L2 without introducing any changes to the corporate IT infrastructure. The simplest schema for using NGFW as an L2 content filtering solution looks like this:

Figure 4 - Using a bridge

When creating a bridge, you can specify the operating mode for it as Layer 2 or Layer 3.

Note: You cannot use L2 and L3 bridges on NGFW devices at the same time. This is an architectural limitation.

If Layer 2 is selected, the bridge does not need to be assigned an IP address, routes, or gateways for it to work correctly. In this mode, the bridge works at the MAC address level by forwarding packets from one network segment to another. SCADA and Mail security rules cannot be used in this scenario, but content filtering works.

Important! The DNS filtering and L2 bridge functionality are not compatible in the current version: when DNS filtering is enabled, DNS requests stop passing through the bridge.

If Layer 3 is selected, you need to assign the bridge an IP address and specify routes in networks connected to the bridge's interfaces. In this mode, all filtering mechanisms available in NGFW can be used.

If the bridge is created on an NGFW HSC equipped with a network card that supports the bypass mode, you can combine two interfaces into a bypass bridge. A bypass bridge automatically switches the two selected interfaces to the bypass mode (wiring them together so that all traffic bypasses NGFW) if:

  • The NGFW HSC is powered off.

  • The self-diagnostics system has encountered a runtime problem in NGFW software.

For more details on the network interfaces that support the bypass mode, see the NGFW HSC hardware specifications.

Using the Add bridge button, the administrator can combine several physical interfaces into a new type of interface, a bridge. Provide the following settings:

Enabled

Enables the interface bridge.

Name

The interface name.

Node name

The NGFW cluster node on which the interface bridge is being created.

Type

Specify the interface type as Layer 3 or Layer 2.

Zone

The zone to which the interface bridge belongs.

Netflow profile

The Netflow profile to send statistical data to the Netflow collector. You can read about Netflow profiles in the Netflow Profiles chapter.

Alias

An alternative interface name assigned by the administrator. This optional setting is used for working with SNMP. The value is a string with a length of up to 64 characters.

Important! Cyrillic characters are not allowed in the value.

Bridge interfaces

The two interfaces that will be used to build the bridge.

Bypass bridge interfaces

The interface pair that will be used to build a bypass bridge. NGFW HSC support is required.

STP (Spanning Tree Protocol)

Enables the use of STP to prevent network loops.

Forward delay

The delay before the bridge switches to the active (forwarding) mode if STP is enabled.

Maximum age

The time after which an STP connection is considered lost.

Networking

The IP address assignment method: no address, a static IP address, or a dynamic IP address obtained using DHCP.

DHCP relay

This is used to configure DHCP relay for the bridge interface. Enable DHCP relay, enter the IP address of the interface on which the relay function is added in the UserGate address field, and specify one or more DHCP servers where client DHCP requests are to be forwarded.

PPPoE Interface

PPPoE (Point-to-point protocol over Ethernet) is a link-layer network protocol for PPP frame transmission via Ethernet. Using the Add button, the administrator can create a PPPoE interface by selecting Add PPPoE. To create the interface, provide the following settings:

Enabled

Enables the PPPoE interface.

Node name

The NGFW cluster node on which the PPPoE interface is being created.

Interface

Specify the network interface on which the PPPoE interface will be created.

Zone

The zone to which the PPPoE interface belongs.

Netflow profile

The Netflow profile to send statistical data to the Netflow collector. You can read about Netflow profiles in the Netflow Profiles chapter.

Alias

An alternative interface name assigned by the administrator. This optional setting is used for working with SNMP. The value is a string with a length of up to 64 characters.

Important! Cyrillic characters are not allowed in the value.

MTU

The MTU size. The default is 1492 bytes, which keeps the PPPoE-encapsulated frame within the standard Ethernet frame size.

Login name

The username for the PPPoE connection.

Password

The password for the PPPoE connection.

Persist connection

Enables automatic reconnection on connection loss.

Authentication type

The authentication protocols used in PPP:

  • CHAP: Challenge Handshake Authentication Protocol, an authentication protocol with a three-way handshake. The user password itself is never transmitted; the client sends a value derived from the password and the server's challenge instead.

  • PAP: Password Authentication Protocol, a simple authentication protocol that involves transmitting the username and password to the remote access server in plain text (without encryption).
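Added illustration, not UserGate code: the CHAP exchange from RFC 1994 beside the PAP request from RFC 1334, with a constructed login name and secret, showing that CHAP never puts the password on the link while PAP does.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ChapChallenge:
    identifier: int   # one-byte packet identifier that ties a response to this challenge
    value: bytes      # random challenge chosen by the access server


@dataclass(frozen=True)
class ChapResponse:
    identifier: int
    value: bytes      # 16-byte MD5 digest, never the secret itself
    name: str         # login name, sent in clear in both CHAP and PAP


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def server_challenge(identifier: int, length: int = 16) -> ChapChallenge:
    """Step 1: the access server sends a fresh random challenge."""
    return ChapChallenge(identifier, os.urandom(length))


def client_respond(ch: ChapChallenge, name: str, secret: bytes) -> ChapResponse:
    """Step 2: the client answers with the derived digest, not the password."""
    return ChapResponse(ch.identifier, chap_digest(ch.identifier, secret, ch.value), name)


def server_verify(ch: ChapChallenge, resp: ChapResponse, secrets: dict) -> bool:
    """Step 3: the server recomputes the digest from its own copy of the secret."""
    secret = secrets.get(resp.name)
    if secret is None or resp.identifier != ch.identifier:
        return False
    return hmac.compare_digest(resp.value, chap_digest(ch.identifier, secret, ch.value))


def chap_wire(resp: ChapResponse) -> bytes:
    """What a CHAP Response carries on the link: id, value length, value, name."""
    return bytes([resp.identifier & 0xFF, len(resp.value)]) + resp.value + resp.name.encode()


def pap_wire(name: str, password: bytes) -> bytes:
    """What a PAP Authenticate-Request carries: both fields in plain text."""
    n, p = name.encode(), password
    return bytes([len(n)]) + n + bytes([len(p)]) + p


if __name__ == "__main__":
    db = {"user@isp": b"correct horse"}          # constructed server-side secret
    ch = server_challenge(identifier=1)
    resp = client_respond(ch, "user@isp", db["user@isp"])
    print("CHAP verified:", server_verify(ch, resp, db))
    print("password visible in CHAP bytes:", db["user@isp"] in chap_wire(resp))
    print("password visible in PAP bytes:", db["user@isp"] in pap_wire("user@isp", db["user@isp"]))
```

A captured CHAP response is also useless against a later challenge, since the server's fresh random value changes the digest.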

Holdoff interval (sec.)

The time interval in seconds before re-connecting on a connection loss.

Default route

Sets the PPPoE interface as the default route.

LCP echo interval (sec.)

The time interval between periodic connection checks.

Number of LCP echo failures

The number of LCP echo failures after which NGFW considers the connection lost and terminates it.

Use provider's DNS

If this option is enabled, NGFW uses your provider's DNS servers.

Number of connection attempts

The number of failed connection attempts after which the automatic retries will stop.

PPPoE service

The service name should be specified here if given to you by the provider. If a service name is not used, the field should be left empty.

VPN Interface

A VPN interface is a virtual network adapter used to connect VPN clients. It is a cluster-type interface, which means that it is created automatically on all NGFW nodes included in a configuration cluster. If an HA cluster exists and a problem is detected on the active server, VPN clients are switched automatically to a backup server without terminating their existing VPN connections.

In the Network ➜ Interfaces section, click Add and select Add VPN. Provide the following settings:

Name

The interface name. Should be in the form of tunnelN, where N is the ordinal number of the VPN interface.

Description

Interface description.

Zone

The zone to which this interface will belong. All clients with a VPN connection to NGFW will be placed in the same zone.

Netflow profile

The Netflow profile to send statistical data to the Netflow collector. You can read about Netflow profiles in the Netflow Profiles chapter.

Alias

An alternative interface name assigned by the administrator. This optional setting is used for working with SNMP. The value is a string with a length of up to 64 characters.

Important! Cyrillic characters are not allowed in the value.

Aggregation mode

The IP address assignment type. The options are no address, a static IP address, or a dynamic IP address obtained using DHCP. If the interface is to be used for accepting VPN connections (Site-to-Site VPN or Remote access VPN), a static IP address must be used. To use an interface as a client, select the dynamic mode.

MTU

The MTU size for the selected interface.

The system has three predefined VPN interfaces by default:

  • tunnel1, recommended for a Remote access VPN

  • tunnel2, recommended for the server side of a Site-to-Site VPN

  • tunnel3, recommended for the client side of a Site-to-Site VPN.

Tunnel Interface

A tunnel interface is a virtual network adapter that can be used to create a point-to-point connection via an IP network. The following types of tunnel interfaces are supported:

  • GRE: a network packet tunneling protocol developed by Cisco Systems. Its main purpose is to encapsulate network layer packets into IP packets. The IP protocol number is 47.

  • IPIP: an IP tunneling protocol that encapsulates an IP packet inside another IP packet. The encapsulation adds an outer header whose source IP is the tunnel entry point and whose destination IP is the tunnel exit point.

  • VXLAN: a protocol for tunneling Layer 2 Ethernet frames into UDP packets. Uses port 4789.

To create a tunnel interface, in the Network ➜ Interfaces section, click Add and select Add tunnel. Provide the following settings:

Enabled

Enable or disable the interface.

Name

The interface name. Should be in the form greN, where N is the ordinal number of the tunnel interface.

Description

Interface description.

Zone

The zone to which this interface will belong.

Alias

An alternative interface name assigned by the administrator. This optional setting is used for working with SNMP. The value is a string with a length of up to 64 characters.

Important! Cyrillic characters are not allowed in the value.

Aggregation mode

The tunnel's operating mode: GRE, IPIP, or VXLAN.

MTU

The MTU size for the selected interface.

Local IP

The local address of the point-to-point interface.

Remote IP

The remote address of the point-to-point interface.

Interface IP

The IP address assigned to the tunnel interface.

VXLAN ID

The VXLAN ID. Relevant only for a VXLAN tunnel.

Loopback Interface

To create a loopback interface, in the Network ➜ Interfaces section, click Add and select Add loopback interface. Provide the following settings:

Enabled

Enables the interface.

Name

Interface name in the loopbackN form, where N is an integer.

Description

An optional interface description.

Node name

Select an NGFW cluster node where the interface is created.

Type

Specify the interface type as Layer 3 or Layer 2.

Zone

The zone to which the interface belongs.

Netflow profile

The Netflow profile to send statistical data to the Netflow collector. You can read about Netflow profiles in the Netflow Profiles chapter.

LLDP profile

The LLDP profile used to send data via the Link Layer Discovery Protocol (LLDP).

Alias

An alternative interface name assigned by the administrator. This optional setting is used for working with SNMP. The value is a string with a length of up to 64 characters.

Important! Cyrillic characters are not allowed in the value.

Networking

The IP address assignment method: no address, a static IP address, or a dynamic IP address obtained using DHCP.

DHCP relay

Settings for the DHCP relay on the interface. Enable DHCP relay, enter the IP address of the interface on which the relay function is added in the UserGate address field, and specify one or more DHCP servers where client DHCP requests are to be forwarded.