Working with Interface Definitions

The General tab defines the network connections associated with an interface.

One or more of these properties show, depending on the context.

• Interface: Select a physical interface from the list (physical interfaces only).

• VLAN Tag: VLAN tag associated with the defined interface.

• IP Address and Net Mask: IP address and net mask of the device associated with the interface.

• Propagate route to adjacent Virtual Devices: Enable to "advertise" the associated device to neighboring devices, thereby enabling connectivity between them. See VSX Routing Concepts.

• MTU: Maximum transmission unit size in bytes (default = 1,500).

The General tab for interface connections leading to Virtual Routers or Virtual Switches contains connection properties specific to those Virtual Devices.

• Leads to: Select a Virtual Router Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical router. Acronym: VR. or Virtual Switch Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical switch. Acronym: VSW..

• Enter the dedicated Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS.IP address for this interface.

• The Net Mask property is always defined as 255.255.255.255 for IPv4 and /128 for IPv6.

• Propagate route to adjacent Virtual Devices: Enable to "advertise" the associated device to neighboring devices, thereby enabling connectivity between them. See VSX Routing Concepts.

• MTU: Maximum transmission unit size in bytes (default = 1,500).

  The minimum and maximum MTU values are:

  • IPv6 MTU: 1280 - 16000

  • IPv4 MTU: 68 - 16000

For some interface types, you can change some or all of these topology properties:

• External: The interface leads to external networks or to the Internet.

• Internal: The interface leads to internal networks or a DMZ:

  • Not Defined: All IP addresses behind this interface are considered a part of the internal network that connects to this interface.

  • Network defined by the interface IP and Net Mask: Only the network that directly connects to this internal interface.

  • Network defined by routes: The Virtual System dynamically calculates the topology for this interface.

    Note - To see this option, you must clear the option Calculate topology automatically based on routing information in the Virtual System object.

  • Specific: A specific object (a Host, a Network, a Network Group, an Address Range).

  • Interface leads to DMZ: Defines an interface as leading to a DMZ, which isolates a vulnerable, externally accessible resource from the rest of a protected, internal network.

Attackers can gain access to protected networks by falsifying or "spoofing" a trusted source IP address with high access privileges. It is important to configure Anti-Spoofing protection for VSX Gateways and Virtual Systems, including internal interfaces. You can configure Anti-Spoofing for an interface, provided that the topology for the interface is properly defined.

If you are using dynamic routing, disable the Calculate topology automatically based on routing information option, and manually configure the topology of the Virtual System.

To enable Anti-Spoofing for an interface:

1. From the Topology tab in the Interface Properties window, select Perform Anti-Spoofing based on interface topology.

2. Configure the tracking options.

IP multicast applications send one copy of each datagram (IP packet) and address it to a group of computers that wish to receive it. Multicast restrictions allow you to define rules that block outbound datagrams from specific multicast groups (IP address ranges). You can define multicast access restrictions for physical and Warp interfaces in a VSX environment.

To enable multicast restrictions:

1. From the Multicast Restrictions tab in the Interface Properties window, select Drop multicast packets by the following conditions.

1. Select a restriction type:

   • Drop multicast packets whose destination is in the list

   • Drop all multicast packets except those whose destination is in the list

2. Click Add.

   The Add Object window opens.

3. Click New > Multicast Address Range.

   The Multicast Address Range Properties window opens.

4. Configure these settings:

   • Name

   • Type

   • If you selected IP Address Range, enter the First and Last IP addresses.

5. Click OK.

6. From the Interface Properties window, select a tracking option.

7. Click OK and close the General Properties window.

8. Add a rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. to the Access Control Policy that allows traffic for the specified multicast groups.