Configuring the Local Network

The Device view > Network section > Local Network page lets you set and enable the local network connections, switches, bridge or wireless network (on wireless devices only).

A bridge connects two or more local area networks (LANs). A switch is similar to a bridge but can perform data transmission between multiple port pairs at the same time.

Note - You can only configure a bridge between two unassigned interfaces.

The Network table shows all available network connections.

The page also lets you:

  • Configure multiple switches (port based VLANs) between the available local LAN interfaces and wireless networks. You can create tag-based VLANs under separate LAN ports and DMZ or under a LAN switch. Traffic is not monitored or inspected between the LAN ports of a switch.

  • Configure multiple bridges between interfaces. Traffic in a bridge is always monitored and inspected by the appliance.

  • Create and configure tag based VLANs (802.1q) on any of the LAN interfaces or DMZ.

    Note - DMZ is not supported in 1530 / 1550 appliances.

  • Create an alias IP. With an alias IP, you can associate more than one IP address to a network interface. A single network device can have multiple connections to a network.

  • Create and configure VPN tunnels (VTI). A VTI can be used in routing rules that determine which traffic is routed through the tunnel and is therefore encrypted (Route Based VPN).

  • Create a BOND (Link Aggregation) between two or more interfaces. This improves performance and redundancy by increasing the network throughput and bandwidth. The LAN Bond can be an unassigned network.

  • On wireless devices - Add new wireless networks (Virtual Access Points). This can also be done through the Device > Wireless page.

    There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter.

You can also use unassigned LAN ports to create an internet connection. In the table, these ports have the status Assigned to Internet.

Notes:

  • LAN ports assigned to internet connections can only be disabled from the Internet page.

  • You cannot edit a LAN port assigned to an internet connection. When you click Edit, the window opens, but when you click Apply, a warning shows that this deletes the connection.

  • When you create a bridge or switch, these LAN ports do not appear in the selection box as optional ports.

  • You cannot disable one of the switch ports. You can disable the switch or configure the requested port as unassigned.

To create any of the above options:

Click New and select the option you want.

To edit/delete/enable/disable any of the above options:

Select the relevant row and click Edit/Delete/Enable/Disable.

Notes:

  • Physical interfaces cannot be deleted.

  • Editing an interface that is part of a switch or a bridge lets you remove it from the switch or bridge.

  • When a LAN or DMZ interface is part of an Internet connection, it is still visible on this page, but can only be configured through the Device > Internet page.

  • You must enable IPv6 in the System Operations tab.

For each network, the table on this page shows you:

  • Name - Name of the network, interfaces that participate (if there are multiple interfaces), and a description (optional)

  • Local IP Address

  • Subnet Mask

  • MAC Address

  • Status - Shows a status for physical interfaces and wireless networks:

    • Physical interfaces - Shows cable connection status of each physical interface that is enabled. Otherwise, it shows disabled.

    • Wireless networks - Shows if the wireless network is up or disabled.

Reserved IP Address for Specific MAC

You can configure your network so that IP addresses are assigned only for known hosts. Known hosts are already defined as network objects and a specific MAC address is assigned to the IP. Other hosts' DHCP requests are ignored.

To configure:

  1. Select the specific LAN name and click Edit or double-click the LAN name.

    The Edit LAN window opens.

  2. In the Configuration tab, click Enabled under DHCPv4 Server.

  3. In the DHCPv4 Settings tab, enter the DHCP domain name and click the checkbox for Assign IP addresses for known host only.

  4. Click Apply.

Switch

A LAN Switch is a group of LAN ports (for example, LAN2, LAN3, LAN5) that are grouped together and represented by the "pivot" port (the port with lowest index, LAN2 in this example).

Note - Between the LAN ports of a switch, traffic is not monitored or inspected.

To create/edit a switch configure the fields in the tabs:

The 'Configuration' tab

  1. In Switch Configuration, select or clear the interfaces you want to be part of the switch. The table shows you which interfaces are already part of the switch (shown with checkmarks in the table) and which interfaces are not assigned yet and can be added to the switch (empty checkboxes in the table). For example, if LAN8 is already part of another switch, it does not show in this table.

  2. From Assigned to, select an option:

    • Unassigned - The switch is not part of any network and cannot be used

    • Separate network - When you select a separate network, configure the settings for the switch

    • Monitor Mode - See Monitor Mode

  3. Choose the IP address and Subnet mask the switch uses.

  4. Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface.

    You define the Hotspot configuration in the Device > Hotspot page.

  5. In DHCPv4 Server:

    Select one of the options:

    • Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specified IP addresses if you define network objects in the Users & Objects > Network Objects page. To reserve specified IP addresses, you must have the device MAC address.

    • Relay - Enter the DHCP server IP address. You can also enter a Secondary, Tertiary, and Quaternary DHCP server IP address.

    • Disabled
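The DHCPv4 Server options above (range, exclude range, the appliance's own IP excluded automatically, reservations from network objects) and the "Assign IP addresses for known host only" setting from the Reserved IP Address for Specific MAC section interact; this added Python model (not appliance code) shows one consistent reading of those rules. The order in which the appliance applies the checks internally is an assumption, and all MAC and IP values are constructed.

```python
"""Model of the DHCPv4 server rules described on this page (added example).

Assumptions: reservations are matched before the known-hosts-only check,
and reserved addresses are never handed out dynamically. Sample values below
are constructed, not taken from a real appliance.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DhcpV4Server:
    appliance_ip: str                  # the interface's own IP, always excluded
    range_start: str
    range_end: str
    exclude_ranges: List[Tuple[str, str]] = field(default_factory=list)
    reservations: Dict[str, str] = field(default_factory=dict)  # MAC -> IP (network objects)
    known_hosts_only: bool = False     # "Assign IP addresses for known host only"
    leases: Dict[str, str] = field(default_factory=dict)        # MAC -> IP handed out

    def _never_dynamic(self, ip: ipaddress.IPv4Address) -> bool:
        """Addresses the server must not hand out to unknown clients."""
        if ip == ipaddress.IPv4Address(self.appliance_ip):
            return True
        for start, end in self.exclude_ranges:
            if ipaddress.IPv4Address(start) <= ip <= ipaddress.IPv4Address(end):
                return True
        return str(ip) in self.reservations.values()

    def offer(self, mac: str) -> Optional[str]:
        """Return the IP offered to `mac`, or None if the request is ignored
        (unknown host in known-hosts-only mode) or the pool is exhausted."""
        mac = mac.lower()
        if mac in self.leases:                 # renewing client keeps its address
            return self.leases[mac]
        if mac in self.reservations:           # known host: reserved IP for this MAC
            self.leases[mac] = self.reservations[mac]
            return self.leases[mac]
        if self.known_hosts_only:              # DHCP requests from other hosts are ignored
            return None
        in_use = set(self.leases.values())
        ip = ipaddress.IPv4Address(self.range_start)
        end = ipaddress.IPv4Address(self.range_end)
        while ip <= end:                       # first free address in the dynamic range
            if not self._never_dynamic(ip) and str(ip) not in in_use:
                self.leases[mac] = str(ip)
                return str(ip)
            ip += 1
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: pool .1-.20, .2-.3 excluded, .4 reserved for one MAC."""
    srv = DhcpV4Server("192.168.1.1", "192.168.1.1", "192.168.1.20",
                       exclude_ranges=[("192.168.1.2", "192.168.1.3")],
                       reservations={"aa:bb:cc:dd:ee:01": "192.168.1.4"})
    strict = DhcpV4Server("192.168.1.1", "192.168.1.1", "192.168.1.20",
                          reservations={"aa:bb:cc:dd:ee:01": "192.168.1.4"},
                          known_hosts_only=True)
    return {
        "reserved_host": srv.offer("AA:BB:CC:DD:EE:01"),   # -> 192.168.1.4
        "first_unknown": srv.offer("aa:bb:cc:dd:ee:02"),   # -> 192.168.1.5 (.1-.4 skipped)
        "strict_unknown": strict.offer("aa:bb:cc:dd:ee:99"),  # -> None, ignored
        "strict_known": strict.offer("aa:bb:cc:dd:ee:01"),    # -> 192.168.1.4
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```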

IPv6 Auto Assignment for IPv6 configurations

  • SLAAC (Stateless Address Autoconfiguration) - The host selects its own full IPv6 address after it receives the IPv6 address prefix from the gateway. The appliance cannot reserve an IPv6 address for a specific host (MAC address).

    Note - The common use case is a prefix length of 64. If you change it from 64, make sure the internal hosts support the new length.

  • DHCPv6 Server - Same as the DHCPv4. You can reserve an IP address for a specified host.

  • DHCPv6 Server Relay - Same as in IPv4.

  • Disabled (Static)

WAN as LAN

In the appliance, the two SFP ports are associated with DMZ and WAN. DMZ can already be used for an internal network, but WAN is reserved for internet connections.

With this feature, you can use the WAN port, usually reserved for internet (external) connections, for LAN (internal) connections. Some users prefer using SFP (fiber) for internal networks (LAN), as it is more reliable in an environment with high electrical power.

When assigned to a LAN, the WAN port can be used for any type of internal network except for a BOND network. The WAN port (like the DMZ port) can only be used for a BOND network as part of an internet (external) network.

The WAN as LAN feature is disabled by default.

To enable WAN as LAN:

  1. Go to Device > Advanced Settings and select OS advanced settings - Enable LAN on WAN.

  2. Click Edit to change the value to true.

The Device > Local Network page now shows WAN ports included in the list of LAN and DMZ (local interfaces, switches, bridges, bonds and VLANs).

  • When used for WAN networks, the interface name of the WAN port is WAN.

  • When used for LAN networks, the interface name of the WAN port is LANW.

Note - The WAN as LAN feature is the only supported solution for users who want to connect to the Internet using LAN ports. Make sure the interface is configured correctly.

Configuration parameters for WAN as LAN are similar to DMZ.

Monitor Mode

Security Gateways can monitor traffic from a Mirror Port or Span Port on a switch.

With Monitor Mode, the appliance uses Automatic Learning or user-defined networks to identify internal and external traffic, and to enforce policy.

Automatic Learning - The appliance automatically recognizes external networks by identifying the default gateway's network from requests to the Internet (specifically, requests to Google). The rest of the networks are considered internal.

User-Defined Networks - You can manually define internal networks. If a network is not defined as internal, it is considered external.

In both Automatic Learning and user-defined networks:

To configure monitor mode in the WebUI:

  1. Go to Device > Local Network.

  2. Select an interface and double-click.

    The Edit window opens in the Configuration tab.

  3. In the Assigned To drop-down menu, select Monitor Mode.

    The Manually define internal networks checkbox shows.

  4. To use Automatic Learning, do not select Manually define internal networks and click Apply.

  5. To use your own network definitions, select Manually define internal networks.

    The network definition features and table show.

  6. Click New.

  7. Enter the network IP address.

  8. Enter the subnet. An internal network can be a 255.255.255.255 subnet, for one host.

    For example, to monitor the traffic after the router, enter the IP address of the Default Gateway and the 255.255.255.255 subnet.

  9. Click Apply.

    The Internal network you defined (with Monitor Mode in the name) shows in the list of interfaces.

Note - You can configure multiple local networks to be in monitor mode at the same time.

After you configure monitor mode:

  1. Go to Device > Advanced Settings.

  2. Turn off Anti-Spoofing.

To configure monitor mode in Gaia Clish:

  1. To define a port for Monitor Mode:

    set interface <Port Name> monitor-mode

  2. To configure Monitor Mode Automatic Learning, disable user-defined networks:

    set monitor-mode-configuration use-defined-networks false

  3. To configure Monitor Mode with user-defined networks:

    add monitor-mode-network ipv4-address <IP Address> subnet-mask <Mask>

    set monitor-mode-configuration use-defined-networks true

  4. To see user-defined Internal networks:

    show monitor-mode-network

  5. To disable Anti-Spoofing:

    set antispoofing advanced-settings global-activation false

If you do not see the Monitor Mode option:

  1. Run this command in Gaia Clish:

    set monitor-mode-configuration allow-monitor-mode true

  2. Select an interface in WebUI and click Edit.

    Monitor Mode is now added to the options list.

For more information on monitor mode, see sk112572.

Mirror Port

All traffic that goes through one or more LAN ports of the appliance can be duplicated into one designated mirror port. For example, all traffic that passes through LAN1 and LAN2 is duplicated into LAN5, which is configured as the mirror port. You can only configure one mirror port at a time.

Use Case – If an external device is connected to the mirror port, it receives all traffic that goes through LAN1/LAN2 of the appliance. This enables you to monitor traffic that goes through the appliance from the external device.

The mirror port is the opposite of the existing monitor port feature, in which the traffic from an external source such as a network switch or router goes into the (WAN) port of the appliance, so the appliance can inspect the traffic going through the external source.

To configure a mirror port:

  1. In the Device > Local Network page, select the designated mirror port and unassign it:

    1. Click Edit.

      The Edit LAN window opens.

    2. In the Configuration tab, in the Assigned to field, select Unassigned.

    3. Click Apply.

  2. In the Local Network table, select the LAN port you want to duplicate and click Edit.

    The Edit LAN window opens.

  3. In the Port Mirroring section of the Advanced tab, select the checkbox Assign to mirror port.

  4. In the Port field, select the mirror port from the drop-down menu.

  5. Click Apply.

  6. In the Local Network table, right-click the mirror port and click Enable.

  7. Repeat for each LAN port you want to duplicate in the mirror port.

Physical Interfaces

To edit a physical interface:

Configure the fields in the tabs. Note that for the DMZ there is an additional tab Access Policy:

The 'Configuration' tab

Assigned to - Select the required option:

  • Unassigned - The physical interface is not part of any network and cannot be used.

  • One of the existing configured switches or bridges

  • Separate network - When selecting a separate network configure this information:

    • IP address

    • Subnet mask

    • DHCP Server settings

      Select one of the options:

      Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device.

      Relay - Enter the DHCP server IP address.

      Disabled

Note - When you create a switch, you cannot remove the first interface inside unless you delete the switch.

The 'Advanced' tab

The options that are shown vary based on interface type and status. Configure the options that are applicable:

  • Description - Enter an optional description. The description is shown in the local network table next to the name.

  • MTU size - Configure the Maximum Transmission Unit size for an interface. Note that in the Quantum Spark Appliance, the value is global for all physical LAN and DMZ ports.

  • Disable auto negotiation - Select this option to configure manually the link speed of the interface.

  • Override default MAC address – This option is for local networks except those on VLANs and wireless networks. Use this option to override the default MAC address of the network's interface:

    • When the device has two separate local networks connected to the same external switch.

    • If the ISP is searching for the gateway MAC address to accept the connection. If you upgrade your new gateway, the ISP may block it because the new gateway has a different MAC address. In this case, you can override the gateway MAC address with the old one.

    Best Practice - This is a rare configuration. Do not select this option unless you are sure you need it.

  • Exclude from DNS proxy – Select this checkbox for any network that you do not want exposed to internal domains. In guest VAPs (wireless network for guests), this is selected by default.

The 'Access Policy' tab (only for DMZ)

These options create automatic rules that are shown in the Access Policy > Firewall Policy page.

  • Allow access from this network to local networks

  • Log traffic from this network to local networks

Bridge

Note - Bridge interface supports only two subordinate interfaces.

If you add three or more subordinate interfaces, the appliance drops the traffic through this Bridge interface with the message "IP routing failed (bridge routing failure)".

To create a bridged internet connection in a cluster, see the Configuring Internet Connectivity page > Bridged Internet Connection in a Cluster section.

To create/edit a bridge, configure the fields in the tabs:

The 'Configuration' tab

  • In Bridge Configuration, select the networks you want to be part of the bridge.

  • Enable Spanning Tree Protocol - When Spanning Tree Protocol (STP - IEEE 802.1d) is enabled, each bridge communicates with its neighboring bridges or switches to discover how they are interconnected. This information is then used to eliminate loops, while providing optimal routing of packets. STP also uses this information to provide fault tolerance, by re-computing the topology in the event that a bridge or a network link fails.

  • Enter a Name for the bridge interface. Note that you can only enter "brN" where N is a number between 0 and 9. For example, br2.

  • Select the IP address and Subnet mask.

  • Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface. Hotspot configuration is defined in the Device > Hotspot page.

  • DHCP Server

    Select one of the options:

    • Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device.

    • Relay - Enter the DHCP server IP address.

    • Disabled

The 'Advanced' tab

  • MTU size - Configure the Maximum Transmission Unit size for an interface.

  • Disable auto negotiation - Select this option to configure manually the link speed of the interface.

  • Override default MAC address – This option is for local networks except those on VLANs and wireless networks. Use this option to override the default MAC address used by the network's interface, when the device has two separate local networks connected to the same external switch.

    Best Practice - This is a rare configuration. Do not select this option unless you are sure you need it.

  • Exclude from DNS proxy – Select this checkbox for any network that you do not want exposed to internal domains. In guest VAPs (wireless network for guests), this is selected by default.

To configure Advanced IPv6 settings:

  1. Configure the Router Advertisement fields.

  2. Under Prefix Delegation, select the checkbox for Enable prefix delegation and enter the relevant information.

To configure Application Control and URL Filtering on an appliance in the Bridge Mode that uses Tag-based VLANs

Background:

Logical topology before the change:

[SWITCH] --- VLAN Trunk --- (LAN) [Appliance in Bridge Mode] (WAN) --- VLAN Trunk --- [ROUTER]

Example physical topology after the change (configuring an interface with a dummy IP address):

Configuration steps:

  1. Disconnect a cable from one of the available physical interfaces on the appliance (in our example, LAN4).

  2. Assign a random IP address to this interface.

    This can be a dummy IP address that must not be used in your internal networks.

  3. Go to the Device > Advanced Settings page. See Advanced Settings.

  4. Search for UserCheck Portal - Redirect Address

  5. Select this attribute.

  6. Click Edit.

  7. Enter the same IP address you assigned to the dedicated interface (in our example, LAN4).

  8. Click Apply.

VLANs

To create/edit a tag based VLAN:

You can create a new VLAN only if you have at least one physical interface that is not part of an existing network (switch or bridge).

Note - For more information on the maximum number of VLANs that you can configure for each appliance, refer to sk113247.

Configure the fields in the tabs:

The 'Configuration' tab

  • VLAN ID - Enter a number that is the virtual identifier.

  • Assigned to - Select the physical interface where the new virtual network is created.

  • IP address

  • Subnet mask

  • Cluster status - Starting from R81.10.15, you can configure the cluster status of the LAN connection, including the Cluster IP and Peer IP. If the interface is assigned to a separate network, you can select between Monitored or non-HA. Select High Availability to add the interface to a cluster.

  • Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface.

    You define the Hotspot configuration in the Device > Hotspot page.

  • DHCP Server settings

    Select one of the options:

    • Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device.

    • Relay - Enter the DHCP server IP address.

    • Disabled

Alias IP

With an alias IP, you can associate more than one IP address to a network interface.

  • A single network device can have multiple connections to a network.

  • A specific port is used by more than one network.

All devices are on the same network, even though they show different IPs. For example, LAN4 and LAN4:1 have different IP addresses, but are on the same network. LAN4:1 is the alias.

You can also have an alias IP for VLAN and a switch.

Use Case

A customer is migrating his device to a new subnet, but wants the host to still be able to "approach" a resource such as a printer on his old subnet during the transition period.

To configure an alias IP for WAN:

  1. Go to the Internet Connection page.

  2. Configure another static IP type connection on the same Internet port.

    Example: WAN and WAN:1 (WAN:1 is the alias IP).

To create an alias IP (LAN):

  1. On the Local Network page, select New > Alias.

    The New Alias window opens.

  2. Select the Local network port.

  3. Add IP address

  4. Add subnet mask

  5. Click Apply.

You can configure a total of 64 aliases for a LAN connection.

Alias IP is not supported on a bridge interface. You can only assign an alias IP to a separate network LAN or switch. If you remove or disable the LAN, any assigned alias IPs are also removed.

When you edit an alias IP, you cannot change the port or the ID.

To create an Alias IP on WAN, you must create an additional internet connection on the same WAN interface. See Configuring Internet Connectivity.

VPN Tunnel (VTI)

To create/edit a VPN Tunnel (VTI):

A Virtual Tunnel Interface (VTI) is a virtual interface on a Security Gateway that is related to an existing, Route Based VPN tunnel. The Route Based VPN tunnel works as a point-to-point connection between two peer Security Gateways in a VPN community. Each peer Security Gateway has one VTI that connects to the tunnel.

The VPN tunnel and its properties are defined by the VPN community that contains the two gateways. You must define the VPN community and its member Security Gateways before you can create a VTI.

Configure the fields in the tabs:

The 'Configuration' tab

  • VPN Tunnel ID - A number identifying the VTI.

  • Peer - The name of the remote VPN site. See Configuring VPN Sites.

    The VPN tunnel interface can be numbered or unnumbered. Select the applicable option:

  • Numbered VTI - You configure a local and remote IP address for a numbered VTI:

    • Local IPv4 address - The IP address to be used for the local point-to-point virtual interface.

    • Remote IP address - The IP address to be used at the peer gateway's point-to-point virtual interface.

  • Unnumbered VTI - When the VTI is unnumbered, it is not necessary to configure local and remote IP addresses. You define a local interface to use as the source IP address for outbound traffic.

    • Internet connection - Select from the list.

    • Local bridge interface - Select the local interface from the list.

Virtual Access Point (VAP)

To create/edit a Virtual Access Point (VAP):

See the Device > Wireless Network help page.

The 'DHCP/SLAAC Settings' tab

Note - In IPv4-only mode, this tab is called DHCPv4 Settings.

The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.

DNS Server Settings (For DHCPv6/SLAAC)

Select one of these options:

  • Auto - Use the DNS configuration of the device.

  • Use the following IP addresses - Enter the first, second and third DNS servers.

DNS Server Settings (For DHCPv4)

These settings are effective only if a DHCPv4 server is enabled.

Select one of these options:

  • Auto - This uses the DNS configuration of the appliance as configured in the Device > DNS and Device > Internet pages.

  • Use the following IP addresses - Enter the IP addresses for the First DNS server, Second DNS server, and Third DNS server.

Default Gateway

Select one of these options:

  • Use this gateway's IP address as the default gateway

  • Use the following IP address - Enter an IP address to use as the default gateway.

WINS

Select one of these options:

  • Use the WINS servers configured for the internet connection

  • Use the following WINS servers - Enter the IP addresses of the First and Second WINS servers.

Lease section

Lease time - Configure the timeout in hours for a single device to retain a dynamically acquired IP address.

Other Settings

You can optionally configure these additional parameters so they will be distributed to DHCP clients:

  • Time servers

  • Call manager

  • TFTP server

  • TFTP boot file

  • X Window display manager

  • Avaya IP phone

  • Nortel IP phone

  • Thomson IP phone

Custom Options

Lets you add custom options that are not listed above. For each custom option, you must configure the name, tag, type, and data fields.

GRE

Starting from R81.10.07, you can create a GRE (Generic Routing Encapsulation) tunnel as a LAN interface connected with a remote peer and route all traffic between the two sites.

Each site has its own routable physical IP address. The GRE tunnel is created on top of a physical network interface, and each tunnel side is assigned a tunnel IP address which is different than the physical IP address.

Notes:

  • Because the GRE tunnel connects two remote sites over the internet, Quantum Spark appliances must support such interfaces.

  • Do not create the GRE tunnel over LAN.

  • Starting from R81.10.15, GRE interfaces support OSPF.

To create a GRE tunnel:

  1. In the WebUI, go to Device > Local Network and click New.

  2. From the drop-down menu, select GRE.

    The New GRE window opens in the Configuration tab.

  3. Enter the applicable information for the GRE Settings fields:

  4. Click Apply.

BOND

Bonding, also known as Link Aggregation, is a process that joins two or more interfaces together. It improves performance and redundancy by increasing the network throughput and bandwidth. Like other LAN interfaces, the LANBOND can be an unassigned network or a cluster interface. Starting from R81.10.15, you can configure High Availability settings from this page.

Use Case

Link Aggregation binds two or more physical ports together to form a LAG (Link Aggregation Group) bundle that results in higher bandwidth and link redundancy. If one link in the group fails, traffic is automatically routed through the remaining interfaces.

To create a BOND (LAN):

  1. In the Local Network page, click New and select BOND (Link Aggregation).

    The New BOND window opens.

  2. In the Configuration tab, under BOND configuration, select a minimum of 2 LANs that are unassigned and disabled.

    Note - You cannot select LAN interfaces that have a VLAN assigned to them.

  3. Select the Operation mode:

    • 802.3ad – Dynamically uses Active interfaces to share the traffic load.

      Traffic is assigned to Active interfaces based on the transmit hash policy (Layer2 or Layer3+4).

    • Round Robin – Selects the Active interface sequentially.

    • XOR – All interfaces are Active for Load Sharing.

      Traffic is assigned to Active interfaces based on the transmit hash policy (Layer2 or Layer3+4).

    • High Availability (Active/Backup) – Provides redundancy when there is an interface or link failure.

      If you select this mode, you must select a Master - the primary/default port for the traffic.

  4. Under Interface Configuration:

    1. Select the interface.

    2. Enter the Local IPv4 address and Subnet mask.

    3. Cluster status - Starting from R81.10.15, you can configure the cluster status of the LAN connection, including the Cluster IP and Peer IP. If the interface is assigned to a separate network, you can select between Monitored or non-HA. Select High Availability to add the interface to a cluster.

    4. Select if you want to Use hotspot when connecting to network.

  5. For DHCPv4, click Enabled.

  6. In the Advanced tab, select the Mii interval.

    This interval is the frequency (in milliseconds) at which the system polls the Media Independent Interface (MII, the standard interface for Fast Ethernet) to get the link status.

  7. If you selected 802.3ad or XOR as your operation mode, select the Hash policy from the dropdown menu (Layer2 or Layer3+4).

  8. Click Apply.
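The choice between the Layer2 and Layer3+4 transmit hash policies (steps 3 and 7) decides how evenly a BOND spreads traffic. This added Python example, not appliance code, models both policies with the formulas documented for the Linux bonding driver; that the appliance uses exactly these formulas is an assumption, and the flows are constructed. It shows why Layer2 pins all traffic between one router MAC and one server MAC onto a single link while Layer3+4 spreads the same flows across both.

```python
"""Transmit hash policies for a LAN BOND: Layer2 vs Layer3+4 (added example).

Formulas follow the Linux bonding documentation (xmit_hash_policy layer2 and
layer3+4). Whether the appliance implements them identically is an assumption;
the qualitative behaviour is what matters here. All flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ethertype: int = 0x0800  # IPv4


def _last_octet(mac: str) -> int:
    return int(mac.split(":")[-1], 16)


def hash_layer2(flow: Flow) -> int:
    """layer2: last octet of src MAC XOR last octet of dst MAC XOR EtherType.
    Only MAC-level fields are used, so every IP flow between the same two
    MAC addresses (e.g. a router and a server) gets the same hash."""
    return _last_octet(flow.src_mac) ^ _last_octet(flow.dst_mac) ^ flow.ethertype


def hash_layer3_4(flow: Flow) -> int:
    """layer3+4: 32-bit word of (src_port, dst_port) XOR src_ip XOR dst_ip,
    then folded with two shifts; different TCP/UDP flows hash differently."""
    h = ((flow.src_port & 0xFFFF) << 16) | (flow.dst_port & 0xFFFF)
    h ^= int(ipaddress.IPv4Address(flow.src_ip)) ^ int(ipaddress.IPv4Address(flow.dst_ip))
    h ^= h >> 16
    h ^= h >> 8
    return h & 0xFFFFFFFF


def choose_link(flow: Flow, policy: str, link_count: int) -> int:
    """Index of the Active interface the flow is transmitted on: hash modulo link count."""
    if policy == "Layer2":
        h = hash_layer2(flow)
    elif policy == "Layer3+4":
        h = hash_layer3_4(flow)
    else:
        raise ValueError(f"unknown hash policy: {policy}")
    return h % link_count


def distribution(flows: List[Flow], policy: str, link_count: int) -> List[int]:
    """How many of the given flows land on each bonded link."""
    counts = [0] * link_count
    for f in flows:
        counts[choose_link(f, policy, link_count)] += 1
    return counts


# Constructed scenario: clients behind a router (one MAC) talk HTTPS to one
# server (one MAC) through a two-link BOND. Only IPs and source ports differ.
ROUTER_MAC = "00:11:22:33:44:55"
SERVER_MAC = "66:77:88:99:aa:bb"
SAMPLE_FLOWS = [
    Flow(ROUTER_MAC, SERVER_MAC, src, "192.168.1.10", sport, 443)
    for src, sport in [("10.0.0.5", 40000), ("10.0.0.6", 40000), ("10.0.1.7", 40002),
                       ("10.0.1.8", 40003), ("10.0.2.9", 40004), ("10.0.2.10", 40005)]
]

if __name__ == "__main__":
    for policy in ("Layer2", "Layer3+4"):
        print(policy, distribution(SAMPLE_FLOWS, policy, 2))  # Layer2 -> [6, 0], Layer3+4 -> [3, 3]
```

The Layer2 result is the case to watch for in a router-to-server or router-to-router BOND: one link carries everything and the second only provides redundancy.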

To create a WAN BOND, see Configuring Internet Connectivity.