The firewall is shipped with physical and virtual interfaces. A physical interface is a port, for example, Port1, PortA, or eth0. A virtual interface is a logical representation of an interface that lets you extend your network using existing ports. You can bind multiple IP addresses to a single physical interface using an alias. You can also create and configure interfaces that support Remote Ethernet Devices.
- To create a virtual interface or alias, click Add interface and select a type.
If you turn an interface off:
- The interface doesn't lose its configuration, and you can see its status on the Interfaces page.
- Site-to-site IPsec tunnel initiators immediately disconnect the tunnel.
- Site-to-site IPsec tunnel responders and remote access connections disconnect the tunnel when inactivity or Dead Peer Detection (DPD) time-out occurs.
You can't turn off Alias and XFRM interfaces. Alias interfaces are turned off when you turn off their physical interface. You can deactivate XFRM interfaces on Site-to-site > IPsec.
- To delete a virtual interface, click Menu and select Delete interface.
Configuring more than one WAN interface in the same subnet results in ARP issues, making the gateways unreachable. For example, if your ISP offers public IP addresses belonging to the same subnet, you need to use alias or LAG interfaces.
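The following audit check for this condition is an added example, not part of the original documentation or any Sophos tooling. It assumes a hypothetical interface inventory (the field names `name`, `zone`, `cidr`, and `parent` are made up for illustration) and flags WAN entries on different interfaces that share a subnet, while accepting aliases bound to the same physical interface. A LAG is modelled as a single entry.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (hypothetical field names, not a Sophos export format).
# "parent" is set for alias entries and names the physical interface they are bound to.
SAMPLE_INTERFACES = [
    {"name": "Port2", "zone": "WAN", "cidr": "203.0.113.10/28", "parent": None},
    {"name": "Port2:0", "zone": "WAN", "cidr": "203.0.113.11/28", "parent": "Port2"},
    {"name": "Port3", "zone": "WAN", "cidr": "203.0.113.12/28", "parent": None},
    {"name": "Port4", "zone": "WAN", "cidr": "198.51.100.5/24", "parent": None},
    {"name": "Port1", "zone": "LAN", "cidr": "172.16.16.16/24", "parent": None},
]


def find_wan_subnet_conflicts(interfaces):
    """Return sorted (iface_a, iface_b, net_a, net_b) tuples for WAN entries on
    different interfaces whose subnets overlap."""
    wan = []
    for entry in interfaces:
        if entry["zone"].upper() != "WAN":
            continue
        # strict=False accepts a host address with a prefix, e.g. 203.0.113.10/28
        net = ipaddress.ip_network(entry["cidr"], strict=False)
        # An alias is bound to its physical interface, so attribute it to that interface.
        owner = entry["parent"] or entry["name"]
        wan.append((owner, entry["name"], net))

    conflicts = []
    for (own_a, name_a, net_a), (own_b, name_b, net_b) in combinations(wan, 2):
        if own_a == own_b:
            continue  # alias on the same interface: the layout the text recommends
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            conflicts.append((name_a, name_b, str(net_a), str(net_b)))
    return sorted(conflicts)


if __name__ == "__main__":
    for a, b, net_a, net_b in find_wan_subnet_conflicts(SAMPLE_INTERFACES):
        print(f"WAN subnet conflict: {a} ({net_a}) and {b} ({net_b})")
```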
Updating and deleting interfaces
Updating interfaces may affect dependent configurations, including interface zone binding, DNS, gateway, SD-WAN routes and profiles, interface-based hosts, VLAN interfaces, and dynamic DNS.
Deleting an interface will also remove all dependent configurations, including interface zone binding, DHCP server or relay, interface-based firewall rule, ARP (static and proxy), protected servers, protected server-based firewall rules, interface-based hosts, references from host groups, and unicast and multicast routes.
Deleting a virtual interface will delete the firewall rule defined for it.
After updating or deleting interfaces, your network connections may become temporarily unresponsive or unavailable.
- Bridges enable you to configure transparent subnet gateways.
- Link aggregation groups combine physical links into a logical link that connects the firewall to another network device.
- A Remote Ethernet Device (RED) provides a secure tunnel between a remote site and Sophos Firewall. The RED establishes a VPN connection between itself and the firewall. The VPN connection ensures that any device connected to the RED is seen as part of the network.
- Virtual LANs are isolated broadcast domains within a network. You can create VLANs on physical interfaces, such as ports (for example Port1, PortA, eth0), RED interfaces, or virtual interfaces, such as bridge or LAG.
- XFRM interfaces, also called virtual tunnel interfaces (VTIs), are used for route-based VPN tunnels. An XFRM interface is automatically created when you create an IPsec connection of the type Tunnel interface.
- A wireless network provides common connection settings for wireless clients. These settings include SSID, security mode, and the method for handling client traffic. When you create a network as a separate zone, the firewall creates a corresponding VXLAN tunnel.
- Cellular WAN networks provide secure wireless broadband service to mobile devices. When you enable cellular WAN, the firewall creates the WWAN1 interface.
- Test access point (TAP): By deploying the firewall in discover mode, you can monitor all the network traffic without making any changes to the network schema. You can turn on discover mode and configure a port through the console. The firewall lists the corresponding interface as “Discover, physical (TAP).”
Interface status messages
- Interface is currently not bound to any zone.
- Interface is configured and connected.
- A new IP address is being leased.
- IP address has been released.
- IP address is being released.
- No physical connection. WiFi interface: No access point is connected, or an access point is connected, but no wireless network is assigned.
- FleXi Ports have been configured and the FleXi Port module has been removed.