Configure physical interfaces
You can configure the general, IPv4, IPv6, and advanced settings of a physical interface.
General settings
Configure the following settings:
- Name: Enter a name. You can change this later. You can use a maximum of 58 characters.
- Hardware: A physical interface, for example, Port1, PortA, or eth0. You can't change this.
- Breakout mode: Select a breakout configuration to break out high speed interfaces into two or more interfaces of lower speeds. See Breakout interfaces.
  Restriction: This option appears only on XGS Series appliances that support breakout interfaces.
- Network zone: Zone assigned to the interface.
IPv4 configuration
You can configure a physical interface with a static IP address, PPPoE username and password, or automatically with DHCP.
- Select IPv4 configuration.
- Select the IP assignment method from the following options:
  - Static: Assign a static IP address and gateway to the interface.
  - PPPoE: Use the username and password provided by your ISP to obtain an IP address from a PPPoE server.
  - DHCP: Obtain an IP address from a DHCP server.
    Note: The firewall doesn't support Differentiated Services Field Codepoints (DSCP) for system-generated DHCP and ARP traffic, such as when the firewall is a DHCP client, relay agent, or server.
  Restriction: You can't change the IP assignment from static to PPPoE or DHCP on any interface with VLAN configured.
You can specify a static IP address for the interface.
- Enter an IPv4 address for the interface.
- Change the subnet mask if you want.
- Enter a Gateway name.
- Enter a Gateway IP address.
You can use the username and password provided by your ISP to obtain an IP address from a PPPoE server.
- Enter an IPv4 address for the interface.
- Change the subnet mask if you want.
- Enter the Preferred IP address for the PPPoE connection. Many internet service providers assign a static IP address to PPPoE connections. The firewall allows you to bind the static IP address to the PPPoE connection.
  Note: An address other than the preferred IP address may be assigned to the PPPoE connection, depending on the PPPoE server configuration.
- Enter a Gateway name.
- Enter a Gateway IP address.
- Enter the PPPoE account username.
- Enter the PPPoE account password.
- Enter the Access concentrator/service name. The firewall initiates only those sessions with the access concentrator that can provide the specified service.
- Select LCP echo interval only if you want to change the default value, then enter the value. The firewall sends echo requests at these intervals to check whether the link is live.
  Note: Clearing the checkbox doesn't turn off LCP. It only resets the interval to the default value (20 seconds).
- Select LCP failure only if you want to change the default number of echo requests, then enter the value. If the firewall doesn't receive a reply from the client after these requests, it disconnects the PPPoE connection.
  Note: Clearing the checkbox doesn't turn off LCP. It only resets the number of echo request attempts to the default value (3).
- Enter the Schedule time for reconnect. The address assigned to a PPPoE connection, whether dynamic or static (preferred), can have a predefined validity period. Once the validity expires, the PPPoE connection is terminated and reconnected. To prevent reconnection during working hours, turn on the PPPoE reconnect schedule.
  When it reconnects, a dynamic address rather than the preferred IP address may be assigned to the PPPoE connection.
- Under DSL settings, turn on VDSL if you want the firewall to automatically create a VLAN for the PPPoE connection and then specify a VLAN tag for it. If you turn it on, you don't need to manually create a VLAN on Interface > Add interface > Add VLAN.
You can obtain an IP address from a DHCP server.
- Enter an IPv4 address for the interface.
- Change the subnet mask if you want.
- Enter a Gateway name.
- Enter a Gateway IP address.
IPv6 configuration
To configure a WAN interface, you can use Static or DHCP. To configure an internal interface, you can use Static, DHCP, or Delegated methods.
Selecting DHCP for a WAN interface and Delegated for an internal interface allows you to configure IPv6 prefix delegation to simplify IPv6 addressing in your environment. See DHCP prefix delegation.
- Select IPv6 configuration.
- Select the IP assignment method from the following options:
  - Static: Assign a static IP address to any interface.
  - DHCP: Obtain an IPv6 address from a DHCPv6 server or through prefix delegation from the ISP.
  - Delegated: Assign an IPv6 address to internal interfaces using the prefix delegated by the ISP.
    Note: The firewall doesn't support DSCP for system-generated DHCP and ARP traffic, such as when the firewall is a DHCP client, relay agent, or server.
  Restriction: You can't change the IP assignment from static to DHCP or Delegated on any interface with VLAN configured.
You can specify a static IP address for the WAN and internal interfaces.
- Enter an IPv6 address for the interface.
- Change the prefix if you want.
- Enter a Gateway name.
- Enter a Gateway IP address.
You can obtain an IP address and other parameters from a DHCPv6 server. You can obtain an IPv6 prefix from the ISP and delegate it to internal interfaces using DHCP prefix delegation.
- Select the Mode to configure the IPv6 address using stateful or stateless methods.
  - Auto: An IPv6 address is automatically assigned to the interface according to the configuration method you use. The method can be DHCP only or Stateless.
  - Manual: Select one of the following options based on your method (DHCPv6 or SLAAC) of assigning an IPv6 address to the interface:
    - With DHCP only, the firewall assigns the address and other parameters provided by the DHCPv6 server to the interface.
    - With Stateless, the firewall assigns the interface address using Stateless Address Auto-Configuration (SLAAC) according to the Managed (M) Address Configuration and Other (O) Configuration flags advertised in the Router Advertisement (RA) message. You can select Accept other configuration from DHCP to configure other parameters using the DHCPv6 server. See Add an IPv6 router advertisement.
- Turn on DHCP prefix delegation if you want an IPv6 prefix delegated by your ISP. See DHCP prefix delegation.
  - Turn on Preferred delegated prefix if you want to specify the prefix you prefer. The ISP may delegate the preferred prefix or a different one. You must enter a prefix length of 48, 52, 56, or 60. The prefix address is optional.
- Turn on DHCP rapid commit if you want to use a two-message exchange (solicit and reply) rather than a four-message exchange (solicit, advertise, request, and reply). This option provides faster configuration.
  Note: You must turn on rapid commit in the DHCPv6 server.
- Enter a Gateway name.
- Enter a Gateway IP address.
  Restriction: You can't set the Gateway IP address if you've set Mode to Manual and Stateless.
Use the WAN interface's delegated IPv6 prefix to automatically assign IPv6 addresses to internal interfaces and endpoint devices.
- Select the Upstream interface from the drop-down menu. This is the WAN interface you've configured with DHCP prefix delegation. The firewall automatically delegates an IPv6 address and prefix that appears in the IPv6 address field.
- Turn on Router advertisement if you want the firewall to act as the RA server. See IPv6 router advertisement.
Advanced settings
Port settings
Configure the following settings:
- Link mode: Interface speed and duplex for synchronization. Select a mode from the list.
  The options shown depend on the appliance model.
  Note: Speed mismatch between the device and third-party routers and switches may result in errors or collisions, disconnection, increased latency, or slow performance.
- Auto-negotiation for media type: Auto-negotiation of speed and duplex. Turn it on or off.
- Forward Error Correction (FEC): FEC mode of the interface. Select a mode from the list.
  The options shown depend on the appliance model.
To use the recommended settings, do as follows:
- Click Show recommended settings.
- Click Load recommended configuration.
How to configure 25, 50, and 100 Gbps ports
To configure 25, 50, and 100 Gbps ports, do as follows:
- Make sure the cable is connected to the port properly.
- On the web admin console, go to Network > Interfaces.
- Edit the interface, and in Advanced settings, under Port settings, select the link speed in Link mode.
- Click Save.
  This sets the link mode in the hardware.
- Edit the interface again, and in Advanced settings, under Port settings, click Show recommended settings.
- Click Load recommended configuration.
- Click Save.
For all other ports, including 40 Gbps ports, you can see the recommended settings immediately after you select the link mode.
Interface settings (IPv4 and IPv6 settings)
Configure the following settings:
- MTU: MTU (Maximum Transmission Unit) value, in bytes. It's the largest packet size that a network can transmit. Packets larger than the specified value are divided into smaller packets before they're sent.
  Note: If you change the MTU value of XFRM interfaces, make sure it's at least 113 bytes lower than the listening interface's MTU size.
  Example:
    Listening interface MTU: 1400
    XFRM MTU: 1287 or lower
  This prevents packet drop during FastPath offload if SSL/TLS decryption applies to the IPsec VPN traffic.
- Override MSS: MSS (Maximum Segment Size), in bytes. It's the amount of data that can be transmitted in a TCP packet.
- Use default MAC address: Use the default MAC address of the interface. By default, the first port included as a member port becomes the default MAC address.
- Override default MAC address: Override the default MAC address of the interface and enter a new address. On factory reset, the address is reset to the default MAC address.
Interface settings (Only IPv6 settings)
Configure the following settings:
- DAD attempts: Number of consecutive Neighbor Solicitation messages sent while performing Duplicate Address Detection (DAD) on a tentative address.
- Allowed RA servers: List of MAC or IPv6 addresses of Router Advertisement (RA) servers from which you want the interface to accept the stateless configuration.
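The Stateless mode and the Allowed RA servers setting described above both depend on what a Router Advertisement contains and who sent it. The following added example (not Sophos code) parses an RFC 4861 RA, reads the M and O flags, and checks the sender against an allowlist; the function names, the allowlist entries, and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Constructed allowlist standing in for an "Allowed RA servers" list (MAC or IPv6).
ALLOWED_RA_SERVERS = ["00:11:22:33:44:55", "fe80::1"]

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134)."""
    if len(icmp6) < 16:
        raise ValueError("truncated RA")
    msg_type, code, _csum, _hops, flags, lifetime = struct.unpack("!BBHBBH", icmp6[:8])
    if (msg_type, code) != (134, 0):
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "slaac_prefixes": []}
    pos = 16  # options follow the reachable time and retrans timer fields
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[pos + 2:pos + opt_len]
        if opt_type == 3 and opt_len == 32 and body[1] & 0x40:  # Prefix Information, A flag
            net = ipaddress.IPv6Network((body[14:30], body[0]), strict=False)
            ra["slaac_prefixes"].append(str(net))
        pos += opt_len
    return ra

def assess_ra(src_mac: str, src_ip: str, icmp6: bytes, allowed=ALLOWED_RA_SERVERS) -> dict:
    """Decide whether an RA comes from an allowed server and what its flags ask for."""
    ra = parse_ra(icmp6)
    macs = {a.lower() for a in allowed if len(a) == 17 and a.count(":") == 5}
    ips = {ipaddress.IPv6Address(a) for a in allowed if a.lower() not in macs}
    # Assumption: src_mac and src_ip were read from the frame's Ethernet and IPv6 headers.
    ra["accepted"] = src_mac.lower() in macs or ipaddress.IPv6Address(src_ip) in ips
    ra["method"] = ("DHCPv6 (stateful)" if ra["managed"]
                    else "SLAAC + other configuration from DHCPv6" if ra["other"]
                    else "SLAAC only")
    return ra

def build_sample_ra(flags: int, prefix: str, plen: int) -> bytes:
    """Constructed RA for the demo: header plus one Prefix Information option."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    option = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    return header + option + ipaddress.IPv6Address(prefix).packed

SAMPLE_OK = assess_ra("00:11:22:33:44:55", "fe80::1", build_sample_ra(0x40, "2001:db8:1::", 64))
SAMPLE_ROGUE = assess_ra("de:ad:be:ef:00:01", "fe80::bad", build_sample_ra(0x00, "2001:db8:bad::", 64))
print(SAMPLE_OK)
print(SAMPLE_ROGUE)
```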