Interfaces
The firewall is shipped with physical and virtual interfaces. A physical interface is a port such as Port1, PortA, or eth0. A virtual interface is a logical representation of an interface that lets you extend your network using existing ports. You can bind multiple IP addresses to a single physical interface using an alias. You can also create and configure interfaces that support Remote Ethernet Devices.
- To create a virtual interface or alias, click Add interface and select a type.
- To turn an interface on or off, click the Menu button and select on or off.
  If you turn an interface off:
  - The interface doesn't lose its configuration, and you can see its status on the Interfaces page.
  - Site-to-site IPsec tunnel initiators immediately disconnect the tunnel.
  - Site-to-site IPsec tunnel responders and remote access connections disconnect the tunnel when inactivity or Dead Peer Detection (DPD) time-out occurs.
  You can't turn off Alias and XFRM interfaces. Alias interfaces are turned off when you turn off their physical interface. You can deactivate XFRM interfaces on Site-to-site > IPsec.
- To update an interface, click the Menu button and select Edit interface.
- To delete a virtual interface, click the Menu button and select Delete interface.
Note
- The speeds of the ports on other network devices must match the speeds of the ports you're connecting to on the firewall. For example, you can't connect a 25 Gbps port on another device to a 40 Gbps port on the firewall without appropriate conversion using breakout cables. You can use breakout cables to split the 40 Gbps and 100 Gbps ports on the firewall into 2 or 4 ports to match the capabilities of the connected devices. See Breakout interfaces and Sophos and third-party transceivers/SFPs compatibility list.
- Configuring more than one WAN interface in the same subnet results in ARP issues, making the gateways unreachable. For example, if your ISP offers public IP addresses belonging to the same subnet, you need to use alias or LAG interfaces.
Updating and deleting interfaces
Updating interfaces may affect dependent configurations, including the interface zone binding, DNS, gateway, SD-WAN routes and profiles, interface-based hosts, VLAN interfaces, and dynamic DNS.
Deleting an interface also removes all dependent configurations, including interface zone binding, DHCP server or relay, interface-based firewall rule, ARP (static and proxy), protected servers, protected server-based firewall rules, interface-based hosts, references from host groups, and unicast and multicast routes.
Deleting a virtual interface deletes the firewall rules defined for it.
Note
After updating or deleting interfaces, your network connections may become temporarily unresponsive or unavailable.
Interface usage
See Object usage.
Deleting an interface deletes all the firewall rules it's part of, even if the rule configuration also includes other interfaces.
Virtual interfaces
Name | Description |
---|---|
Bridge | Bridges enable you to configure transparent subnet gateways. |
LAG | Link aggregation groups combine physical links into a logical link that connects the firewall to another network device. |
RED | A Remote Ethernet Device (RED) provides a secure tunnel between a remote site and Sophos Firewall. The RED establishes a VPN connection between itself and the firewall. The VPN connection ensures that any device connected to the RED is seen as part of the network. |
VLAN | Virtual LANs are isolated broadcast domains within a network. You can create VLANs on physical interfaces, such as ports (for example Port1, PortA, eth0), RED interfaces, or virtual interfaces, such as bridge or LAG. |
xfrm | XFRM interfaces, also called virtual tunnel interfaces (VTIs), are used for route-based VPN tunnels. An XFRM interface is automatically created when you create an IPsec connection of the type Tunnel interface. |
Other interfaces
Name | Description |
---|---|
Wireless network | A wireless network provides common connection settings for wireless clients. These settings include SSID, security mode, and the method for handling client traffic. When you create a network as a separate zone, the firewall creates a corresponding VXLAN tunnel. |
Cellular WAN | Cellular WAN networks provide secure wireless broadband service to mobile devices. When you enable cellular WAN, the firewall creates the WWAN1 interface. |
Test access point (TAP) | By deploying the firewall in discover mode, you can monitor all the network traffic without making any changes to the network schema. The firewall doesn't drop or reject any traffic in this mode since it's only used for monitoring. You can turn on discover mode and configure a port through the console. The firewall lists the corresponding interface as "Discover, physical (TAP)". |
Interface status messages
Name | Description |
---|---|
Not configured | Interface is currently not bound to any zone. |
Connected | Interface is configured and connected. |
Connecting | A new IP address is being leased. |
Disconnected | IP address has been released. |
Disconnecting | IP address is being released. |
Unplugged | No physical connection. WiFi interface: No access point is connected, or an access point is connected, but no wireless network is assigned. |
Not available | FleXi Ports have been configured and the FleXi Port module has been removed. |