Interfaces allow inbound and outbound traffic to flow to security zones. An interface must be bound to a security zone so that traffic can flow into and from the security zone. Furthermore, for the Layer 3 security zone, an IP address should be configured for the interface, and the corresponding policy rules should also be configured to allow traffic transmission between different security zones. Multiple interfaces can be bound to one security zone, but one interface cannot be bound to multiple security zones.
The security devices support various types of interfaces which are basically divided into physical and logical interfaces based on the nature.
- Physical Interface: Each Ethernet interface on devices represents a physical interface. The name of a physical interface, consisting of media type, slot number and location parameter, is pre-defined, like ethernet2/1 or ethernet0/2.
- Logical Interface: Include sub-interface, VSwitch interface,
VLAN interface,loopback interface, tunnel interface, aggregate interface, redundant interface, PPPoE interface and Virtual Forward interface.
Interfaces can also be divided into Layer 2 interface and Layer 3 interface based on their security zones.
- Layer 2 Interface: Any interface in Layer 2 zone
- Layer 3 Interface: Any interface in Layer 3 zone. Only Layer 3 interfaces can operate in NAT/routing mode.
Different types of interfaces provide different functions, as described in the table below.
|Sub-interface||The name of an sub-interface is an extension to the name of its original interface, like ethernet0/2.1. System supports the following types of sub-interfaces: Ethernet sub-interface, aggregate sub-interface and redundant sub-interface. An interface and its sub-interfaces can be bound to one single security zone, or to different zones.|
|VSwitch interface||A Layer 3 interface that represents the collection of all the interfaces of a VSwitch. The VSwtich interface is virtually the upstream interface of a switch that implements packet forwarding between Layer 2 and Layer 3.|
|VLAN interface||A Layer 3 interface that represents the collection of all the Ethernet interfaces within a VLAN. If only one Ethernet interface is in UP state, the VLAN interface will be UP as well. The VLAN interface is the outbound communication interface for all the devices within a VLAN. Typically its IP address is the gateway's address of the network device within the VLAN.|
|Loopback interface||A logical interface. If only the security device with loopback interface configured is in the working state, the interface will be in the working state as well. Therefore, the loopback interface is featured with stability.|
|Tunnel interface||Only a Layer 3 interface, the tunnel interface acts as an ingress for VPN communications. Traffic flows into VPN tunnel through this interface.|
|Aggregate interface||Collection of physical interfaces that include 1 to 16 physical interfaces. These interfaces averagely share the traffic load to the IP address of the aggregate interface, in an attempt to increase the available bandwidth for a single IP address. If one of the physical interfaces within an aggregate interface fails, other physical interfaces can still process the traffic normally. The only effect is the available bandwidth will decrease.|
|Redundant interface||The redundant interface allows backup between two physical interfaces. One physical interface, acting as the primary interface, processes the inbound traffic, and another interface, acting as the alternative interface, will take over the processing if the primary interface fails.|
|PPPoE interface||A logical interface based on Ethernet interface that allows connection to PPPoE servers over PPPoE protocol.|
|Virtual Forward interface||In HA environment, the Virtual Forward interface is HA group's interface designed for traffic transmission.|