Tackling Task 1.2 – Determine and assess appropriate interface types for various environments
Under the PCNSE, there is a task to understand and select the correct interface type for a given situation. Most of the time an engineer will settle on the Layer 3 interface and the familiar IPv4 or IPv6 addressing.
But under certain circumstances, an engineer will find benefits in utilizing other interface types.
And for the PCNSE certification, knowing, understanding, and configuring these interface types is important.
All of these interfaces can be configured under Network > Interfaces.
There are 10 interface types you should know about. You may be tested on the following interfaces:
A Layer 2 interface provides switching between two or more networks by connecting devices to a Layer 2 segment. The firewall will forward frames to the connected port.
A Layer 3 interface is the most widely used interface type, supporting both IPv4 and IPv6. You must configure an IP address, associate the interface with a zone, and attach it to a virtual router, which must be configured before it can be used with the interface.
Multiple options exist for a Layer 3 interface such as:
- Maximum segment size (MSS) adjustment
- Maximum transmission unit (MTU) adjustment
- Binding of firewall services
- Neighbor discovery for IPv6
- Manual MAC address assignment
- Dynamic DNS support
- Link negotiation settings
In a transparent firewall deployment you’ll utilize the Virtual Wire interface to bind two firewall ports together. This makes integrating a firewall into a topology simple, where the firewall doesn’t have to perform any switching or routing.
In this deployment method, the firewall still supports blocking or allowing traffic based on VLAN tags, security policy rules, and other firewall features.
A Virtual Wire interface can be connected to a Layer 2 or Layer 3 device or host. But don’t use Virtual Wire if you need switching, VPN tunnels, or routing. And do not use an Interface Management Profile with it.
Need a way to access data flowing across a network? The Tap interface can passively monitor traffic flow from a switch port analyzer or mirror port. It allows a firewall to detect traffic and threats without any enforcement.
A subinterface is a virtual interface configured off of a parent interface, and each subinterface can be placed in a separate zone. A subinterface can be of Layer 2 or Layer 3 configuration. I use subinterfaces in deployments where multiple VLANs are riding on a single physical interface.
A Tunnel interface is the logical interface used in a VPN tunnel configuration. It must belong to a security zone for any policies to apply, and it must be assigned to a virtual router.
If a Tunnel interface is assigned to a separate zone from the physical interface, security policies must be configured for traffic to flow between the VPN zone and the trust zone.
A Tunnel interface does not require an IP address; one is needed only if tunnel monitoring or dynamic routing is used across the tunnel.
An Aggregate Ethernet (AE) group uses 802.1AX link aggregation to combine multiple Ethernet interfaces into a single virtual interface.
It will increase bandwidth by load balancing traffic across the combined interfaces and provide redundancy. You must configure the interfaces before the AE interface group. And while the hardware media can differ, the bandwidth and interface type must be the same.
It is possible to add 8 or 16 AE interface groups depending on the firewall model and each group can have up to 8 interfaces.
A loopback interface exists to connect virtual routers in the firewall. It can also be used for other network engineering and implementation purposes, such as a destination for DNS sinkholes, a GlobalProtect service interface, a router ID for routing protocols, and more.
A Decrypt Mirror interface is a special interface type that forwards copies of decrypted traffic out a firewall port to an external device, for example for data loss prevention.
The Decrypt Mirror interface is used with the Decryption Port Mirror feature.
A VLAN interface is associated with one or more Layer 2 Ethernet ports, and it can also provide routing between that Layer 2 VLAN and a Layer 3 network.
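As an added example (not code from this guide or from Palo Alto Networks), the script below encodes the deployment rules described above for Layer 3, Virtual Wire, Tunnel and Aggregate Ethernet interfaces as a small linter over a planned interface inventory. The `Interface` record, the constructed inventory and the per-model AE limits passed as parameters are assumptions for illustration; the point is to show how the rules interact (for example that a Tunnel interface without an IP is fine until tunnel monitoring is enabled, and that AE members may differ in media but not in bandwidth).

```python
# Added example for this study guide (not PAN-OS code): lint a planned
# interface inventory against the rules summarised above for Layer 3,
# Virtual Wire, Tunnel and Aggregate Ethernet interfaces.  The Interface
# record, the inventory and the AE limits are constructed assumptions.
from dataclasses import dataclass
from typing import Optional, List, Dict


@dataclass
class Interface:
    name: str
    itype: str                            # "layer3", "vwire", "tunnel", "ae-member", ...
    zone: Optional[str] = None
    virtual_router: Optional[str] = None
    ip: Optional[str] = None
    mgmt_profile: Optional[str] = None    # Interface Management Profile name, if any
    tunnel_monitor: bool = False
    dynamic_routing: bool = False
    ae_group: Optional[str] = None        # e.g. "ae1" for an AE member port
    bandwidth_mbps: Optional[int] = None
    media: Optional[str] = None           # "copper" / "fiber"; may differ within one AE group


def lint(interfaces: List[Interface], max_ae_groups: int = 8,
         max_ae_members: int = 8) -> List[str]:
    """Return one finding per rule violation; an empty list means the plan
    satisfies every rule this linter knows about."""
    findings: List[str] = []
    ae_groups: Dict[str, List[Interface]] = {}

    for i in interfaces:
        if i.itype == "layer3":
            # Layer 3 needs all three: an IP address, a zone and a virtual router.
            for attr, what in (("ip", "an IP address"), ("zone", "a zone"),
                               ("virtual_router", "a virtual router")):
                if getattr(i, attr) is None:
                    findings.append(f"{i.name}: Layer 3 interface is missing {what}")
        elif i.itype == "vwire":
            # Virtual Wire does no routing; a management profile does not belong on it.
            if i.mgmt_profile:
                findings.append(f"{i.name}: Virtual Wire must not use an Interface Management Profile")
        elif i.itype == "tunnel":
            if i.zone is None:
                findings.append(f"{i.name}: Tunnel interface must belong to a security zone")
            if i.virtual_router is None:
                findings.append(f"{i.name}: Tunnel interface must be assigned to a virtual router")
            # An IP is optional, unless tunnel monitoring or dynamic routing rides the tunnel.
            if (i.tunnel_monitor or i.dynamic_routing) and i.ip is None:
                findings.append(f"{i.name}: tunnel monitoring/dynamic routing requires an IP address")
        elif i.itype == "ae-member":
            ae_groups.setdefault(i.ae_group or "<unassigned>", []).append(i)

    if len(ae_groups) > max_ae_groups:
        findings.append(f"{len(ae_groups)} AE groups exceeds the {max_ae_groups} supported on this model")
    for group, members in ae_groups.items():
        if len(members) > max_ae_members:
            findings.append(f"{group}: {len(members)} members exceeds the limit of {max_ae_members}")
        # Media may differ (copper/fiber), but bandwidth must match across members.
        if len({m.bandwidth_mbps for m in members}) > 1:
            findings.append(f"{group}: member interfaces have mismatched bandwidth")
    return findings


def example_findings() -> List[str]:
    """Lint a constructed inventory that mixes valid and invalid entries."""
    plan = [
        Interface("ethernet1/1", "layer3", zone="trust", virtual_router="default", ip="10.0.1.1/24"),
        Interface("ethernet1/2", "layer3", zone="untrust"),                    # no IP, no VR -> 2 findings
        Interface("ethernet1/3", "vwire", mgmt_profile="allow-ping"),            # 1 finding
        Interface("ethernet1/4", "vwire"),                                       # ok
        Interface("tunnel.1", "tunnel", zone="vpn", virtual_router="default",
                  tunnel_monitor=True),                                          # monitoring, no IP -> 1 finding
        Interface("tunnel.2", "tunnel", zone="vpn", virtual_router="default"),   # IP optional -> ok
        Interface("ethernet1/5", "ae-member", ae_group="ae1", bandwidth_mbps=1000, media="copper"),
        Interface("ethernet1/6", "ae-member", ae_group="ae1", bandwidth_mbps=1000, media="fiber"),   # media differs -> ok
        Interface("ethernet1/7", "ae-member", ae_group="ae2", bandwidth_mbps=1000, media="fiber"),
        Interface("ethernet1/8", "ae-member", ae_group="ae2", bandwidth_mbps=10000, media="fiber"),  # bandwidth differs -> 1 finding
    ]
    return lint(plan)


if __name__ == "__main__":
    for line in example_findings():
        print(line)
```

Running the script prints five findings for the constructed plan: two for `ethernet1/2`, one each for `ethernet1/3`, `tunnel.1` and `ae2`, while the well-formed entries (including the mixed-media `ae1` group) produce none.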