Layer 3 Interface
Configure an Ethernet Layer 3 interface to which you can route traffic.
  • Network > Interfaces > Ethernet
Layer 3 Interface Settings
Description
Interface Name
The read-only Interface Name is the name of the physical interface you selected.
Comment
Enter a user-friendly description for the interface.
Interface Type
Select Layer3.
NetFlow Profile
If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select an existing NetFlow profile or create a new NetFlow Profile (see Device > Server Profiles > NetFlow). Select None to remove the current NetFlow server assignment from the interface.
Config Tab
Virtual Router
Assign a virtual router to the interface or define a new Virtual Router (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, select an existing virtual system (vsys) for the interface or define a new Virtual System.
Security Zone
Select an existing security zone for the interface or define a new Zone. Select None to remove the current zone assignment from the interface.
IPv4 Tab
Enable SD-WAN
Select Enable SD-WAN to enable SD-WAN functionality for the Ethernet interface.
IPv4 Type = Static
IP
Add and perform one of the following steps to specify a static IP address and network mask for the interface.
  • Use Classless Inter-Domain Routing (CIDR) notation: ip_address/mask (for example, 192.168.2.0/24).
  • Select an existing address object of type IP netmask.
  • Create an Address object of type IP netmask.
You can enter multiple IP addresses for the interface. The forwarding information base (FIB) your firewall uses determines the maximum number of IP addresses.
Delete an IP address when you no longer need it.
Next Hop Gateway
If you did Enable SD-WAN, enter the IPv4 address of the Next Hop gateway.
IPv4 Type = PPPoE, General Tab
Enable
Select Enable to activate the interface for Point-to-Point Protocol over Ethernet (PPPoE) termination. The interface is a PPPoE termination point to support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other PPPoE device to terminate the connection.
Username
Enter the username your ISP provided for the point-to-point connection.
Password and Confirm Password
Enter the password and confirm the password.
Show PPPoE Client Runtime Info
View information about the PPPoE interface.
IPv4 Type = PPPoE, Advanced Tab
Authentication
Select an authentication method:
  • None (default)—There is no authentication on the PPPoE interface.
  • CHAP—Firewall uses Challenge Handshake Authentication Protocol—RFC-1994—on the PPPoE interface.
  • PAP—Firewall uses Password Authentication Protocol (PAP) on the PPPoE interface. PAP is less secure than CHAP; PAP sends usernames and passwords in plain text.
  • auto—Firewall negotiates the authentication method (CHAP or PAP) with the PPPoE server.
Static Address
Request a desired IPv4 address from the PPPoE server; the PPPoE server may assign that address or another address.
automatically create default route pointing to peer
Select this option to automatically create a default route that points to the default gateway that the PPPoE server provides.
Default Route Metric
Enter the default route metric (priority level) for the PPPoE connection (default is 10). A route with a lower number has higher priority during route selection. For example, the firewall uses a route with a metric of 10 before a route with a metric of 100.
Access Concentrator
If your ISP provided the name of an Access Concentrator, enter that name. The firewall will connect to this Access Concentrator on the ISP end. This is a string value of 0 to 255 characters.
Service
The firewall (PPPoE client) can provide the desired service request to the PPPoE server. This is a string value of 0 to 255 characters.
Passive
The firewall (PPPoE client) waits for the PPPoE server to initiate a connection. If this is not enabled, the firewall initiates a connection.
IPv4 Tab, Type = DHCP Client
Enable
Enable the interface to act as a Dynamic Host Configuration Protocol (DHCP) client and receive a dynamically assigned IP address.
Firewalls that are in a high availability (HA) active/active configuration don’t support DHCP Client.
Automatically create default route pointing to default gateway provided by server
Instruct the firewall to create a static route to a default gateway. The default gateway is useful when clients are trying to access many destinations that don’t need to have routes maintained in a routing table on the firewall.
Send Hostname
Select this option to assign a hostname to the DHCP client interface and send that hostname (Option 12) to a DHCP server, which can register the hostname with the DNS server. The DNS server can then automatically manage hostname-to-dynamic IP address resolutions. External hosts can identify the interface by its hostname. The default value indicates system-hostname, which is the firewall hostname that you set in Device > Setup > Management > General Settings. Alternatively, enter a hostname for the interface, which can be a maximum of 64 characters, including uppercase and lowercase letters, numbers, period, hyphen, and underscore.
Default Route Metric
Enter a default route metric (priority level) for the route between the firewall and the DHCP server (range is 1 to 65,535; there is no default metric). A route with a lower number has higher priority during route selection. For example, the firewall uses a route with a metric of 10 before a route with a metric of 100.
Show DHCP Client Runtime Info
View all settings the client inherited from its DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).
IPv6 Tab
Enable IPv6 on the interface
Select to enable IPv6 addressing on the interface.
Interface ID
Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you Use interface ID as host portion when adding an address, the firewall uses the interface ID as the host portion of that address.
Address
Add an IPv6 address and prefix length (for example, 2001:400:f00::1/64). Alternatively, select an existing IPv6 address object or create a new IPv6 address object.
Enable address on interface
Enable the IPv6 address on the interface.
Use interface ID as host portion
Select to use the Interface ID as the host portion of the IPv6 address.
Anycast
Select to include routing through the nearest node.
Send Router Advertisement
Select to enable router advertisement (RA) for this IP address. (You must also enable the global Enable Router Advertisement option on the interface.) For details about RA, see Enable Router Advertisement in this table. The following fields apply only if you Enable Router Advertisement:
  • Valid Lifetime—Length of time, in seconds, that the firewall considers the address valid. The valid lifetime must equal or exceed the Preferred Lifetime. The default is 2,592,000.
  • Preferred Lifetime—Length of time, in seconds, that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall cannot use the address to establish new connections, but any existing connections are valid until the Valid Lifetime expires. The default is 604,800.
  • On-link—Select if systems that have addresses within the prefix are reachable without a router.
  • Autonomous—Select if systems can independently create an IP address by combining the advertised prefix with an interface ID.
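The following added example (not code from the page or from the firewall vendor) shows what the Interface ID and Use interface ID as host portion fields amount to: deriving a modified EUI-64 interface ID from a MAC address, parsing a manually entered one, and combining either with a /64 prefix to form the address. The MAC and prefix are constructed sample values.

```python
import ipaddress

# Constructed sample values for this example (not from the page): a physical
# interface MAC and a /64 prefix of the kind a router advertisement would carry.
SAMPLE_MAC = "00:26:08:de:4e:29"
SAMPLE_PREFIX = "2001:db8:1234:5678::/64"


def eui64_interface_id(mac: str) -> bytes:
    """Derive the 64-bit modified EUI-64 interface ID from a 48-bit MAC address.

    RFC 4291 Appendix A: split the MAC in half, insert 0xFFFE between the halves,
    and flip the universal/local bit (0x02) of the first octet. Because the MAC is
    embedded verbatim, this host portion stays the same under every prefix and
    reveals the hardware address to anyone who sees the IPv6 address.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def format_interface_id(iid: bytes) -> str:
    """Render an interface ID in the colon-separated hex form the Interface ID field uses."""
    return ":".join(f"{b:02X}" for b in iid)


def parse_interface_id(text: str) -> bytes:
    """Parse a manually entered Interface ID such as 00:26:08:FF:FE:DE:4E:29."""
    parts = text.split(":")
    if len(parts) != 8:
        raise ValueError("an interface ID is 8 colon-separated hex octets")
    return bytes(int(p, 16) for p in parts)


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID used as the host portion."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("using the interface ID as host portion needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    generated = eui64_interface_id(SAMPLE_MAC)
    print("generated interface ID:   ", format_interface_id(generated))
    print("address with generated ID:", address_from_prefix(SAMPLE_PREFIX, generated))
    manual = parse_interface_id("00:26:08:FF:FE:DE:4E:29")
    print("address with manual ID:   ", address_from_prefix(SAMPLE_PREFIX, manual))
```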
IPv6 Tab, Address Resolution Tab
Enable Duplicate Address Detection
Select to enable duplicate address detection (DAD), then configure the DAD Attempts, Reachable Time (sec), and NS Interval.
DAD Attempts
Specify the number of DAD attempts within the neighbor solicitation interval (NS Interval) before the attempt to identify neighbors fails (range is 1 to 10; default is 1).
Reachable Time (sec)
Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1 to 36,000; default is 30).
NS Interval (sec)
Specify the number of seconds for DAD attempts before failure is indicated (range is 1 to 10; default is 1).
Enable NDP Monitoring
Select to enable Neighbor Discovery Protocol (NDP) monitoring. When enabled, you can select the NDP icon in the Features column to view information about a neighbor that the firewall discovered, such as the IPv6 address, the corresponding MAC address, and the User-ID (on a best-case basis).
IPv6 Tab, Router Advertisement Tab
Enable Router Advertisement
To provide Neighbor Discovery on IPv6 interfaces, select and configure the other fields in this section. IPv6 DNS clients that receive the router advertisement (RA) messages use this information.
RA enables the firewall to act as a default gateway for IPv6 hosts that are not statically configured and to provide the host with an IPv6 prefix for address configuration. You can use a separate DHCPv6 server in conjunction with this feature to provide DNS and other settings to clients.
This is a global setting for the interface. If you want to set RA options for individual IP addresses, Add and configure an IPv6 address in the IP address table. If you set RA options for any IPv6 address, you must Enable Router Advertisement for the interface.
Min Interval (sec)
Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3 to 1,350; default is 200). The firewall sends RAs at random intervals between the minimum and maximum values you configure.
Max Interval (sec)
Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4 to 1,800; default is 600). The firewall sends RAs at random intervals between the minimum and maximum values you configure.
Hop Limit
Specify the hop limit to apply to clients for outgoing packets (range is 1 to 255; default is 64) or select unspecified, which maps to a system default.
Link MTU
Specify the link maximum transmission unit (MTU) to apply to clients (range is 1,280 to 1,500) or default to unspecified, which maps to a system default.
Reachable Time (ms)
Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message (range is 0 to 3,600,000) or default to unspecified, which maps to a system default.
Retrans Time (ms)
Specify the retransmission timer, in milliseconds, that determines how long the client will wait before retransmitting neighbor solicitation messages (range is 0 to 4,294,967,295) or default to unspecified, which maps to a system default.
Router Lifetime (sec)
Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0 to 9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.
Router Preference
If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a High, Medium (default), or Low priority relative to other routers on the segment.
Managed Configuration
Select to indicate to the client that addresses are available via DHCPv6.
Other Configuration
Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.
Consistency Check
Select if you want the firewall to verify that RAs sent from other routers are advertising consistent information on the link. The firewall will log any inconsistencies in a system log; the type is ipv6nd.
DNS Support Tab (Available if you Enable Router Advertisement on the Router Advertisement Tab)
Include DNS information in Router Advertisement
Select for the firewall to send DNS information in NDP router advertisements from this IPv6 Ethernet interface. The other DNS Support fields (Server, Lifetime, Suffix, and Lifetime) are visible only after you select this option.
Server
Add one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 Ethernet interface. RDNS servers send a series of DNS lookup requests to root DNS and authoritative DNS servers to ultimately provide an IP address to the DNS client.
You can configure a maximum of eight RDNS Servers that the firewall sends—listed in order from top to bottom—in an NDP router advertisement to the recipient, which then uses them in that same order. Select a server and Move Up or Move Down to change the order of the servers or Delete a server from the list when you no longer need it.
Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement before the client can use an RDNS server to resolve domain names (range is Max Interval (sec) to twice Max Interval (sec); default is 1,200).
Suffix
Add one or more domain names (suffixes) for the DNS search list (DNSSL). Maximum length is 255 bytes.
A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the query. For example, if a DNS client tries to submit a DNS query for the name “quality” without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and transmits the DNS query. If the first DNS suffix on the list is “company.com”, the resulting query from the router is for the fully qualified domain name “quality.company.com”.
If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router uses the DNS suffixes until a DNS lookup is successful (ignoring the remaining suffixes) or until the router has tried all of the suffixes on the list.
Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.
You can configure a maximum of eight domain names (suffixes) for a DNS search list option that the firewall sends—listed in order from top to bottom—in an NDP router advertisement to the recipient, which uses them in the same order. Select a suffix and Move Up or Move Down to change the order or Delete a suffix when you no longer need it.
Lifetime
Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use a domain name (suffix) on the DNS search list (range is the value of Max Interval (sec) to twice Max Interval (sec); default is 1,200).
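As an added illustration of the DNS search list behaviour described above (this is example code, not the firewall's implementation), the following mimics a DNS client that receives the DNSSL option and applies the suffixes in advertised order, stopping at the first successful lookup. The suffix list and the lookup table are constructed; the table stands in for real DNS answers, and the second "build" entry shows that the suffix order decides which host an unqualified name reaches.

```python
# Constructed example data (not from the page): a DNS search list in the order the
# firewall would advertise it, and a lookup table standing in for real DNS answers.
MAX_DNSSL_SUFFIXES = 8   # the page's limit of eight suffixes per DNSSL option
MAX_SUFFIX_BYTES = 255   # the page's maximum suffix length

SEARCH_LIST = ["eng.company.example", "company.example"]
FAKE_DNS = {
    "quality.company.example": "192.0.2.10",
    "build.eng.company.example": "192.0.2.20",
    "build.company.example": "192.0.2.21",   # same short name under a later suffix
}


def validate_search_list(suffixes):
    """Apply the two limits the page states before the list goes into an RA."""
    if len(suffixes) > MAX_DNSSL_SUFFIXES:
        raise ValueError(f"at most {MAX_DNSSL_SUFFIXES} suffixes, got {len(suffixes)}")
    for suffix in suffixes:
        if len(suffix.encode("utf-8")) > MAX_SUFFIX_BYTES:
            raise ValueError(f"suffix exceeds {MAX_SUFFIX_BYTES} bytes: {suffix[:24]}...")
    return list(suffixes)


def resolve_with_search_list(name, suffixes, lookup):
    """Mimic a DNS client applying the advertised search list to a name.

    A name with no dot is treated as unqualified: each suffix is appended in order
    and the first query that succeeds wins, so the remaining suffixes are skipped.
    A name that already contains a dot is queried as given.
    Returns (fqdn_that_answered, answer, queries_attempted).
    """
    candidates = [name] if "." in name else [f"{name}.{s}" for s in suffixes]
    attempted = []
    for fqdn in candidates:
        attempted.append(fqdn)
        answer = lookup.get(fqdn)
        if answer is not None:
            return fqdn, answer, attempted
    return None, None, attempted


if __name__ == "__main__":
    suffixes = validate_search_list(SEARCH_LIST)
    for short in ("quality", "build", "nosuch"):
        fqdn, answer, tried = resolve_with_search_list(short, suffixes, FAKE_DNS)
        print(f"{short!r}: tried {tried} -> {fqdn} {answer}")
```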
SD-WAN Tab
SD-WAN Interface Status
If you selected Enable SD-WAN on the IPv4 tab, the firewall indicates SD-WAN Interface Status: Enabled. If you did not Enable SD-WAN, the firewall indicates SD-WAN status is Disabled.
SD-WAN Interface Profile
Select an existing SD-WAN Interface Profile to apply to this Ethernet interface or add a new SD-WAN Interface Profile.
You must Enable SD-WAN for the interface before you can apply an SD-WAN Interface Profile.
Advanced Tab
Link Speed
Select the interface speed in Mbps (10, 100, or 1000) or select auto.
Link Duplex
Select whether the interface transmission mode is full-duplex, half-duplex, or auto-negotiated.
Link State
Select whether the interface status is enabled (up), disabled (down), or determined automatically (auto).
Advanced Tab, Other Info Tab
Management Profile
Select a Management profile that defines the protocols (for example, SSH, Telnet, and HTTP) you can use to manage the firewall over this interface. Select None to remove the current profile assignment from the interface.
MTU
Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576 to 9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.
Adjust TCP MSS
Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:
  • IPv4 MSS Adjustment Size—Range is 40 to 300; default is 40.
  • IPv6 MSS Adjustment Size—Range is 60 to 300; default is 60.
Use these settings to address the case where a tunnel through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.
Encapsulation adds length to headers so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.
Untagged Subinterface
Select this option if the corresponding subinterfaces for this interface aren’t tagged.
Advanced Tab, ARP Entries Tab
IP Address
MAC Address
To add one or more static Address Resolution Protocol (ARP) entries, Add an IP address and its associated hardware [media access control (MAC)] address. To delete an entry, select the entry and Delete it. Static ARP entries reduce ARP processing.
Advanced Tab, ND Entries Tab
IPv6 Address
MAC Address
To provide neighbor information for Neighbor Discovery Protocol (NDP), Add the IPv6 address and MAC address of the neighbor.
Advanced Tab, NDP Proxy Tab
Enable NDP Proxy
Enable Neighbor Discovery Protocol (NDP) proxy for the interface. The firewall will respond to ND packets requesting MAC addresses for IPv6 addresses in this list. In the ND response, the firewall sends its own MAC address for the interface so that the firewall will receive the packets meant for the addresses in the list.
It is recommended that you enable NDP proxy if you are using Network Prefix Translation IPv6 (NPTv6).
If you selected Enable NDP Proxy, you can filter numerous Address entries by entering a filter and then selecting Apply Filter (gray arrow).
Address
Add one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses has no impact.
If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the IPv6 neighbors of the firewall and then Negate those neighbors to instruct the firewall not to respond to these IP addresses.
Negate
Negate an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.
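The following added example (not the firewall's own data model or code) models the NDP proxy Address list and its Negate option as described above: a subnet entry makes the firewall answer for every address in it, and negated entries for the firewall's real neighbors carve those addresses back out. The prefix and neighbor addresses are constructed; the rule that a matching negated entry overrides a matching positive entry is this example's reading of the page's description.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example (not the firewall's own data model): the NDP Proxy address
# list as the page describes it, with a subnet entry plus negated neighbor entries.


@dataclass(frozen=True)
class ProxyEntry:
    target: object        # ipaddress.IPv6Network, or a (first, last) IPv6Address range
    negate: bool = False  # True mirrors the Negate option on the entry


def parse_entry(text: str, negate: bool = False) -> ProxyEntry:
    """Accept a single IPv6 address, an IPv6 subnet, or a 'first-last' range."""
    if "-" in text:
        first, last = (ipaddress.IPv6Address(p.strip()) for p in text.split("-", 1))
        if first > last:
            raise ValueError(f"range start is after range end: {text}")
        return ProxyEntry((first, last), negate)
    return ProxyEntry(ipaddress.IPv6Network(text, strict=False), negate)


def _matches(entry: ProxyEntry, addr: ipaddress.IPv6Address) -> bool:
    if isinstance(entry.target, tuple):
        return entry.target[0] <= addr <= entry.target[1]
    return addr in entry.target


def should_proxy(entries, target: str) -> bool:
    """Would the firewall answer a neighbor solicitation for `target` with its own MAC?

    Entry order has no impact (as the page states); a negated entry that matches
    the address overrides any non-negated entry that also matches it.
    """
    addr = ipaddress.IPv6Address(target)
    if any(_matches(e, addr) for e in entries if e.negate):
        return False
    return any(_matches(e, addr) for e in entries if not e.negate)


# Constructed list: proxy a whole /64 (for example the NPTv6 translated prefix),
# then negate the firewall's real neighbors on that link so it never claims them.
PROXY_LIST = [
    parse_entry("2001:db8:ffff::/64"),
    parse_entry("2001:db8:ffff::1", negate=True),                      # upstream router
    parse_entry("2001:db8:ffff::10-2001:db8:ffff::1f", negate=True),   # other neighbors
]


if __name__ == "__main__":
    for probe in ("2001:db8:ffff::abcd", "2001:db8:ffff::1",
                  "2001:db8:ffff::15", "2001:db8:1::1"):
        print(probe, "->", "proxy" if should_proxy(PROXY_LIST, probe) else "ignore")
```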
Advanced Tab, LLDP Tab
Enable LLDP
Enable Link Layer Discovery Protocol (LLDP) for the interface. LLDP functions at the link layer to discover neighboring devices and their capabilities by sending and receiving LLDP data units to and from neighbors.
LLDP Profile
Select an existing LLDP Profile or create a new LLDP Profile. The profile is the way in which you configure the LLDP mode, enable syslog and SNMP notifications, and configure the optional Type-Length-Values (TLVs) you want transmitted to LLDP peers.
Advanced Tab, DDNS Tab
Settings
Select Settings to make the DDNS fields available to configure.
Enable
Enable DDNS on the interface—you must initially enable DDNS to configure it. (If your DDNS configuration is unfinished, you can save it without enabling it so that you don’t lose your partial configuration.)
Update Interval (days)
Enter the interval, in days, between updates that the firewall sends to the DDNS server to update IP addresses mapped to FQDNs (range is 1 to 30; default is 1).
The firewall also updates DDNS upon receiving a new IP address for the interface from the DHCP server.
Certificate Profile
Create a Certificate Profile to verify the DDNS service. The DDNS service presents the firewall with a certificate signed by the certificate authority (CA).
Hostname
Enter a hostname for the interface, which is registered with the DDNS Server (for example, host123.domain123.com or host123). The firewall does not validate the hostname except to confirm that the syntax uses valid characters allowed by DNS for a domain name.
Vendor
Select the DDNS vendor (and version) that provides DDNS service to this interface:
  • DuckDNS v1
  • DynDNS v1
  • FreeDNS Afraid.org Dynamic API v1
  • Free DNS Afraid.org v1
  • No-IP v1
If you select an older version of a DDNS service and the firewall indicates that it will be phased out by a certain date, select the newer version, instead.
The Name and Value fields that follow the vendor name are vendor-specific. The read-only fields notify you of parameters that the firewall uses to connect to the DDNS service. Configure the other fields, such as a password that the DDNS service provides to you and a timeout that the firewall uses if it doesn’t receive a response from the DDNS server.
IPv4 Tab
Add the IPv4 addresses configured on the interface and then select them. You can select only as many IPv4 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor).
IPv6 Tab
Add the IPv6 addresses configured on the interface and then select them. You can select only as many IPv6 addresses as the DDNS provider allows. All selected IP addresses are registered with the DDNS provider (Vendor).
Show Runtime Info
Displays the DDNS registration: DDNS provider, resolved FQDN, and the mapped IP address(es) with an asterisk (*) indicating the primary IP address. Each DDNS provider has its own return codes to indicate the status of the hostname update, and a return date, for troubleshooting purposes.