Interface Name

Comment

Enter an optional description for the interface.

Netflow Profile

If you want to export unidirectional IP traffic that traverses an ingress interface to a NetFlow server, select the server profile or click

Netflow Profile

to define a new profile (see Device > Server Profiles > NetFlow). Select

None

to remove the current NetFlow server assignment from the interface.

VLAN

Virtual Router

Assign a virtual router to the interface, or click

Virtual Router

to define a new one (see Network > Virtual Routers). Select

None

to remove the current virtual router assignment from the interface.

Virtual System

If the firewall supports multiple virtual systems and that capability is enabled, select a virtual system (vsys) for the interface or click

Virtual System

to define a new vsys.

Security Zone

Select a security zone for the interface, or click

Zone

to define a new zone. Select

None

to remove the current zone assignment from the interface.

Management Profile

MTU

Enter the maximum transmission unit (MTU) in bytes for packets sent on this interface (range is 576-9,192; default is 1,500). If machines on either side of the firewall perform Path MTU Discovery (PMTUD) and the interface receives a packet exceeding the MTU, the firewall returns an ICMP fragmentation needed message to the source indicating the packet is too large.

Adjust TCP MSS

Select to adjust the maximum segment size (MSS) to accommodate bytes for any headers within the interface MTU byte size. The MTU byte size minus the MSS Adjustment Size equals the MSS byte size, which varies by IP protocol:

Use these settings to address the case where a

tunnel

through the network requires a smaller MSS. If a packet has more bytes than the MSS without fragmentation, this setting enables the adjustment.

Encapsulation adds length to headers, so it helps to configure the MSS adjustment size to allow bytes for such things as an MPLS header or tunneled traffic that has a VLAN tag.

IP Address

MAC Address

Interface

IPv6 Address

MAC Address

Enable NDP Proxy

Address

Add

one or more IPv6 addresses, IP ranges, IPv6 subnets, or address objects for which the firewall will act as NDP Proxy. Ideally, one of these addresses is the same address as that of the source translation in NPTv6. The order of addresses does not matter.

If the address is a subnetwork, the firewall will send an ND response for all addresses in the subnet, so we recommend you also add the firewall’s IPv6 neighbors and then click

Negate

to instruct the firewall not to respond to these IP addresses.

Negate

Select

Negate

for an address to prevent NDP proxy for that address. You can negate a subset of the specified IP address range or IP subnet.

Type

IP

IPv4 address

Type

=

DHCP

Enable

Automatically create default route pointing to default gateway provided by server

Select to automatically create a default route that points to the default gateway that the DHCP server provides.

Default Route Metric

For the route between the firewall and DHCP server, optionally enter a route metric (priority level) to associate with the default route and to use for path selection (range is 1-65,535; there is no default). The priority level increases as the numeric value decreases.

Show DHCP Client Runtime Info

Select to display all settings received from the DHCP server, including DHCP lease status, dynamic IP address assignment, subnet mask, gateway, and server settings (DNS, NTP, domain, WINS, NIS, POP3, and SMTP).

For an IPv6 address

Enable IPv6 on the interface

Interface ID

Enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the

Use interface ID as host portion

option when adding an address, the firewall uses the interface ID as the host portion of that address.

Address

Enable Duplication Address Detection

DAD Attempts

Specify the number of DAD attempts within the neighbor solicitation interval (

NS Interval

) before the attempt to identify neighbors fails (range is 1-10; default is 1).

Reachable Time

Specify the length of time, in seconds, that a neighbor remains reachable after a successful query and response (range is 1-36,000; default is 30).

NS Interval (neighbor solicitation interval)

Specify the number of seconds for DAD attempts before failure is indicated (range is 1-10; default is 1).

Enable NDP Monitoring

Select to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP ( in Features column) and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address and User-ID (on a best-case basis).

Enable Router Advertisement

Min Interval (sec)

Specify the minimum interval, in seconds, between RAs that the firewall will send (range is 3-1,350; default is 200). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Max Interval (sec)

Specify the maximum interval, in seconds, between RAs that the firewall will send (range is 4-1,800; default is 600). The firewall will send RAs at random intervals between the minimum and maximum values you configure.

Hop Limit

Specify the hop limit to apply to clients for outgoing packets (range is 1-255; default is 64). Enter

0

for no hop limit.

Link MTU

Specify the link maximum transmission unit (MTU) to apply to clients. Select

unspecified

for no link MTU (range is 1280-9192; default is unspecified).

Reachable Time (ms)

Specify the reachable time, in milliseconds, that the client will use to assume a neighbor is reachable after receiving a reachability confirmation message. Select

unspecified

for no reachable time value (range is 0-3,600,000; default is unspecified).

Retrans Time (ms)

Specify the retransmission timer that determines how long the client will wait (in milliseconds) before retransmitting neighbor solicitation messages. Select

unspecified

for no retransmission time (range is 0-4,294,967,295; default is unspecified).

Router Lifetime (sec)

Specify how long, in seconds, the client will use the firewall as the default gateway (range is 0-9,000; default is 1,800). Zero specifies that the firewall is not the default gateway. When the lifetime expires, the client removes the firewall entry from its Default Router List and uses another router as the default gateway.

Router Preference

If the network segment has multiple IPv6 routers, the client uses this field to select a preferred router. Select whether the RA advertises the firewall router as having a

High

,

Medium

(default), or

Low

priority relative to other routers on the segment.

Managed Configuration

Select to indicate to the client that addresses are available via DHCPv6.

Other Configuration

Select to indicate to the client that other address information (for example, DNS-related settings) is available via DHCPv6.

Consistency Check

Include DNS information in Router Advertisement

Server

Add

one or more recursive DNS (RDNS) server addresses for the firewall to send in NDP router advertisements from this IPv6 VLAN interface. RDNS servers send a series of DNS lookup requests to root DNS servers and authoritative DNS servers to ultimately provide an IP address to the DNS client.

You can configure a maximum of eight RDNS servers that the firewall sends— in the order listed from top to bottom—in an NDP router advertisement to the recipient, which then uses them in the same order. Select a server and

Move Up

or

Move Down

to change the order of the servers or

Delete

a server from the list when you no longer need it.

Lifetime

Enter the maximum number of seconds after the IPv6 DNS client receives the router advertisement that it can use the RDNS servers to resolve domain names (range is the value of Max Interval (sec) to twice the Max Interval; default is 1,200).

Suffix

Add

and configure one or more domain names (suffixes) for the DNS search list (DNSSL). The maximum suffix length is 255 bytes.

A DNS search list is a list of domain suffixes that a DNS client router appends (one at a time) to an unqualified domain name before it enters the name into a DNS query, thereby using a fully qualified domain name in the DNS query. For example, if a DNS client tries to submit a DNS query for the name “quality” without a suffix, the router appends a period and the first DNS suffix from the DNS search list to the name and then transmits the DNS query. If the first DNS suffix on the list is “company.com”, the resulting DNS query from the router is for the fully qualified domain name “quality.company.com”.

If the DNS query fails, the router appends the second DNS suffix from the list to the unqualified name and transmits a new DNS query. The router tries DNS suffixes until a DNS lookup is successful (ignores the remaining suffixes) or until the router has tried all of suffixes on the list.

Configure the firewall with the suffixes that you want to provide to the DNS client router in a Neighbor Discovery DNSSL option; the DNS client receiving the DNSSL option uses the suffixes in its unqualified DNS queries.

You can configure a maximum of eight domain names (suffixes) for a DNS search list that the firewall sends—in order listed from top to bottom—in an NDP router advertisement to the recipient, which uses those addresses in the same order. Select a suffix and

Move Up

or

Move Down

to change the order of the suffixes or

Delete

a suffix from the list when you no longer need it.