In the Priority field, enter a number ranging from 0–65535.
This value is used in the policy-based routing configuration. The priority determines how you want to route the traffic across multiple egress interfaces. For more information, see Configure Policy-Based Routing Policy.
Step 11
Click the IPv4 tab. To set the IP address, use one of the following options from the IP Type drop-down list.
Note
High Availability, clustering, and loopback interfaces only support static IP address configuration; DHCP and PPPoE are not supported.
Use Static IP—Enter the IP address and subnet mask. For point-to-point connections, you can specify a 31-bit subnet mask (255.255.255.254 or /31). In this case, no IP addresses are reserved for the network or broadcast addresses, and you cannot set the standby IP address. For High Availability, you can only use a static IP address. Set the standby IP address on the Devices > Device Management page: click High Availability, then use the Monitored Interfaces area. If you do not set the standby IP address, the active unit cannot monitor the standby interface using network tests; it can only track the link state.
Use DHCP—Configure the following optional parameters:
Obtain default route using DHCP—Obtains the default route from the DHCP server.
DHCP route metric—Assigns an administrative distance to the learned route, between 1 and 255. The default administrative distance for the learned routes is 1.
Use PPPoE—If the interface is connected to a DSL, cable modem, or other connection to your ISP, and your ISP uses PPPoE to provide your IP address, configure the following parameters:
VPDN Group Name—Specify a group name of your choice to represent this connection.
PPPoE User Name—Specify the username provided by your ISP.
PPPoE Password/Confirm Password—Specify and confirm the password provided by your ISP.
PPP Authentication—Choose PAP, CHAP, or MSCHAP.
PAP passes a cleartext username and password during authentication and is not secure. With CHAP, the client returns the encrypted [challenge plus password], with a cleartext username in response to the server challenge. CHAP is more secure than PAP, but it does not encrypt data. MSCHAP is similar to CHAP but is more secure because the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. MSCHAP also generates a key for data encryption by MPPE.
PPPoE route metric—Assigns an administrative distance to the learned route. Valid values are from 1 to 255. By default, the administrative distance for the learned routes is 1.
Enable Route Settings—To manually configure the PPPoE IP address, check this box and then enter the IP Address.
If you select the Enable Route Settings check box and leave the IP Address blank, the ip address pppoe setroute command is applied as shown in this example:
interface GigabitEthernet0/2
nameif inside2_pppoe
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
pppoe client vpdn group test
pppoe client route distance 10
ip address pppoe setroute
Store Username and Password in Flash—Stores the username and password in flash memory. The Firewall Threat Defense device stores the username and password in a special location of NVRAM.
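The PPP Authentication choices above differ in what actually crosses the PPPoE link. The following is an added example, not code from the Cisco documentation or the device: it builds a PAP Authenticate-Request (RFC 1334) and a CHAP Response (RFC 1994, MD5) and verifies the CHAP response on the server side; the username, password, and challenge bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration only (not from the documentation).
USERNAME = b"isp-user"
PASSWORD = b"s3cret-pw"
CHALLENGE = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f9")  # 16 constructed bytes


def pap_authenticate_request(identifier: int, username: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334): Code 1, then Peer-ID and Password.
    Both fields are carried in cleartext, so anyone on the path reads the password."""
    payload = bytes([len(username)]) + username + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(payload)) + payload


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Value = MD5(Identifier || Secret || Challenge).
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response_packet(identifier: int, name: bytes, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response (Code 2): Value-Size, Value, then the cleartext Name."""
    value = chap_response_value(identifier, secret, challenge)
    payload = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(payload)) + payload


def chap_server_verify(packet: bytes, secret: bytes, challenge: bytes) -> bool:
    """Server side: recompute the value from the stored secret and the challenge it
    issued, then compare in constant time. A response replayed against a fresh
    challenge, or computed with the wrong secret, fails verification."""
    if len(packet) < 5:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        return False
    value_size = packet[4]
    value = packet[5:5 + value_size]
    if len(value) != value_size:
        return False
    expected = chap_response_value(identifier, secret, challenge)
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    pap = pap_authenticate_request(7, USERNAME, PASSWORD)
    chap = chap_response_packet(7, USERNAME, PASSWORD, CHALLENGE)
    print("PAP request contains the cleartext password:", PASSWORD in pap)  # True
    print("CHAP response contains the password:", PASSWORD in chap)  # False
    print("Server accepts the CHAP response:", chap_server_verify(chap, PASSWORD, CHALLENGE))  # True
```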
(Optional) Set the duplex and speed by clicking Hardware Configuration > Speed.
Duplex—Choose Full or Half. SFP interfaces only support Full duplex.
Speed—Choose a speed (varies depending on the model). (Secure Firewall 3100/4200 only) Choose Detect SFP to detect the speed of the installed SFP module and use the appropriate speed. Duplex is always Full, and auto-negotiation is always enabled. This option is useful if you later change the network module to a different model and want the speed to update automatically. For Secure Firewall 1250, you can configure a maximum interface speed of 2.5 Gbps.
Note
You cannot modify the speed of a HA or a Cluster Control Link interface.
Auto-negotiation—Set the interface to negotiate the speed, link status, and flow control.
Note
If a peer switch connecting to the port over a 50G cable does not support auto-negotiation, be sure to disable auto-negotiation on both the switch and the Threat Defense interface. For example, N9K-C93400LD-H1 does not support auto-negotiation on a 50G cable, so you must disable the default auto-negotiation on the platform and the switch for the port to come up.
Forward Error Correction Mode—(Secure Firewall 3100/4200 only) For 25 Gbps and higher interfaces, enable Forward Error Correction (FEC). For an EtherChannel member interface, you must configure FEC before you add it to the EtherChannel. The setting chosen when you use Auto depends on the transceiver type and whether the interface is fixed (built-in) or on a network module.
Default FEC for Auto Setting

Transceiver Type | Fixed Port Default FEC (Ethernet 1/9 through 1/16) | Network Module Default FEC
-----------------|----------------------------------------------------|---------------------------
25G-SR           | Clause 74 FC-FEC                                   | Clause 108 RS-FEC
25G-LR           | Clause 74 FC-FEC                                   | Clause 108 RS-FEC
10/25G-CSR       | Clause 74 FC-FEC                                   | Clause 74 FC-FEC
25G-AOCxM        | Clause 74 FC-FEC                                   | Clause 74 FC-FEC
25G-CU2.5/3M     | Auto-Negotiate                                     | Auto-Negotiate
25G-CU4/5M       | Auto-Negotiate                                     | Auto-Negotiate
25/50/100G       | Clause 91 RS-FEC                                   | Clause 91 RS-FEC
Step 15
(Optional) Enable Firewall Management Center manager access on a data interface on the Manager Access page.
You can enable manager access from a data interface when you first set up the Firewall Threat Defense. If you want to enable or disable manager access after you added the Firewall Threat Defense to the Firewall Management Center, see:
You cannot enable manager access unless you first initiate the manager interface migration from Management to a data interface. After you initiate the migration, you can enable manager access on the Manager Access page and save the configuration successfully.
If you want to change the manager access interface from one data interface to another data interface, you must disable manager access on the original data interface, but do not disable the interface itself yet; the original data interface must be used to perform the deployment. If you want to use the same IP address on the new manager access interface, you can delete or change the IP configuration on the original interface; this change should not affect the deployment. If you use a different IP address for the new interface, then also change the device IP address shown in the Firewall Management Center; see Update the Hostname or IP Address in the Firewall Management Center. Be sure to also update related configuration to use the new interface, such as static routes, DDNS, and DNS settings.
Manager access from a data interface has the following limitations:
You can only enable manager access on a physical, data interface. You cannot use a subinterface or EtherChannel, nor can you create a subinterface on the manager access interface. You can also use the Firewall Management Center to enable manager access on a single secondary interface for redundancy.
This interface cannot be management-only.
Routed firewall mode only, using a routed interface.
PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support between the Firewall Threat Defense and the WAN modem.
The interface must be in the global VRF only.
SSH is not enabled by default for data interfaces, so you will have to enable SSH later using the Firewall Management Center. Because the Management interface gateway will be changed to be the data interfaces, you also cannot SSH to the Management interface from a remote network unless you add a static route for the Management interface using the configure network static-routes command.
For Firewall Threat Defense Virtual on Amazon Web Services, a console port is not available, so you should maintain your SSH access to the Management interface: add a static route for Management before you continue with your configuration. Alternatively, be sure to finish all CLI configuration (including the configure manager add command) before you configure the data interface for manager access and you are disconnected.
Clustering is not supported. You must use the Management interface in this case.
Manager Access
Check Enable management on this interface for the manager to use this data interface for management instead of the dedicated Management interface.
(Optional) In the Allowed Management Networks box, add the networks from which you want to allow manager access. By default, any networks are allowed.
Step 16
Click OK.
Step 17
Click Save.
You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.