SunScreen 3.1 Reference Manual

Routing, Stealth, HA, and Administration Interfaces

Network interfaces on a Screen may be configured as routing, stealth, HA, or administration interfaces; or you can disable them.

A disabled interface does not filter any traffic. On a Screen in stealth mode, a disabled interface passes no traffic. On a Screen in routing mode, traffic between disabled interfaces is not filtered, but traffic that leaves the Screen through an "active" interface (an interface that has not been disabled) is filtered. Each active interface also specifies what to do with packets that arrive on it and match no packet-filtering rule. The fields are LOG, ICMP, and SNMP. If none of these fields is set, no action is taken.

The values for LOG are NONE (which is the same as not present), SUMMARY, and DETAIL.

The values for ICMP are NONE (which is the same as not present), NET_UNREACHABLE, HOST_UNREACHABLE, PORT_UNREACHABLE, NET_FORBIDDEN, and HOST_FORBIDDEN.

If SNMP is present, an SNMP packet is sent; if it is not present, no SNMP packet is sent.

You can, as an option, associate any interface with a specific screen object. In this case, the interface definition is used only by the screen object with which it is associated. If the Screen is part of a centrally managed group of Screens, this association is necessary to distinguish which interface definition belongs to which Screen.

You can include an optional description for any interface in the COMMENT field. The comment cannot be longer than 256 characters.

Routing Interfaces

Routing interfaces have an IP address and route packets using the standard IP routing mechanisms in the operating system. Each routing interface is connected to a different IP network just like a standard IP router. In terms of network placement, a Screen with routing interfaces replaces a router. A routing interface can receive remote Administration Station traffic.

Connections to and from proxies can only occur over routing interfaces. Thus, to run proxies or if you want to install additional network services on the Screen, you must configure the Screen with routing interfaces.

In summary, use routing interfaces to replace an existing router, to control packet flow between different IP networks, or if you want to install proxies or other network services on the Screen.

Stealth Interfaces

Stealth interfaces have no IP address. All stealth interfaces on a Screen are part of the same IP network. Thus, a Screen with stealth interfaces partitions one IP network and controls packet flow between those partitions.

Although it operates much like an IP bridge or switch, the Screen with stealth interfaces does not implement the bridging algorithms that detect loops. Make sure no loops exist in your network configuration where a packet could be sent out from one stealth interface and be received on another.

Stealth interfaces also provide a higher degree of security than routing interfaces because they are separate from the standard IP mechanisms used by the operating system. Packets flowing through stealth interfaces therefore cannot inadvertently leak into other network applications running on the system, which would compromise the security of the firewall.

A stealth interface can define a set of five routers by IP address, using the ROUTER #.#.#.# keyword.

In summary, use stealth interfaces when you want to partition an existing IP network and control packet flow between those partitions without having to modify the configuration of your existing network.

Administration Interfaces

Because stealth interfaces have no IP address, they cannot provide the IP address needed for administration traffic. You must, therefore, configure a Screen that has only stealth interfaces with an additional administration interface. This interface is a special case of a routing interface, configured to pass only administration traffic for the Screen.

An administration interface is not required for a Screen with routing interfaces.

Mixing Routing and Stealth Interfaces on a Single Screen

You can configure a Screen with a mixture of routing and stealth interfaces subject to the following restrictions:

  1. Packets do not flow between the routing and stealth interfaces. You can model a Screen with a mixture of routing and stealth interfaces as though it were two completely separate Screens: one configured with the stealth interfaces and the other configured with the routing interfaces. Packets received on a stealth interface are only sent out on another stealth interface. Packets received on a routing interface are only sent out on another routing interface.

  2. Any packet affected by NAT or encryption rules must only pass through the Screen once.

HA Interface

If the Screen is part of an HA cluster, it must have a single HA interface. You administer the HA cluster over this interface.
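The following Python model ties together the rules stated on this page: the no-match actions of an active interface (LOG, ICMP, SNMP), the placement rules for routing, stealth, administration and HA interfaces, the ROUTER list of a stealth interface, and the fate of a packet crossing a Screen that mixes routing and stealth interfaces or carries a disabled interface. It is an added example, not SunScreen's own code, configuration syntax or tooling: the class, field and function names are this example's own, and the sample interface list at the bottom is constructed for the demonstration. Two points the page leaves open are handled as labelled assumptions: a Screen with any routing interface is treated as being in routing mode for the disabled-interface rule, and transit traffic through an administration or HA interface is dropped, since those interfaces carry only the Screen's own traffic.

```python
"""Model of the SunScreen 3.1 interface rules described on this page.

Added example, not SunScreen's own code or configuration syntax; all
names here are this example's own.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple
import ipaddress


class Kind(Enum):
    ROUTING = "routing"
    STEALTH = "stealth"
    ADMIN = "admin"        # special case of routing: passes only admin traffic
    HA = "ha"
    DISABLED = "disabled"


LOG_VALUES = {"NONE", "SUMMARY", "DETAIL"}
ICMP_VALUES = {"NONE", "NET_UNREACHABLE", "HOST_UNREACHABLE",
               "PORT_UNREACHABLE", "NET_FORBIDDEN", "HOST_FORBIDDEN"}


@dataclass
class Interface:
    name: str
    kind: Kind
    address: Optional[str] = None      # "addr/prefix"; stealth interfaces have none
    log: str = "NONE"
    icmp: str = "NONE"
    snmp: bool = False
    comment: str = ""
    routers: Tuple[str, ...] = ()      # ROUTER #.#.#.# entries (stealth only)


def no_match_action(iface: Interface):
    """Actions taken for a packet that arrives on `iface` and matches no
    rule. Unset fields (NONE / False) produce no action at all."""
    actions = []
    if iface.log != "NONE":
        actions.append(("LOG", iface.log))
    if iface.icmp != "NONE":
        actions.append(("ICMP", iface.icmp))
    if iface.snmp:
        actions.append(("SNMP",))
    return actions


def check_screen(ifaces, ha_cluster=False):
    """Return the placement rules from this page that `ifaces` violates."""
    errors = []
    routing = [i for i in ifaces if i.kind is Kind.ROUTING]
    stealth = [i for i in ifaces if i.kind is Kind.STEALTH]
    for i in ifaces:
        if i.log not in LOG_VALUES or i.icmp not in ICMP_VALUES:
            errors.append(f"{i.name}: bad LOG or ICMP value")
        if len(i.comment) > 256:
            errors.append(f"{i.name}: COMMENT longer than 256 characters")
        if i.kind is Kind.STEALTH and i.address is not None:
            errors.append(f"{i.name}: stealth interfaces have no IP address")
        if i.kind in (Kind.ROUTING, Kind.ADMIN, Kind.HA) and i.address is None:
            errors.append(f"{i.name}: {i.kind.value} interface needs an IP address")
        if i.routers and (i.kind is not Kind.STEALTH or len(i.routers) > 5):
            errors.append(f"{i.name}: ROUTER list is for stealth interfaces, at most five")
    # Each routing interface sits on a different IP network, like a router.
    nets = {}
    for i in routing:
        if i.address is None:
            continue
        net = ipaddress.ip_interface(i.address).network
        if net in nets:
            errors.append(f"{i.name} and {nets[net]} share network {net}")
        nets[net] = i.name
    # A Screen with only stealth interfaces needs an administration interface.
    if stealth and not routing and not any(i.kind is Kind.ADMIN for i in ifaces):
        errors.append("stealth-only Screen needs an administration interface")
    if ha_cluster and sum(i.kind is Kind.HA for i in ifaces) != 1:
        errors.append("HA cluster member needs exactly one HA interface")
    return errors


def transit(ifaces, ingress: str, egress: str) -> str:
    """Fate of a packet received on `ingress` that would leave via `egress`:
    'filtered' (goes through the rule base), 'unfiltered' or 'dropped'.
    Assumption (not stated on the page): a Screen with any routing interface
    is in routing mode; transit via admin/HA interfaces is dropped."""
    by_name = {i.name: i for i in ifaces}
    a, b = by_name[ingress], by_name[egress]
    stealth_mode = not any(i.kind is Kind.ROUTING for i in ifaces)
    if Kind.DISABLED in (a.kind, b.kind):
        if stealth_mode:
            return "dropped"        # a disabled interface passes nothing
        if a.kind is b.kind:
            return "unfiltered"     # traffic between disabled interfaces
        return "filtered"           # leaves via an active interface
    if Kind.ADMIN in (a.kind, b.kind) or Kind.HA in (a.kind, b.kind):
        return "dropped"            # assumption: only the Screen's own traffic
    if (a.kind is Kind.STEALTH) != (b.kind is Kind.STEALTH):
        return "dropped"            # no flow between routing and stealth halves
    return "filtered"


# Constructed sample: a mixed Screen with two routing and two stealth
# interfaces plus one disabled interface.
SAMPLE = [
    Interface("hme0", Kind.ROUTING, "192.0.2.1/24", log="SUMMARY", icmp="HOST_FORBIDDEN"),
    Interface("hme1", Kind.ROUTING, "198.51.100.1/24"),
    Interface("qfe0", Kind.STEALTH, log="DETAIL", snmp=True, routers=("203.0.113.1",)),
    Interface("qfe1", Kind.STEALTH),
    Interface("qfe2", Kind.DISABLED),
]

if __name__ == "__main__":
    print(check_screen(SAMPLE))
    for src, dst in (("hme0", "hme1"), ("qfe0", "qfe1"), ("qfe0", "hme0"), ("qfe2", "hme0")):
        print(src, "->", dst, transit(SAMPLE, src, dst))
    print(no_match_action(SAMPLE[2]))
```

Run it against a proposed interface layout before committing the configuration: an empty list from check_screen means the layout satisfies the rules above, and transit shows which interface pairs the rule base will ever see traffic between, which is the set a policy review should be limited to.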