Configure Firebox VLANs

Applies To: Cloud-managed Fireboxes This topic applies to Fireboxes you configure in WatchGuard Cloud.

For a cloud-managed Firebox, you can configure any network as a virtual local area network (VLAN). To configure a VLAN, you must enable the VLAN option for an existing external, internal, or guest network.

VLANs can include:

• One or more tagged interfaces
• One or more untagged interfaces
• Both tagged and untagged interfaces
• Interfaces that are members of VLANs on both internal and external networks

VLANs have these restrictions:

• Interfaces that are members of multiple tagged VLANs can be members of only one untagged VLAN.
• VLANS cannot include bridged or standalone interfaces.

VLANs and Traffic Inspection

Intra-VLAN traffic is traffic from a VLAN that is destined for the same VLAN. Intra-VLAN inspection is enabled by default on external interfaces. The Firebox applies policies to traffic that passes through the firewall between hosts that are on the same VLAN. The VLAN traffic must go through the Firebox for firewall policies to apply.

For example, you can bridge a VLAN between interfaces and create policies that apply to traffic between the interfaces. The Firebox inspects traffic that travels from one interface on the VLAN to another interface on the same VLAN. This is also known as a bridged WAN configuration.

To deploy settings that support a bridged WAN configuration, your device must run Fireware v12.8 or higher. If your device runs a lower firmware version, before you can deploy these changes you must do one of the following: Upgrade the device firmware or change any external VLAN so it is tagged, appears only on one interface, and is the only network on that interface.

Firewall policies do not apply to intra-VLAN traffic for internal VLAN interfaces.

You cannot configure intra-VLAN traffic settings in WatchGuard Cloud.

Enable a VLAN

In the network settings, you can enable the VLAN option and specify the VLAN ID. For each interface associated with the network you can also specify whether VLAN traffic on the interface is tagged or untagged.

To configure a network as a VLAN, from WatchGuard Cloud:

1. Select Configure > Devices.
2. Select the cloud-managed Firebox.
3. Click Device Configuration.
4. Click the Networks tile.
   The Networks configuration page opens.
5. Click the tile of the network to edit.
   The network configuration page opens.

6. Select the Enable VLAN check box.
   A confirmation message appears.

Confirmation message for an internal network

Confirmation message for an external network

7. To confirm the change, click Enable VLAN.
   For an internal network, all interfaces associated with the network change to untagged VLAN interfaces. For an external network, all interfaces associated with the network change to tagged VLAN interfaces.
8. In the VLAN ID text box, type the VLAN ID for this network.
9. Configure interface settings for the VLAN as described in the next section.
10. To save configuration changes to the cloud, click Save.

Configure Interface Settings for a VLAN

After you enable the VLAN option for a network, interfaces associated with the network are automatically configured as follows:

• Internal networks — Interfaces associated with the network are automatically configured as untagged.
• External networks — Interfaces associated with the network are automatically configured as tagged.

For each interface associated with the network, you can change the tagging option to Tagged VLAN or Untagged VLAN. For each available interface that is not associated with the network, you can select a tagging option, which associates the interface with the network.

The interface icon color indicates interface status in relation to this network:

	Interface is associated with another network
	Interface is associated with this network
	Interface is available to associate with this network

To configure the VLAN settings for an interface, from WatchGuard Cloud:

1. Edit the VLAN network.
2. To see VLANs associated with an interface, in the interface tile, point to View Networks.

3. To change the interface setting, from the interface options () menu, select:

• Untagged VLAN — Interface handles untagged VLAN traffic
• Tagged VLAN — Interface handles tagged VLAN traffic
• No Traffic — Interface is not associated with this network

The options menu shows only options you can select, and does not include the currently configured option.

4. To save configuration changes to the cloud, click Save.

Configure Multiple VLANs on the Same Interface

Each interface can handle traffic for multiple VLANs. After you configure a network to send VLAN traffic to one interface, you can also configure other networks to send VLAN traffic to the same interface. Only one network can send untagged VLAN traffic to each interface.

To configure an interface to handle traffic for multiple VLANs:

1. Enable the VLAN option in each network and assign unique VLAN IDs.
2. In each network, configure the interface to handle tagged or untagged VLAN traffic.

After you configure a VLAN to send untagged VLAN traffic to an interface, the Untagged VLAN option is not available for that interface in other VLANs.

After you configure an interface to handle tagged VLAN traffic for multiple networks, View Networks shows the Networks and VLAN IDs for tagged VLAN traffic for each VLAN on that interface.

After you configure an interface to handle both tagged and untagged VLAN traffic, View Networks shows the networks and VLAN IDs for tagged VLAN traffic, and the network name for untagged VLAN traffic.

Related Topics

About Firebox Networking Settings

Configure a Firebox External Network

Configure a Firebox Internal or Guest Network