Configure an External Interface

An external interface is used to connect your Firebox or XTM device to a network outside your organization. Often, an external interface is the method by which you connect your device to the Internet.

When you configure an external interface, you must choose the method your Internet service provider (ISP) uses to give you an IPv4 address for your device. If you do not know the method, get this information from your ISP or network administrator. In addition to the IPv4 address, you can optionally configure an IPv6 address.

For information about methods used to set and distribute IP addresses, see Static and Dynamic IP Addresses.

For information about 31-bit and 32-bit subnet masks, see Use a 31-bit or 32-bit Subnet Mask.

For information about IPv6 configuration, see Enable IPv6 for an External Interface.

For information about how to configure a Firebox T10-D to connect to a DSL line, see About DSL on the Firebox T10-D.

Use a Static IPv4 Address

If your device has a static IP address, you configure a static IP address and default gateway. In most cases, the default gateway is on the same subnet as the IP address.

In Fireware XTM v11.9.1 or higher, you can configure a physical external interface with a default gateway on a different subnet than the interface IP address.

In Fireware XTM Web UI:

  1. Select Network > Interfaces.
    The Network Interfaces page appears.
  2. Select an external interface. Click Edit.
  3. From the Configuration Mode drop-down list, select Static IP.
  4. In the IP address text box, type the IP address of the interface.
  5. In the Gateway text box, type the IP address of the default gateway.

Screen shot of the Interface Configuration - External page with a static IP address

  6. Click Save.
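
The gateway rule for static addressing described above can be checked before the values are typed into the Web UI. This is an added example, not WatchGuard code: the function name, the `allow_off_subnet` flag (standing in for Fireware XTM v11.9.1 or higher) and the sample addresses are assumptions, and it also covers the 31-bit and 32-bit masks mentioned earlier.

```python
import ipaddress


def check_static_external(interface_cidr, gateway, allow_off_subnet=False):
    """Return a list of problems with a static external interface setting.

    allow_off_subnet models the note that Fireware XTM v11.9.1 or higher
    accepts a default gateway outside the interface subnet (assumed flag).
    """
    iface = ipaddress.ip_interface(interface_cidr)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    if gw.version != iface.version:
        return ["gateway and interface are different IP versions"]

    problems = []
    if gw == iface.ip:
        problems.append("gateway is the interface's own address")

    # /31 (RFC 3021) and /32 networks reserve no network or broadcast
    # address, so those checks apply only to shorter prefixes.
    has_reserved = net.prefixlen < net.max_prefixlen - 1
    reserved = (net.network_address, net.broadcast_address)
    if has_reserved and iface.ip in reserved:
        problems.append("interface address is the network or broadcast address")

    if gw in net:
        if has_reserved and gw in reserved:
            problems.append("gateway is the network or broadcast address")
    elif not allow_off_subnet:
        problems.append(f"gateway {gw} is outside {net}")
    return problems


# Constructed samples using documentation address ranges.
SAMPLES = [
    ("203.0.113.10/24", "203.0.113.1", False),
    ("203.0.113.10/24", "198.51.100.1", False),
    ("203.0.113.10/24", "198.51.100.1", True),
    ("203.0.113.0/31", "203.0.113.1", False),
    ("203.0.113.10/32", "198.51.100.1", True),
    ("203.0.113.10/24", "203.0.113.255", False),
]

if __name__ == "__main__":
    for cidr, gw, off in SAMPLES:
        print(cidr, gw, off, check_static_external(cidr, gw, off) or "ok")
```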

Use PPPoE Authentication to Get an IPv4 Address

If your ISP uses PPPoE, you must configure PPPoE authentication before your device can send traffic through the external interface. Fireware XTM supports the PAP, EAP, CHAP, MS-CHAP and MS-CHAPv2 PPPoE authentication methods.

  1. Select Network > Interfaces.
    The Network Interfaces page appears.
  2. Select an external interface. Click Configure.
  3. From the Configuration Mode drop-down list, select PPPoE.
  4. Select an option:
  5. If you selected Use this IP Address, in the adjacent text box, type the IP address.
  6. Type the User Name and Password. Type the password again.
    ISPs use the email address format for user names, such as [email protected]

Screen shot of the Interface Configuration - External page, PPPoE Settings section

  7. To configure additional PPPoE options, click Advanced.
    Your ISP can tell you if you must change the timeout or LCP values.

Screen shot of the PPPoE Advanced Settings page

  8. Select when the device connects to the PPPoE server:
  9. If your ISP requires the Host-Uniq tag for PPPoE discovery packets, select the Use Host-Uniq tag in PPPoE discovery packets check box.
  10. To use LCP echo requests to detect lost PPPoE connections, select the Use LCP echo requests to detect lost PPPoE connections check box.
    This is enabled by default.
  11. In the LCP echo failure in text box, type or select the number of failed LCP echo requests allowed before the PPPoE connection is considered inactive and closed.
  12. In the LCP echo timeout in text box, type or select the length of time, in seconds, within which the response to each echo request must be received.
  13. To configure the Firebox or XTM device to automatically restart the PPPoE connection on a daily or weekly basis, select the Schedule time for auto restart check box.
  14. From the Schedule time for auto restart drop-down list, select Daily to restart the connection at the same time each day, or select a day of the week to restart weekly. Select the hour and minute of the day (in 24 hour time format) to automatically restart the PPPoE connection.
  15. In the Service Name text box, type a PPPoE service name.
    This is either an ISP name or a class of service that is configured on the PPPoE server. Usually, this option is not used. Select it only if there is more than one access concentrator, or you know that you must use a specified service name.
  16. In the Access Concentrator Name text box, type the name of a PPPoE access concentrator, also known as a PPPoE server. Usually, this option is not used. Select it only if you know there is more than one access concentrator.
  17. In the Authentication retries text box, type or select the number of times that the Firebox or XTM device can try to make a connection.
    The default value is three (3) connection attempts.
  18. In the Authentication timeout text box, type a value for the amount of time between connection attempt retries.
    The default value is 20 seconds between each connection attempt.
  19. If you configure the PPPoE settings to use a static IP address, you can select one of three options for PPPoE IP address negotiation:
  20. To configure the Firebox or XTM device to negotiate DNS with the PPPoE server, select the Negotiate DNS with PPPoE Server check box. This is enabled by default. Clear this check box if you do not want the device to negotiate DNS.
  21. Click OK.

Use DHCP to Get an IPv4 IP Address

  1. From the Configuration Mode drop-down list, select DHCP.
  2. If your ISP or external DHCP server requires a client identifier, such as a MAC address, in the Client text box, type this information.
  3. To specify a host name for identification, in the Host Name text box, type the host name.

Screen shot of the External interface configuration, DHCP options

  4. To manually assign an IP address to the external interface, in the Use this IP address text box, type the IP address.
    To configure the external interface to obtain an IP address automatically, clear the Use this IP address text box.
  5. To change the lease time, select the Lease Time check box and specify the value in the adjacent text box and drop-down list.
    IP addresses assigned by a DHCP server have an eight hour lease by default; each address is valid for eight hours.

You can optionally enable the DHCP Force Renew option. This feature enables the Firebox or XTM device to handle a FORCERENEW message from your ISP or DHCP provider. The DHCP server sends a FORCERENEW message to request that the DHCP client renew the leased IP address sooner than it ordinarily would, based on the configured lease time. If your ISP or DHCP provider requests that you enable this option, they might also specify a shared key. The shared key is optional, but recommended. If you specify a shared key, it must match the shared key in the FORCERENEW message. If you do not specify a shared key, the Firebox or XTM device responds to any FORCERENEW message, whether a shared key is present or not.

The DHCP Force Renew option is supported in Fireware XTM v11.8.1 and higher.

To enable the Firebox or XTM device to manage a DHCP FORCERENEW request:

  1. Select the DHCP Force Renew check box.
  2. (Optional) In the Shared Key text box, type the shared key.
    The shared key is encrypted and stored in the configuration file.
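
Because a device with no shared key responds to any FORCERENEW message, it helps to know whether the FORCERENEW traffic reaching the external interface carries authentication data at all. The following added example (not WatchGuard code) parses a raw DHCP payload and labels it; it assumes the key material travels in the RFC 3118 authentication option (option 90), which this page does not state, and it reports only whether that option is present, not whether the key is valid. All names and sample payloads are constructed.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the DHCP options field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53                   # DHCP message type
OPT_AUTH = 90                       # authentication option (RFC 3118)
DHCPFORCERENEW = 9                  # message type from RFC 3203


def parse_options(payload):
    """Return {option code: value bytes} from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.setdefault(code, value)  # keep the first instance of an option
        i += 2 + length
    return opts


def classify(payload):
    """Label a DHCP payload for review of FORCERENEW traffic."""
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPFORCERENEW]):
        return "other"
    # Presence only: checking the key itself needs the configured secret.
    return "forcerenew-with-auth" if OPT_AUTH in opts else "forcerenew-no-auth"


def sample(msg_type, auth=b""):
    """Build a constructed test payload (zeroed header, options only)."""
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if auth:
        opts += bytes([OPT_AUTH, len(auth)]) + auth
    return bytes([2, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    for p in (sample(5), sample(9), sample(9, bytes(27))):
        print(classify(p))
```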

About DNS Servers

Your Firebox or XTM device must use a DNS server to resolve host names to IP addresses. If you configure the external interface to use a static IP address, you must also specify the IP address of at least one DNS server so that your device can resolve DNS queries.

For information about how to specify a DNS server, see Add WINS and DNS Server Addresses.

If you configure the external interface to use PPPoE or DHCP to get a dynamic IP address, your device automatically receives a DNS server IP address when it receives the interface IP address.

You can see the DNS servers your device uses on the Dashboard > Interfaces page. For more information, see Interfaces.

See Also

Common Interface Settings

About Advanced Interface Settings
