Configure an External Interface
An external interface is used to connect your Firebox or XTM device to a network outside your organization. Often, an external interface is the method by which you connect your device to the Internet.
When you configure an external interface, you must choose the method your Internet service provider (ISP) uses to give you an IPv4 address for your device. If you do not know the method, get this information from your ISP or network administrator. In addition to the IPv4 address, you can optionally configure an IPv6 address.
For information about methods used to set and distribute IP addresses, see Static and Dynamic IP Addresses.
For information about 31-bit and 32-bit subnet masks, see Use a 31-bit or 32-bit Subnet Mask.
For information about IPv6 configuration, see Enable IPv6 for an External Interface.
For information about how to configure a Firebox T10-D to connect to a DSL line, see About DSL on the Firebox T10-D.
Use a Static IPv4 Address
If your device has a static IP address, you configure a static IP address and default gateway. In most cases, the default gateway is on the same subnet as the IP address.
In Fireware XTM v11.9.1 or higher, you can configure a physical external interface with a default gateway on a different subnet than the interface IP address.
In Fireware XTM Web UI:
- Select Network > Interfaces.
The Network Interfaces page appears.
- Select an external interface. Click Edit.
- From the Configuration Mode drop-down list, select Static IP.
- In the IP address text box, type the IP address of the interface.
- In the Gateway text box, type the IP address of the default gateway.
- Click Save.
Use PPPoE Authentication to Get an IPv4 Address
If your ISP uses PPPoE, you must configure PPPoE authentication before your device can send traffic through the external interface. Fireware XTM supports the PAP, EAP, CHAP, MS-CHAP and MS-CHAPv2 PPPoE authentication methods.
- Select Network > Interfaces.
The Network Interfaces page appears.
- Select an external interface. Click Configure.
- From the Configuration Mode drop-down list, select PPPoE.
- Select an option:
- Obtain an IP address automatically
- Use this IP address (supplied by your Internet Service Provider)
- If you selected Use this IP Address, in the adjacent text box, type the IP address.
- Type the User Name and Password. Type the password again.
ISPs use the email address format for user names, such as [email protected]
- To configure additional PPPoE options, click Advanced.
Your ISP can tell you if you must change the timeout or LCP values.
- Select when the device connects to the PPPoE server:
- Always-on — The Firebox or XTM device keeps a constant PPPoE connection. It is not necessary for network traffic to go through the external interface.
If you select this option, type or select a value in the PPPoE initialization retry every text box to set the number of seconds that PPPoE tries to initialize before it times out.
- Dial-on-demand — The Firebox or XTM device connects to the PPPoE server only when it gets a request to send traffic to an IP address on the external interface.
If your ISP regularly resets the connection, select this option.
If you select this option, in the Idle timeout in text box, set the length of time a client can stay connected when no traffic is sent.
If you do not select this option, you must manually restart the device each time the connection resets.
- If your ISP requires the Host-Uniq tag for PPPoE discovery packets, select the Use Host-Uniq tag in PPPoE discovery packets check box.
- To use LCP echo requests to detect lost PPPoE connections, select the Use LCP echo requests to detect lost PPPoE connections check box.
This is enabled by default.
- In the LCP echo failure in text box, type or select the number of failed LCP echo requests allowed before the PPPoE connection is considered inactive and closed.
- In the LCP echo timeout in text box, type or select the length of time, in seconds, that the response to each echo timeout must be received.
- To configure the Firebox or XTM device to automatically restart the PPPoE connection on a daily or weekly basis, select the Schedule time for auto restart check box.
- From the Schedule time for auto restart drop-down list, select Daily to restart the connection at the same time each day, or select a day of the week to restart weekly. Select the hour and minute of the day (in 24 hour time format) to automatically restart the PPPoE connection.
- In the Service Name text box, type a PPPoE service name.
This is either an ISP name or a class of service that is configured on the PPPoE server. Usually, this option is not used. Select it only if there is more than one access concentrator, or you know that you must use a specified service name.
- In the Access Concentrator Name text box, type the name of a PPPoE access concentrator, also known as a PPPoE server. Usually, this option is not used. Select it only if you know there is more than one access concentrator.
- In the Authentication retries text box, type or select the number of times that the Firebox or XTM device can try to make a connection.
The default value is three (3) connection attempts.
- In the Authentication timeout text box, type a value for the amount of time between connection attempt retries.
The default value is 20 seconds between each connection attempt.
- If you configure the PPPoE settings to use a static IP address, you can select one of three options for PPPoE IP address negotiation:
- Send PPPoE client static IP address during PPPoE negotiation — This option configures the device to send the PPPoE client IP address to the PPPoE server during PPPoE negotiation. This is the default setting.
- Don't send PPPoE client static IP address during PPPoE negotiation — This option configures the device not to send the PPPoE client IP address to the PPPoE server.
- Send and enforce PPPoE client static IP address during PPPoE negotiation — This option configures the device to send the PPPoE client IP address to the PPPoE server, and use the configured IP address even if another IP address is obtained from the PPPoE server. To use this option, the device must use Fireware XTM v11.8.1 or higher.
- To configure the Firebox or XTM device to negotiate DNS with the PPPoE server, select the Negotiate DNS with PPPoE Server check box. This is enabled by default. Clear this check box if you do not want the device to negotiate DNS.
- Click OK.
Use DHCP to Get an IPv4 IP Address
- From the Configuration Mode drop-down list, select DHCP.
- If your ISP or external DHCP server requires a client identifier, such as a MAC address, in the Client text box, type this information.
- To specify a host name for identification, in the Host Name text box, type the host name.
- To manually assign an IP address to the external interface, in the Use this IP address text box, type the IP address.
To configure the external interface to obtain an IP address automatically, clear the Use this IP address text box.
- To change the lease time, select the Lease Time check box and specify the value in the adjacent text box and drop-down list.
IP addresses assigned by a DHCP server have an eight hour lease by default; each address is valid for eight hours.
You can optionally enable the DHCP Force Renew option. This feature enables the Firebox or XTM device to handle a FORCERENEW message from your ISP or DHCP provider. The DHCP server sends a FORCERENEW message to request that the DHCP client renew the leased IP address sooner than it ordinarily would, based on the configured lease time. If your ISP or DHCP provider requests that you enable this option, they might also specify a shared key. The shared key is optional, but recommended. If you specify a shared key, it must match the shared key in the FORCERENEW message. If you do not specify a shared key, the Firebox or XTM device responds to any FORCERENEW message, whether a shared key is present or not.
The DHCP Force Renew option is supported in Fireware XTM v11.8.1 and higher.
To enable the Firebox or XTM device to manage a DHCP FORCERENEW request:
- Select the DHCP Force Renew check box.
- (Optional) In the Shared Key text box, type the shared key.
The shared key is encrypted and stored in the configuration file.
About DNS Servers
Your Firebox or XTM device must use a DNS server to resolve host names to IP addresses. If you configure the external interface to use a static IP address, you must also specify the IP address of at least one DNS server so that your device can resolve DNS queries.
For information about how to specify a DNS server, see Add WINS and DNS Server Addresses.
If you configure the external interface to use PPPoE or DHCP to get a dynamic IP address, your device automatically receives a DNS server IP address when it receives the interface IP address.
You can see the DNS servers your device uses on the Dashboard > Interfaces page. For more information, see Interfaces.
Common Interface Settings
About Advanced Interface Settings