A primary component of your XTM device setup is the configuration of network interface IP addresses. When you run the Quick Setup Wizard, the external and trusted interfaces are set up so traffic can flow from protected devices to an outside network. You can use the procedures in this section to change the configuration after you run the Quick Setup Wizard, or to add other components of your network to the configuration. For example, you can set up an optional interface for public servers such as a web server.
Your XTM device physically separates the networks on your Local Area Network (LAN) from those on a Wide Area Network (WAN) like the Internet. Your device uses routing to send packets from networks it protects to networks outside your organization. To do this, your device must know what networks are connected on each interface.
We recommend that you record basic information about your network and VPN configuration in the event that you need to contact technical support. This information can help your technician resolve your problem quickly.
Your XTM device supports several network modes:
Mixed routing mode
In mixed routing mode, you can configure your XTM device to send network traffic between a wide variety of physical and virtual network interfaces. This is the default network mode, and this mode offers the greatest amount of flexibility for different network configurations. However, you must configure each interface separately, and you may have to change network settings for each computer or client protected by your XTM device. The XTM device uses Network Address Translation (NAT) to send information between network interfaces.
For more information, see About Network Address Translation (NAT).
The requirements for mixed routing mode are:
In a drop-in configuration, your XTM device is configured with the same IP address on all interfaces. You can put your XTM device between the router and the LAN and not have to change the configuration of any local computers. This configuration is known as drop-in because your XTM device is dropped in to an existing network. Some network features, such as bridges and VLANs (Virtual Local Area Networks), are not available in this mode.
For drop-in configuration, you must:
For more information, see Drop-In Mode.
Bridge mode is a feature that allows you to place your XTM device between an existing network and its gateway to filter or manage network traffic. When you enable this feature, your XTM device processes and forwards all incoming network traffic to the gateway IP address you specify. When the traffic arrives at the gateway, it appears to have been sent from the original device. In this configuration, your XTM device cannot perform several functions that require a public and unique IP address. For example, you cannot configure an XTM device in bridge mode to act as an endpoint for a VPN (Virtual Private Network).
For more information, see Bridge Mode.
You use four interface types to configure your network in mixed routing or drop-in mode:
An external interface is used to connect your XTM device to a network outside your organization. Often, an external interface is the method by which you connect your XTM device to the Internet.
When you configure an external interface, you must choose the method your Internet service provider (ISP) uses to give you an IP address for your XTM device. If you do not know the method, get this information from your ISP or network administrator.
Trusted interfaces connect to the private LAN (local area network) or internal network of your organization. A trusted interface usually provides connections for employees and secure internal resources.
Optional interfaces are mixed-trust or DMZ environments that are separate from your trusted network. Examples of computers often found on an optional interface are public web servers, FTP servers, and mail servers.
Custom interfaces are connected to the internal network of your organization. You can use a custom interface when you want to configure a security zone that is separate from the trusted or optional security zones. For more information about custom interfaces, see Configure a Custom Interface.
In mixed routing mode, you can also configure Bridge, VLAN, and Link Aggregation interfaces. Each of these interface types must be in the External, Trusted, Optional, or Custom security zone. For more information about settings that apply to all interface types, see Common Interface Settings.
For a Firebox T10, XTM 2 Series, 3 Series, or 5 Series device, you can configure failover to an external modem. For more information, see Configure Modem Failover.
When you configure the interfaces on your XTM device, you must use slash notation to denote the subnet mask. For example, you would enter the IPv4 network range 192.168.0.0 subnet mask 255.255.255.0 as 192.168.0.0/24. A trusted interface with the IPv4 address of 10.0.1.1/16 has a subnet mask of 255.255.0.0.
For more information on slash notation, see About Slash Notation.
After you enable at least one wireless access point on a Firebox or XTM wireless device that uses Fireware XTM v11.9 or higher, the interface list includes three interfaces that correspond to the wireless access points.
You cannot enable, disable, or edit the wireless interfaces from the Interfaces page. To edit a wireless interface, select Network > Wireless.
For information about wireless interface configuration settings, see Enable Wireless Connections (Fireware XTM OS v11.9.x and Higher).
About Using Multiple External Interfaces