Configure a Custom Interface
A custom interface enables you to define a custom security zone that is separate from the predefined trusted, optional, and external zones. A custom interface is not a member of the built-in aliases Any-Trusted, Any-Optional, or Any-External. Because a custom interface is not included in the built-in aliases, traffic for a custom interface is not allowed through the Firebox unless you specifically configure policies to allow it.
You can configure a physical interface, wireless interface, Bridge, VLAN, or Link Aggregation interface as a custom interface. When you configure an interface as a custom interface, the network settings you can configure are the same as for a trusted or optional interface.
When to Use a Custom Interface
These examples show how you can use a custom interface:
To enable a wireless network for guest users, you can configure an access point in the Custom zone and use the wireless interface alias in policies that you want to handle traffic from wireless clients. For example, to set up Access Point 1 on a Firebox wireless device as a guest network:
- In the Wireless Access Point 1 configuration, set the Interface Type to Custom, and configure the network settings.
- Use the alias WG-Wireless-Access-Point1 in the policies you want to handle traffic for connected wireless clients.
If you already have trusted and optional networks, and you want to configure a third internal security zone, you can configure one or more interfaces or wireless access points as Custom. You then add these custom interfaces to a new alias. Use the new alias in policies that you want to handle traffic from this network.
For example, to create a Semi-Trusted security zone that includes both wired and wireless networks:
- Configure interfaces 1 and 2 as Custom and configure the network settings.
- Configure Access Point 1 and Access Point 2 as Custom and configure the network settings.
- Create a new alias, Semi-Trusted, that includes the two custom interfaces, and the two custom access points as members.
- Use the Semi-Trusted alias in policies you want to handle traffic for clients connected to any of these networks.
For more information about aliases, go to About Aliases.
Configure the Interface
To configure a physical interface as a custom network interface, you set the Interface Type to Custom. Then configure all other interface settings as you would for a trusted or optional interface.
- Select Network > Interfaces.
The Network Interfaces dialog box appears. - Select an interface and click Configure.
The Interface Configuration dialog box appears. - In the Interface Name (Alias) text box, you can use the default name or change it to one that more closely reflects your own network.
Make sure the name is unique among interface names, and is not used for any Mobile VPN group names or tunnel names. You can use this alias with other features, such as proxy policies, to manage network traffic for this interface. - (Optional) In the Interface Description text box, type a description of the interface.
- From the Interface Type drop-down list, select Custom.
- In the IP Address text box, type the IPv4 address in slash notation. For information about IP addresses to use for trusted and optional networks, go to About Private IP Addresses.
- Configure other interface settings.
- For information about how to automatically assign IPv4 addresses to clients that connect to a trusted or optional interface, go to Configure an IPv4 DHCP Server or Configure DHCP Relay.
- For information about how to use more than one IPv4 address on a single physical network interface, go to Add a Secondary Network IP Address.
- For information about how to configure an interface to use an IPv6 address, go to Configure IPv6 for a Trusted or Optional Interface.
- Click Save.
- Select Network > Configuration.
The Network Configuration dialog box appears. - Select an interface and click Configure.
The Interface Settings dialog box appears. - In the Interface Name (Alias) text box, you can use the default name or change it to one that more closely reflects your own network.
Make sure the name is unique among interface names, and is not used for any Mobile VPN group names or tunnel names. You can use this alias with other features, such as proxy policies, to manage network traffic for this interface. - (Optional) In the Interface Description text box, type a description of the interface.
- From the Interface Type drop-down list, select Custom.
- In the IP Address text box, type the IPv4 address in slash notation. For information about IP addresses to use for trusted and optional networks, go to About Private IP Addresses.
- Configure other interface settings.
- For information about how to automatically assign IPv4 addresses to clients that connect to a trusted or optional interface, go to Configure an IPv4 DHCP Server or Configure DHCP Relay.
- For information about how to use more than one IPv4 address on a single physical network interface, go to Add a Secondary Network IP Address.
- For information about how to configure an interface to use an IPv6 address, go to Configure IPv6 for a Trusted or Optional Interface.
- Click OK.
To configure a wireless, VLAN, Bridge, or Link Aggregation interface as a custom interface, set the Interface Type to Custom, and configure all other interface settings as you would for a trusted or optional interface.
After you configure an interface as a custom interface, you must configure policies to allow traffic to and from the interface. You can edit the existing policies or create new policies that use the custom interface name. Or, you can create a new alias that includes multiple custom interfaces, and then use that custom alias in policies. For more information about aliases, go to About Aliases.