Change an Interface on a Firewall Threat Defense Logical Device

You can allocate or unallocate an interface on the Firewall Threat Defense logical device. You can then sync the interface configuration in the Firewall Management Center.

Adding a new interface, or deleting an unused interface has minimal impact on the Firewall Threat Defense configuration. However, deleting an interface that is used in your security policy will impact the configuration. Interfaces can be referenced directly in many places in the Firewall Threat Defense configuration, including access rules, NAT, SSL, identity rules, VPN, DHCP server, and so on. Policies that refer to security zones are not affected. You can also edit the membership of an allocated EtherChannel without affecting the logical device or requiring a sync on the Firewall Management Center.

Deleting an interface will delete any configuration associated with that interface.

Before you begin

  • Configure your interfaces, and add any EtherChannels according to Configure a Physical Interface and Add an EtherChannel (Port Channel).

  • If you want to add an already-allocated interface to an EtherChannel (for example, all interfaces are allocated by default to a cluster), you need to unallocate the interface from the logical device first, then add the interface to the EtherChannel. For a new EtherChannel, you can then allocate the EtherChannel to the device.

  • For clustering or High Availability, make sure you add or remove the interface on all units before you sync the configuration in the Firewall Management Center. We recommend that you make the interface changes on the data/standby unit(s) first, and then on the control/active unit. Note that new interfaces are added in an administratively down state, so they do not affect interface monitoring.

  • In mult-instance mode, for changing a sub-interface with an another sub-interface with the same vlan tag, you must first remove all the configuration (including nameif config) of the interface and then unalloacte the interface from Firewall Chassis Manager. Once unallocated, add the new interface and then use sync interfaces from the Firewall Management Center.

Procedure

Step 1

Sync the interfaces in the Firewall Management Center.

  1. Log into the Firewall Management Center.

  2. Select Devices > Device Management and click Edit (edit icon) for your Firewall Threat Defense device. The Interfaces page is selected by default.

  3. Click the Sync Device button on the top left of the Interfaces page.

  4. After the changes are detected, you will see a red banner on the Interfaces page indicating that the interface configuration has changed. Click the Click to know more link to view the interface changes.

  5. If you plan to delete an interface, manually transfer any interface configuration from the old interface to the new interface.

    Because you have not yet deleted any interfaces, you can refer to the existing configuration. You will have additional opportunity to fix the configuration after you delete the old interface and re-run the validation. The validation will show you all locations in which the old interface is still used.

  6. Click Validate Changes to make sure your policy will still work with the interface changes.

    If there are any errors, you need to change your policy and rerun the validation.

  7. Click Save.

  8. Click Deploy > Deployment.

  9. Select the devices and click Deploy to deploy the policy to the assigned devices. The changes are not active until you deploy them.

Step 2

Sync the interfaces again in the Firewall Management Center.