Change an Interface on a Threat Defense Logical Device

You can allocate or unallocate an interface, or replace a management interface on the threat defense logical device. You can then sync the interface configuration in the management center.

Adding a new interface or deleting an unused interface has minimal impact on the threat defense configuration. However, deleting an interface that is used in your security policy will impact the configuration. Interfaces can be referenced directly in many places in the threat defense configuration, including access rules, NAT, SSL, identity rules, VPN, DHCP server, and so on. Policies that refer to security zones are not affected. You can also edit the membership of an allocated EtherChannel without affecting the logical device or requiring a sync on the management center.

Deleting an interface will delete any configuration associated with that interface.

Before you begin

  • Configure your interfaces, and add any EtherChannels according to Configure a Physical Interface and Add an EtherChannel (Port Channel).

  • If you want to add an already-allocated interface to an EtherChannel (for example, all interfaces are allocated by default to a cluster), you need to unallocate the interface from the logical device first, then add the interface to the EtherChannel. For a new EtherChannel, you can then allocate the EtherChannel to the device.

  • If you want to replace the management or eventing interface with a management EtherChannel, then you need to create the EtherChannel with at least 1 unallocated data member interface, and then replace the current management interface with the EtherChannel. After the threat defense device reboots (management interface changes cause a reboot), and you sync the configuration in the management center, you can add the (now unallocated) management interface to the EtherChannel as well.

  • For clustering or High Availability, make sure you add or remove the interface on all units before you sync the configuration in the management center. We recommend that you make the interface changes on the data/standby unit(s) first, and then on the control/active unit. Note that new interfaces are added in an administratively down state, so they do not affect interface monitoring.

  • In multi-instance mode, to replace a sub-interface with another sub-interface that has the same VLAN tag, you must first remove all the configuration of the interface (including the nameif configuration) and then unallocate the interface in the chassis manager. Once it is unallocated, add the new interface and then sync the interfaces from the management center.

Procedure
Step 1

In the chassis manager, choose Logical Devices.

Step 2

Click the Edit icon at the top right to edit the logical device.

Step 3

Allocate a new data interface by selecting the interface in the Data Ports area.

Do not delete any interfaces yet.

Step 4

Replace the management or eventing interface:

For these types of interfaces, the device reboots after you save your changes.

  1. Click the device icon in the center of the page.

  2. On the General or Cluster Information tab, choose the new Management Interface from the drop-down list.

  3. On the Settings tab, choose the new Eventing Interface from the drop-down list.

  4. Click OK.

If you change the IP address of the Management interface, then you must also change the IP address for the device in the management center: go to Devices > Device Management > Device/Cluster. In the Management area, set the IP address to match the bootstrap configuration address.

Step 5

Click Save.

Step 6

Sync the interfaces in the management center.

  1. Log into the management center.

  2. Select Devices > Device Management and click Edit (edit icon) for your threat defense device. The Interfaces page is selected by default.

  3. Click the Sync Device button on the top left of the Interfaces page.

  4. After the changes are detected, you will see a red banner on the Interfaces page indicating that the interface configuration has changed. Click the Click to know more link to view the interface changes.

  5. If you plan to delete an interface, manually transfer any interface configuration from the old interface to the new interface.

    Because you have not yet deleted any interfaces, you can refer to the existing configuration. You will have additional opportunity to fix the configuration after you delete the old interface and re-run the validation. The validation will show you all locations in which the old interface is still used.

  6. Click Validate Changes to make sure your policy will still work with the interface changes.

    If there are any errors, you need to change your policy and rerun the validation.

  7. Click Save.

  8. Click Deploy > Deployment.

  9. Select the devices and click Deploy to deploy the policy to the assigned devices. The changes are not active until you deploy them.

Step 7

In the chassis manager, unallocate a data interface by de-selecting the interface in the Data Ports area.

Step 8

Click Save.

Step 9

Sync the interfaces again in the management center.