GRETAP interface

Set the switch to ON/OFF to enable or disable the interface.
Disabled interfaces cannot be used. An interface that has been disabled because it is not in use, or will be deployed later, is an additional security measure against intrusions.

An interface can be:

• Internal (protected): when this option is selected, this means that the interface is protected (a shield appears). a protected interface only accepts packets coming from a known address range, such as a directly connected network or a network defined by a static route. This protection includes remembering machines that have logged on to this interface, conventional traffic security mechanisms (TCP) and implicit rules for services offered by the firewall such as DHCP.

• External (public): choosing this option indicates that the interface does not benefit from the protection of a protected interface and can therefore receive packets coming from any address range (which are not assigned to internal interfaces). This type of interface is used mainly to connect the firewall to the Internet.

Selecting this option indicates that the IP address of the interface is dynamic (obtained via DHCP) or static. This will unlock the IPv4 address field.

When this option is selected, the IP address of the interface will be defined by DHCP. An Advanced DHCP properties zone appears with the following parameters:

• DNS name (optional): a fully qualified DHCP host name (FQDN) can be indicated for the DHCP request.
  
  If a value is entered in this field and the external DHCP server has the option of automatically updating the DNS server, the DHCP server automatically updates the DNS server with the name of the firewall, its assigned IP address and allocated lease time (field below).

• Requested lease time (seconds): in addition to the DNS name, enter the duration for which the IP address is kept before renegotiation.

• Request domain name servers from the DHCP server and create host objects: select this parameter so that the firewall will retrieve DNS servers from the DHCP server (access provider, for example) that provided its IP address. When this option is selected, two objects will be created: Firewall_<interface name>_dns1 and Firewall_<interface name>_dns2. They can then be used in the configuration of the DHCP service. So if the firewall provides the users on its network with a DHCP service, the users will also benefit from the DNS servers given by the access provider.

When this option is selected, the IP address of the interface will be static. A grid appears, in which you must add the IP address and its subnet mask. Several IP addresses and associated masks can be added if aliases need to be created, for example. These aliases allow you to use the firewall as a central routing point. As such, an interface can be connected to various sub-networks with a different address range.

If you add several IP addresses (aliases) to the same address range, these addresses must all have the same mask. Reloading the network configuration will apply this mask to the first address and a /32 mask to the addresses that follow.

This option will ask the firewall to not modify the destination in the Ethernet layer when a packet goes through it. The packet will be resent to the same MAC address from which it was received. The purpose of this option is to facilitate the integration of firewalls transparently into an existing network, as this makes it possible to avoid the need for modifying the default route of machines on the internal network.