Aggregate

This feature is available only on SN-S-Series-220, SN-S-Series-320, SN510, SN-M-Series-520, SN710, SN-M-Series-720, SN910, SN-M-Series-920, SN1100, SN2000, SN2100, SN3000, SN3100, SN6000, SN6100, SNi20 and SNi40 models. There are several types of aggregates (LACP, Broadcast mode and Redundancy). You can select the desired type in the Advanced properties tab.

NOTE
The use of stackable switches is recommended as this would allow link redundancy between both appliances.

Adding an aggregate

Adding an aggregate without members

  1. Click on Add.
  2. Scroll over Aggregate.
  3. Click on No members.
  4. Give the new aggregate a name, then click on Apply.
    The new aggregate will be added to the interfaces and its control panel appears.

Adding an aggregate that contains selected interfaces

  1. Select the interfaces to include in the new aggregate beforehand.
  2. Click on Add.
  3. Scroll over Aggregate.
  4. Click on With interface_1, interface_2 ....
  5. Give the new aggregate a name, then click on Apply.
    The new aggregate will be added to the interfaces and its control panel appears.

Aggregate control panel

Double-click on an aggregate control panel to open it. There are several tabs in the control panel.

Status

ON / OFF

Set the switch to ON / OFF to enable or disable the aggregate.

General settings

Name Name of the aggregate. This name can be changed.
Comments Allows you to enter comments regarding the interface.
This interface is

An interface can be:

  • Internal (protected): when this option is selected, this means that the interface is protected (a shield appears). a protected interface only accepts packets coming from a known address range, such as a directly connected network or a network defined by a static route. This protection includes remembering machines that have logged on to this interface, conventional traffic security mechanisms (TCP) and implicit rules for services offered by the firewall such as DHCP.

  • External (public): choosing this option indicates that the interface does not benefit from the protection of a protected interface and can therefore receive packets coming from any address range (which are not assigned to internal interfaces). This type of interface is used mainly to connect the firewall to the Internet.

Address range

Address range inherited from the bridge When this option is selected, the interface becomes part of a bridge. Several parameters, such as the address range, will then be inherited from the bridge. This will unlock the Bridge field. Select the parent bridge of the interface in this field.
Dynamic / Static

Selecting this option indicates that the IP address of the interface is dynamic (obtained via DHCP) or static. This will unlock the IPv4 address field.
Dynamic IP (obtained by DHCP)

When this option is selected, the IP address of the interface will be defined by DHCP. An Advanced DHCP properties zone appears with the following parameters:

  • DNS name (optional): a fully qualified DHCP host name (FQDN) can be indicated for the DHCP request.

    If a value is entered in this field and the external DHCP server has the option of automatically updating the DNS server, the DHCP server automatically updates the DNS server with the name of the firewall, its assigned IP address and allocated lease time (field below).

  • Requested lease time (seconds): in addition to the DNS name, enter the duration for which the IP address is kept before renegotiation.

  • Request domain name servers from the DHCP server and create host objects: select this parameter so that the firewall will retrieve DNS servers from the DHCP server (access provider, for example) that provided its IP address. When this option is selected, two objects will be created: Firewall_<interface name>_dns1 and Firewall_<interface name>_dns2. They can then be used in the configuration of the DHCP service. So if the firewall provides the users on its network with a DHCP service, the users will also benefit from the DNS servers given by the access provider.
Fixed IP (static)

When this option is selected, the IP address of the interface will be static. A grid appears, in which you must add the IP address and its subnet mask. Several IP addresses and associated masks can be added if aliases need to be created, for example. These aliases allow you to use the firewall as a central routing point. As such, an interface can be connected to various sub-networks with a different address range.

If you add several IP addresses (aliases) to the same address range, these addresses must all have the same mask. Reloading the network configuration will apply this mask to the first address and a /32 mask to the addresses that follow.

Managing members

To add or remove members from the aggregate, move the interfaces from one section to another by using the arrows, dragging and dropping, or double-clicking on the interface. An interface that becomes a member of an aggregate loses its settings to inherit the configuration of the aggregate (except the name and Media settings).

The maximum number of members that an aggregate can contain varies based on its type:

  • LACP: Maximum 8 members,

  • Broadcast mode: Maximum 2 members,

  • Redundancy: 2 members (includes 1 "Master" member that must be defined).

The type of aggregate and Master member are chosen in the Advanced properties tab.

Other settings

MTU Maximum length of frames (in bytes) sent over the physical medium (Ethernet) so that they are sent at one go without fragmentation. This option is not available for interfaces contained in a bridge.
Physical (MAC) address Makes it possible to specify a MAC address for an interface instead of using the address assigned by the firewall. If the interface is contained in a bridge, it will have the same MAC address as the bridge.

Aggregate type

LACP

When this option is selected, the aggregate is LACP-based. The LACP (IEEE 802.3ad - Link Aggregation Control Protocol) feature helps improve the firewall’s bandwidth while maintaining a high level of availability (link redundancy). Several physical ports on a firewall can be grouped together to be considered a single logical interface. Therefore, by aggregating x links, it is possible to set up a link of x times 1 Gbps or 10 Gbps between two appliances.

NOTE
Ensure that the remote appliances are using LACP.
Broadcast mode

When this option is selected, the aggregate is Broadcast mode-based. With this mode, packets can be sent and received over all links included in an aggregate.

NOTE
The device that is connected to the firewall's aggregated interfaces in broadcast mode must support such communications:
  • Either by having one active interface and a second passive interface (main/backup),
  • Or by ignoring frames that originate from one of the links.
Redundancy When this option is selected, the aggregate is redundancy-based. With the redundancy feature, a backup link can be set up in case the main link (Master ) stops responding.
Main interface Select the main interface from the drop-down menu. It appears as the Master in the list of aggregate members in the General configuration tab. This field can only be accessed if it is a Redundancy aggregate.