Managing the roles of physical interfaces

Physical interfaces (ports) of a Kaspersky NGFW device can have the following roles:

• A data plane interface is for user traffic processing.

  Data plane interfaces can receive and send Jumbo frames with an L2 MTU (maximum transmission unit) value from 64 to 9216 bytes. If Kaspersky NGFW receives a frame (hereinafter also referred to as a packet) with an L2 MTU of more than 9216 bytes, such a packet is dropped. You cannot change the allowed L2 MTU value for Kaspersky NGFW.

• A dedicated management interface is for managing the Kaspersky NGFW device. When a Kaspersky NGFW device experiences a denial of service attack or similar traffic, the device remains accessible through its dedicated management interfaces.

You can change the roles of physical interfaces individually or assign the same role to multiple physical interfaces at the same time, if the same network template is applied to the devices of these interfaces. By default, Kaspersky NGFW is delivered with one physical dedicated management interface. All other physical interfaces are data plane interfaces.

It is not possible to simultaneously assign the data plane interface role and the dedicated management interface role to the same physical interface.

In the list of network interfaces, the selected management interfaces in the Type column are marked with the Dedicated management port tag.

You can choose to assign the dedicated management interface role to any number of physical interfaces of Kaspersky NGFW. It is acceptable to assign only the data plane interface role or only the dedicated management interface role to all physical interfaces.

You can manage the settings of a physical interface with the dedicated management port role only in a network template; you cannot manage settings on the device.

You can also use the command line to change the role of a Kaspersky NGFW physical interface. The dedicated management interface role can only be assigned to physical interfaces that satisfy the following conditions:

• The physical interface has no subinterfaces.

  If you want to make the physical interface a dedicated management interface, you must first remove its subinterfaces.

• The physical interface is not part of an aggregated interface.

  If you want to make the physical interface a dedicated management interface, you must first remove the physical interface from the aggregated interface.

• The physical interface is not an aggregated interface.
• The physical interface is not part of a bridge.
• The physical interfaces has not been added to an L2 security zone

Managing the roles of physical interfaces in the Console

To change the role of a Kaspersky NGFW physical interface:

1. In the main menu of the Open Single Management Platform Console, go to the Application & Services → NGFW section.
2. Go to the list of interfaces in one of the following ways:
   • If you want to change the role of an interface in a device template, in the menu, select the Network templates tab, click the device template, and select the Interfaces section.
   • If you want to change the role of an interface on a Kaspersky NGFW device, select the Devices tab in the menu, click a Kaspersky NGFW device and select the Interfaces section.

   The table of network interfaces is displayed.

3. Do one of the following:
   • If you want to create a new interface and assign the dedicated management interface role to it, click Create in the upper workspace.
   • If you want to assign the dedicated management interface role to an existing physical interface, select an interface of the Physical type in the table and click Edit in the upper workspace.

     You cannot change the role of an existing interface if it has subinterfaces, or if it is part of an aggregated interface or a network bridge.

4. In the pane that is displayed, on the General tab, under the Role setting, select Data plane or Dedicated management port and save your changes.
5. If you changed the role of an interface on an individual Kaspersky NGFW device, restart this device for the changes to take effect.
6. If you have changed the role of an interface in a template, restart all devices that use the interface settings from this template (the Override check box is cleared in the interface settings on the device) for the changes to take effect.

Managing the roles of physical interfaces on the command line

To change the role of a Kaspersky NGFW physical interface on the command line:

1. To find out the role of a specific interface, run the following command:

   show interfaces name <interface name>

2. Go to the interface configuration menu by running the following command on the command line:

   interface <interface name>

   where <interface name> is the name of the physical interface whose role you want to change.

3. Proceed to configure the role of the physical interface by issuing the control command.
4. Assign the necessary role to the physical interface by issuing one of the following commands:
   • dataplane-interface to make the interface a data plane interface.

     The data plane interface is included in the VRF Main network segment. On some platforms, it is not possible to assign the data plane interface role to some physical interfaces.

   • no dataplane-interface to make the interface a dedicated management interface.

     If the physical interface had been included in a security zone before the dedicated management interface role was assigned to the physical interface, the security zone for the dedicated management interface is reset and cannot be configured. The dedicated management interface is included in the network segment of the 'Management' virtual routing and forwarding table (VRF).

5. If you want to exit the active menu, run the following command:

   exit

6. For the changes to take effect, apply the Kaspersky NGFW configuration changes and restart the device.

For a description of command families and a link to the complete list of Kaspersky NGFW configuration commands, see the Managing Kaspersky NGFW using the command line document.

Special considerations and limitations of dedicated management interfaces

The following special considerations and limitations are involved with dedicated management interfaces:

• You cannot include a dedicated management interface in a security zone.

  When you make an interface a dedicated management interface, the security zone settings are not available.

• You cannot change the network segment type of the dedicated management interface. Dedicated management interfaces are always included in the VRF Management network segment.

  Only dedicated management interfaces can be included in the VRF Management network segment. When the role of an interface is changed to dedicated management port, the interface is automatically included in the VRF Management network segment.

• You cannot create subinterfaces for dedicated management interfaces.
• You cannot add dedicated management interfaces to an aggregate interface or to a network bridge.

Page top