Interface

Interface objects segment your network to help you manage and classify traffic flow. An interface object simply groups interfaces. These groups may span multiple devices; you can also configure multiple interface objects on a single device.

There are two types of interface objects:

  • Security zones—An interface can belong to only one security zone.

  • Interface groups—An interface can belong to multiple interface groups (and to one security zone).

    You can use interface groups in NAT policies, prefilter policies, and QoS policies.

Although tunnel zones are not interface objects, you can use them in place of security zones in certain configurations; see Tunnel Zones and Prefiltering.

Caution

Remember that changes to security zone objects can modify the security zone universal unique identifier (UUID). Some changes to security zone objects that can modify the UUID are:

  • Changes to security zone interface objects

  • Changes to the subsystem: Objects > Object Management > Security Zone

In case you have already made changes, remember to update the new UUID in all the (external) systems.

All interfaces in an interface object must be of the same type: all inline, passive, switched, routed. After you create an interface object, you cannot change the type of interfaces it contains.

To view the interfaces that belong to each object, navigate to Objects > Object Management and click Interface. This page lists the security zones and interface groups configured on your managed devices. You can expand each interface object to view the type of interfaces in each interface object.

Note

Create inline sets before you add security zones for the interfaces in the inline set; otherwise security zones are removed and you must add them again.

Security Zones Vs. Interface Groups

Question: For features that support both security zones and interface groups, how do you determine which object type to use?

Answer: Unless you need the functionality an interface group provides, you should default to using security zones because security zones are supported for all features.

Question: How do I know if I need to use an interface group?

Answer: See the following examples.

Interface Objects and Multitenancy

In a multidomain deployment, you can create interface objects at any level. An interface object created in an ancestor domain can contain interfaces that reside on devices in different domains. In this situation, subdomain users viewing the ancestor interface object configuration in the object manager can see only the interfaces in their domain.

Unless restricted by role, subdomain users can view and edit interface objects created in ancestor domains. Subdomain users can add and delete interfaces from these interface objects. They cannot, however, delete or rename the interface objects. You can neither view nor edit interface objects created in descendant domains.