Detect and configure interfaces available on a computer
The Computer editor contains an Interfaces page and the Policy editor contains an Interface Types page, both of which display interfaces detected on the computer. If a policy with multiple interface assignments has been assigned to the computer, interfaces that match the patterns defined in the policy are identified.
The Interface Types page of the Policy editor provides additional configuration options, such as the interface isolation and multiple interfaces.
Configure a policy for multiple interfaces
If you have computers with more than one interface, you can assign elements of a policy, such as firewall rules, to each interface separately.
- In the Policy editor, click Interface Types.
- In Network Interface Specificity, select Rules can apply to specific interfaces.
- In Interface Type, type the names and pattern-matching strings.
The interface type name is used only for reference. Common names include LAN, WAN, DMZ, and Wi-Fi, though any name can be used to map to your network's topology.
The interface name used for all container network interfaces and host virtual interfaces is integrated_veth, which has a MAC address of 02:00:00:00:00:00.
The matches define a wildcard-based interface name to automatically map the interfaces to the appropriate interface type. For example, "Local Area Connection *", "eth*", or "Wireless *". When an interface cannot be mapped automatically, an alert is triggered. You can manually map it from the Interfaces page in the Computer editor for a particular computer.
If Workload Security detects interfaces on the computer that do not match any of these entries, it triggers an alert.
Enforce interface isolation
When Interface Isolation is enabled, the firewall tries to match the regular expression patterns to interface names on the local computer. To enforce interface isolation, click Enable Interface Isolation on the Policy or Computer Editor > Firewall > Interface Isolation tab and enter string patterns that match the names of the interfaces on a computer (in order of priority).
Before you enable Interface Isolation, make sure that you have configured the interface patterns in the proper order and that you have removed or added all necessary string patterns. Only interfaces matching the highest priority pattern are permitted to transmit traffic. Other interfaces (which match any of the remaining patterns on the list) are restricted. Restricted Interfaces block all traffic unless an Allow Firewall Rule is used to allow specific traffic to pass through.
Selecting Limit to one active interface restricts traffic to only a single interface even if more than one interface matches the highest priority pattern.
Workload Security uses POSIX Basic Regular Expressions to match interface names. For more information, see Basic Regular Expressions.
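The following is an added example, not code from Workload Security, that dry-runs both mappings described above before they are enabled: wildcard interface-type matching and priority-ordered Interface Isolation. Interface names, type names and patterns are constructed sample values, Python's re stands in for POSIX Basic Regular Expressions, and the handling of extra interfaces under Limit to one active interface is an assumption stated in the code.

```python
import fnmatch
import re

# Constructed sample of interface names as they might be detected on one host.
DETECTED_INTERFACES = ["Local Area Connection 2", "Wireless Network Connection",
                       "eth0", "integrated_veth", "tun0"]

# Interface Types page: type name -> wildcard match strings (constructed values).
INTERFACE_TYPES = {"LAN": ["Local Area Connection *", "eth*"], "Wi-Fi": ["Wireless *"]}

# Interface Isolation patterns, highest priority first (constructed values).
# Python's re stands in for POSIX BRE, so only shared constructs (^ $ [] * .) are used.
ISOLATION_PATTERNS = [r"^eth[0-9]*$", r"^Wireless .*", r"^Local Area Connection .*"]


def map_interface_types(interfaces, interface_types):
    """Map each interface to the first type whose wildcard matches it.
    None means no type matched: the real system raises an alert and the
    interface must be mapped manually on the computer's Interfaces page."""
    mapping = {}
    for iface in interfaces:
        mapping[iface] = next((name for name, pats in interface_types.items()
                               if any(fnmatch.fnmatchcase(iface, p) for p in pats)), None)
    return mapping


def simulate_isolation(interfaces, patterns, limit_to_one=False):
    """Classify interfaces as permitted, restricted or unmatched before
    enabling Interface Isolation. Only the first (highest priority) pattern
    permits traffic; interfaces matching any later pattern are restricted.
    Assumption: with limit_to_one, the first permitted interface in detection
    order stays active and the others are restricted."""
    permitted = [i for i in interfaces if re.search(patterns[0], i)]
    rest = [i for i in interfaces if i not in permitted]
    restricted = [i for i in rest if any(re.search(p, i) for p in patterns[1:])]
    unmatched = [i for i in rest if i not in restricted]
    if limit_to_one and len(permitted) > 1:
        restricted = permitted[1:] + restricted
        permitted = permitted[:1]
    return {"permitted": permitted, "restricted": restricted, "unmatched": unmatched}


if __name__ == "__main__":
    print(map_interface_types(DETECTED_INTERFACES, INTERFACE_TYPES))
    result = simulate_isolation(DETECTED_INTERFACES, ISOLATION_PATTERNS)
    print(result)
    if not result["permitted"]:
        print("WARNING: no interface matches the highest priority pattern; check the order")
```

An empty permitted list means the pattern order would leave every interface restricted, which is exactly the misordering the text warns about checking before enabling isolation.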