User Guide 11
• You use one logical network for all three interfaces.
• The Firebox uses proxy ARP. The trusted interface ARP address replaces the ARP address of the
router. It then resolves the ARP data for those devices behind the Firebox that cannot receive the
• During installation, it is not necessary to change the TCP/IP properties of computers on the trusted
and optional interfaces. The router cannot receive the transmitted ARP data from the trusted host,
but the Firebox continues to control ARP data for the router.
• Usually, the Firebox is the default gateway as an alternative to the router.
• You must flush the ARP cache of each computer on the trusted network.
• A large part of a LAN is on the trusted interface because there is a secondary network for the LAN.
With a drop-in configuration you do not have to change the configuration of each computer on the
trusted network that has a public IP address. But, a drop-in configuration is not easy to manage. It can
also be more difficult to troubleshoot problems.
Adding secondary networks to your configuration
A secondary network is a different network that connects to a Firebox interface with a switch or hub.
When you add a secondary network, you map an IP address from the secondary network to the IP address
of the Firebox interface. Thus, you make (or add) an IP alias to the network interface. This IP alias is the
default gateway for all the computers on the secondary network. The secondary network also tells the
Firebox that there is one more network on the Firebox interface.
To add a secondary networks, do one of these procedures:
Use the Quick Setup Wizard during installation
Enter an IP address for the secondary network in the Quick Setup Wizard, as described in “Using the
Quick Setup Wizard” on page 6. This is the default gateway for your secondary private network.
Add the secondary network after the Firebox installation is complete
Use Policy Manager to add secondary networks to an interface. For information on how to use Policy
Manager, see the
Dynamic IP support on the external interface
If you use dynamic IP addressing, you must select routed configuration.