Interface Types – How to Prevent Accidental Policy Overlap

Interface types on WatchGuard firewalls are not something to configure without planning and thought. The reason is the system-generated aliases (blue font indicates system-generated items). When you create multiple interfaces with the same type, those interfaces can overlap in your firewall policies. For example, you create an interface for your internal network with the interface type ‘Trusted’ and then create another interface for your DMZ network, also with the interface type ‘Trusted’. With this configuration, every policy that references ‘Any-Trusted’ will allow (or deny) traffic from both of these interfaces. The same thing happens with the interface type ‘Optional’.

To ensure that this does not happen in your environment, JSCM Group’s recommendation is to create additional interfaces on your firewall using the ‘Custom’ interface type. ‘Custom’ differs from ‘Trusted’ and ‘Optional’ in that there is no system-generated ‘Any-Custom’ alias, unlike ‘Any-Trusted’ and ‘Any-Optional’. Because of this, any policy that should include a Custom interface must name that interface individually, which removes the risk of several interfaces being swept into a single policy reference. The only difference between these interface types is how they are referenced in policies; each type can perform the role of another, provided the policies are written appropriately.
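The alias expansion described above can be checked before a change goes live. The following script is an added example, not WatchGuard’s configuration format or JSCM Group’s tooling: it models interfaces and policies as plain Python objects with hypothetical names (LAN, DMZ, Guest-WiFi, IoT), expands the ‘Any-Trusted’ and ‘Any-Optional’ aliases the way the firewall does, and reports every policy member whose alias silently covers more than one interface. The ‘after’ data set shows the recommended fix: the DMZ and IoT segments re-created as ‘Custom’ interfaces and referenced by name.

```python
from dataclasses import dataclass

# System-generated aliases and the interface type each one expands to.
# There is deliberately no "Any-Custom": a Custom interface is only ever
# matched when a policy names it explicitly.
SYSTEM_ALIASES = {"Any-Trusted": "Trusted", "Any-Optional": "Optional"}


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str  # "Trusted", "Optional", "Custom" or "External"


@dataclass(frozen=True)
class Policy:
    name: str
    src: tuple  # policy "From" members: aliases or interface names
    dst: tuple  # policy "To" members
    action: str


def expand(ref, interfaces):
    """Resolve one policy member to the set of interface names it covers."""
    if ref in SYSTEM_ALIASES:
        return frozenset(i.name for i in interfaces if i.kind == SYSTEM_ALIASES[ref])
    if ref not in {i.name for i in interfaces}:
        raise ValueError(f"unknown policy member {ref!r}")
    return frozenset({ref})


def find_overlaps(policies, interfaces):
    """Report every policy member that is a system alias covering more than
    one interface, i.e. a rule that silently applies to several networks."""
    findings = []
    for p in policies:
        for side, members in (("From", p.src), ("To", p.dst)):
            for ref in members:
                covered = expand(ref, interfaces)
                if ref in SYSTEM_ALIASES and len(covered) > 1:
                    findings.append((p.name, side, ref, tuple(sorted(covered))))
    return findings


# --- Constructed sample data (hypothetical names, not from a real firewall) ---

# Before: the DMZ was created as a second 'Trusted' interface and two
# segments share the 'Optional' type, so each alias spans several networks.
BEFORE_INTERFACES = (
    Interface("External", "External"),
    Interface("LAN", "Trusted"),
    Interface("DMZ", "Trusted"),
    Interface("Guest-WiFi", "Optional"),
    Interface("IoT", "Optional"),
)
BEFORE_POLICIES = (
    Policy("LAN-Internet", ("Any-Trusted",), ("External",), "allow"),
    Policy("Guest-Internet", ("Any-Optional",), ("External",), "allow"),
)

# After: DMZ and IoT are re-created as 'Custom' interfaces and referenced by
# name, so each alias maps to exactly one interface again.
AFTER_INTERFACES = (
    Interface("External", "External"),
    Interface("LAN", "Trusted"),
    Interface("DMZ", "Custom"),
    Interface("Guest-WiFi", "Optional"),
    Interface("IoT", "Custom"),
)
AFTER_POLICIES = (
    Policy("LAN-Internet", ("Any-Trusted",), ("External",), "allow"),
    Policy("Guest-Internet", ("Any-Optional",), ("External",), "allow"),
    Policy("DMZ-Internet", ("DMZ",), ("External",), "allow"),
)


if __name__ == "__main__":
    for label, pols, ifaces in (("before", BEFORE_POLICIES, BEFORE_INTERFACES),
                                ("after", AFTER_POLICIES, AFTER_INTERFACES)):
        print(label, find_overlaps(pols, ifaces) or "no alias overlap")
```

Run against the ‘before’ data, the script flags both policies: ‘LAN-Internet’ reaches the DMZ through ‘Any-Trusted’ and ‘Guest-Internet’ reaches the IoT segment through ‘Any-Optional’. Against the ‘after’ data it reports nothing, because the Custom interfaces are only reachable through the policy that names them.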