Systems and methods for designating interfaces of a network security appliance as source/destination interfaces in connection with defining a security rule are provided. According to one embodiment, a security rule configuration interface is displayed through which a network administrator can specify parameters of security rules to be applied to traffic attempting to traverse the network security appliance. Information defining a traffic flow to be controlled by a security rule is received via the security rule configuration interface. The information defining the traffic flow includes: (i) a set of source interfaces; and (ii) a set of destination interfaces. At least one of which includes multiple interfaces such that the security rule permits the traffic flow to be defined in terms of multiple source interfaces and/or multiple destination interfaces.