
Deploying a Security Gateway or a ClusterXL in Bridge Mode

If you install a new Security Gateway in a network and cannot change the IP routing scheme, use bridge mode. A Security Gateway in bridge mode is invisible to Layer-3 traffic. When authorized traffic arrives, the Security Gateway passes it to the next interface through bridging. This creates a Layer-2 relationship between two or more interfaces. Traffic that enters one interface exits the other interface. Bridging lets the Security Gateway inspect and forward traffic, without the original IP routing.

Before configuring the bridge, install the Security Gateway.

To manage the Security Gateway in bridge mode, configure a bridge interface either in the Gaia Portal or with the Gaia CLI.

To configure a bridge interface in the Gaia Portal:

  1. In the Gaia Portal navigation tree, select Network Interfaces.
  2. Click Add > Bridge, or select an interface and click Edit.

    The Add (or Edit) Bridge window opens.

  3. On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
  4. Select the interfaces from the Available Interfaces list and then click Add.
  5. Click the IPv4 or IPv6 tabs, and then enter the IP addresses and subnet.

    Or click Obtain IP Address automatically.

  6. Click OK.

To configure a bridge interface with the CLI:

  1. Run: add bridging group <Group Name> interface <physical interface name>
  2. Run the same command again for each interface that belongs to the bridge.
  3. Run: save config
  4. Add an IP address to the bridge interface (only the bridge interface gets an address, not its member ports):
    • IPv4: set interface <Group Name> ipv4-address <IP> subnet-mask <Mask>
    • IPv6: set interface <Group Name> ipv6-address <IP> mask-length <Prefix>
  5. Run: save config

Supported Software Blades in Bridge Mode

This table lists Software Blades and features and whether each is supported in Bridge Mode. It applies to a single Security Gateway deployment, to ClusterXL (with one switch) in Active/Active and Active/Standby deployment, and to ClusterXL with four switches.

Software Blade | Security Gateway in Bridge Mode | ClusterXL in Bridge Mode | VSX Virtual Systems in Bridge Mode
---------------|----------------------------------|---------------------------|-----------------------------------
Firewall | Yes | Yes | Yes
IPS | Yes | Yes | Yes
URL Filtering | Yes | Yes | Yes
DLP | Yes | Yes | No
Anti-Bot | Yes | Yes | Yes
Anti-Virus | Yes (1) | Yes (1) | Yes (1)
Application Control | Yes | Yes | Yes
HTTPS Inspection | Yes (2) | Yes (2) | No
Identity Awareness | Yes (3) | Yes (3) | No
Threat Emulation - ThreatCloud emulation | Yes | Yes | Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode
Threat Emulation - Local emulation | Yes | Yes | No in all Bridge Modes
Threat Emulation - Remote emulation | Yes | Yes | Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode
UserCheck | Yes | Yes | No
QoS | Yes (see sk89581) | No (see sk89581) | No (see sk79700)
HTTP / HTTPS proxy | Yes | Yes | No
Security Servers - SMTP, HTTP, FTP, POP3 | Yes | Yes | No
Client Authentication | Yes | Yes | No
User Authentication | Yes | Yes | No
Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on) | Yes | No | No
IPsec VPN | No | No | No
Mobile Access | No | No | No

Notes:

  1. Anti-Virus in Traditional Mode is not supported.
  2. HTTPS Inspection at Layer 2 acts as a man-in-the-middle based on MAC addresses rather than IP addresses:
    • The client sends a TCP [SYN] packet to MAC address X.
    • The Security Gateway creates a TCP [SYN-ACK] packet and sends it to MAC address X.
    • The Security Gateway in Bridge Mode does not need IP addresses for this, because CPAS takes the routing and the MAC address from the original packet.

    Note - To perform certificate validation (CRL/OCSP download), the Security Gateway needs at least one interface with an assigned IP address. Probe bypass can have issues in Bridge Mode; therefore, we do not recommend Probe bypass in a Bridge Mode configuration.

  3. Identity Awareness in Bridge Mode supports only the AD Query authentication.

For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.

Limitations in Bridge Mode

You can configure only two slave interfaces in a single Bridge interface. You can think of this Bridge interface as a two-port Layer 2 switch. Each port can be a Physical interface, a VLAN interface, or a Bond interface.

These features and deployments are not supported in Bridge Mode:

For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.

Configuring a Single Security Gateway in Bridge Mode

Diagram: SingleGWBridge (a single Security Gateway in Bridge Mode)

Item | Description
-----|------------
1 | Security Gateway that bridges Layer 2 traffic between the two network segments
2 and 3 | Switches that connect the network segments to the Security Gateway in Bridge Mode
4 | Network divided into two segments by the Security Gateway in Bridge Mode

To define the bridge topology:

  1. Configure a dedicated management interface.
  2. Configure the bridge interface. It must be in the bridged subnet. Only the bridge interface has an IP address. The bridge ports must not have IP addresses.
  3. Configure the bridge topology in the properties of the network object:
    • If a bridge port connects to the Internet, set the interface to External.
    • If the Security Gateway is in rules with Internet objects, set the interface to External.
    • If the topology uses Anti-Spoofing for the internal port (interface), set the interface to Internal and select the network that connects to the port.
    • If the topology does not use Anti-Spoofing, disable Anti-Spoofing on the bridge port.

    For example:

    Bridge Interface - eth0 - External - 192.0.2.0.208/24

    Bridge Port to Internet - eth1 - External - 0.0.0.0/0

    Bridge Port with Anti-Spoofing - eth2 - Internal to CP_default_Office network - 0.0.0.0/0
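As an added worked example (not Check Point's own code), the following Python pre-deployment check encodes the constraints this page states for the CLI procedure, the Limitations section and the bridge topology steps: a Bridge Group ID is an integer between 1 and 1024, a bridge interface has only two slave ports (physical, VLAN or bond), and only the bridge interface itself, never its ports, carries an IP address. It then emits the clish commands from the CLI procedure. The `br<ID>` bridge interface name and the interface-name patterns are assumptions; all addresses and interface names are constructed sample values.

```python
"""Plan check for a Gaia bridge interface (added example, not Check Point code)."""
import ipaddress
import re

# Assumption about Gaia naming: physical eth1, VLAN eth1.100, bond bond0 / bond0.200.
PORT_NAME = re.compile(r"^(eth\d+|bond\d+)(\.\d{1,4})?$")


def validate_bridge(group_id, ports, bridge_ip, port_ips=None):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    # Gaia Portal step 3: Bridge Group ID is a unique integer between 1 and 1024.
    if not isinstance(group_id, int) or not 1 <= group_id <= 1024:
        problems.append(f"Bridge Group ID {group_id!r} must be an integer between 1 and 1024")
    # Limitations: a bridge interface is a two-port Layer 2 switch.
    if len(ports) != 2:
        problems.append(f"a bridge interface takes two slave interfaces, got {len(ports)}")
    if len(set(ports)) != len(ports):
        problems.append("the same slave interface is listed twice")
    for p in ports:
        if not PORT_NAME.match(p):
            problems.append(f"{p}: not a physical, VLAN or bond interface name")
    # Topology step 2: the bridge interface has an address in the bridged subnet.
    try:
        ipaddress.ip_interface(bridge_ip)
    except ValueError:
        problems.append(f"bridge address {bridge_ip!r} is not a valid address/prefix")
    # Topology step 2: the bridge ports must not have IP addresses.
    for p, addr in (port_ips or {}).items():
        if addr:
            problems.append(f"{p} has address {addr}; bridge ports must not have IP addresses")
    return problems


def clish_commands(group_id, ports, bridge_ip):
    """Emit the CLI procedure's commands for a plan that passed validate_bridge()."""
    iface = ipaddress.ip_interface(bridge_ip)
    name = f"br{group_id}"  # assumption: Gaia names the bridge interface br<Group ID>
    cmds = [f"add bridging group {group_id} interface {p}" for p in ports]
    cmds.append("save config")
    if iface.version == 4:
        cmds.append(f"set interface {name} ipv4-address {iface.ip} subnet-mask {iface.netmask}")
    else:
        cmds.append(f"set interface {name} ipv6-address {iface.ip} mask-length {iface.network.prefixlen}")
    cmds.append("save config")
    return cmds


if __name__ == "__main__":
    plan = (1, ["eth1", "eth2"], "192.0.2.10/24")  # constructed sample plan
    issues = validate_bridge(*plan, port_ips={"eth1": None, "eth2": None})
    print("\n".join(issues) if issues else "\n".join(clish_commands(*plan)))
```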