Bridge Interfaces

Configure interfaces as a bridge to deploy security devices in a topology without reconfiguration of the IP routing scheme. This is an important advantage for large-scale, complex environments.

Bridge interfaces connect two different interfaces (bridge ports). Bridging two interfaces causes every Ethernet frame that is received on one bridge port to be transmitted to the other port. Thus, the two bridge ports participate in the same Broadcast domain (different from router port behavior). The security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. inspects every Ethernet frame that passes through the bridge.

Important - Only two interfaces can be connected by one Bridge interface, creating a virtual two-port switch. Each port can be a physical, VLAN, or bond device.

You can configure a Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. in the Bridge ModeClosed Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology.. The bridge functions without an assigned IP address. Bridged Ethernet interfaces (including aggregated interfaces) to work like ports on a physical bridge. You can configure the topology for the bridge ports in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. A separate network or group object represents the networks or subnets that connect to each port.

Notes:

  • The name of a Bridge interface in GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. is "br<Bridge Group ID>".

    For example, the name of a bridge interface with a Bridge Group ID of 5 is "br5".

  • Gaia OS supports bridge interfaces that implement native, Layer 2 bridging.

  • Gaia OS does not support Spanning Tree Protocol (STP) bridges.

  • A slave interface that is a part of a bond interface cannot be a part of a bridge interface.

  • For UserCheck to work properly, bridge group must use an IP address on the same subnet as clients or routers that connect to Security Groups.

The bridge interfaces send traffic with Layer 2 addressing. On the same device, you can configure some interfaces as bridge interfaces, while other interfaces work as Layer 3 interfaces. Traffic between bridge interfaces is inspected at Layer 2. Traffic between two Layer 3 interfaces, or between a bridge interface and a Layer 3 interface is inspected at Layer 3.