Deploying a Security Gateway or a ClusterXL in Bridge Mode

In This Section: Supported Software Blades in Bridge Mode Limitations in Bridge Mode Configuring a Single Security Gateway in Bridge Mode Configuring a ClusterXL in Bridge Mode Routing and Bridge Interfaces Managing a Security Gateway through the Bridge Interface IPv6 Neighbor Discovery Configuring Link State Propagation (LSP)

If you cannot divide the existing network into several networks with different IP addresses, you can install a Check Point Security Gateway (or a ClusterXL) in the Bridge Mode. A Security Gateway (or ClusterXL) in Bridge Mode is invisible to Layer 3 traffic. When traffic arrives at one of the bridge slave interfaces, the Security Gateway (or Cluster Members) inspects it and passes it to the second bridge slave interface.

Supported Software Blades in Bridge Mode

This table lists Software Blades, features, and their support for the Bridge Mode. This table applies to single Security Gateway deployment, ClusterXL (with one switch) in Active/Active and Active/Standby deployment, and ClusterXL with four switches.

Software Blade	Support of a Security Gateway in Bridge Mode	Support of a ClusterXL in Bridge Mode	Support of VSX Virtual Systems in Bridge Mode
Firewall	Yes	Yes	Yes
IPS	Yes	Yes	Yes
URL Filtering	Yes	Yes	Yes
DLP	Yes	Yes	No
Anti-Bot	Yes	Yes	Yes
Anti-Virus	Yes (1)	Yes (1)	Yes (1)
Application Control	Yes	Yes	Yes
HTTPS Inspection	Yes (2)	Yes (2)	No
Identity Awareness	Yes (3)	Yes (3)	No
Threat Emulation - ThreatCloud emulation	Yes	Yes	Yes in Active/Active Bridge Mode No in Active/Standby Bridge Mode
Threat Emulation - Local emulation	Yes	Yes	No in all Bridge Modes
Threat Emulation - Remote emulation	Yes	Yes	Yes in Active/Active Bridge Mode No in Active/Standby Bridge Mode
UserCheck	Yes	Yes	No
QoS	Yes (see sk89581)	No (see sk89581)	No (see sk79700)
HTTP / HTTPS proxy	Yes	Yes	No
Security Servers - SMTP, HTTP, FTP, POP3	Yes	Yes	No
Client Authentication	Yes	Yes	No
User Authentication	Yes	Yes	No
Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on)	Yes	No	No
IPsec VPN	No	No	No
Mobile Access	No	No	No

Notes:

1. Does not support the Anti-Virus in Traditional Mode.
2. HTTPS Inspection in Layer 2 works as Man-in-the-Middle, based on MAC addresses:
   • Client sends a TCP [SYN] packet to the MAC address X.
   • Security Gateway creates a TCP [SYN-ACK] packet and sends it to the MAC address X.
   • Security Gateway in Bridge Mode does not need IP addresses, because CPAS takes the routing and the MAC address from the original packet.

   Note - To be able to perform certificate validation (CRL/OCSP download), Security Gateway needs at least one interface to be assigned with an IP address. Probe bypass can have issues with Bridge Mode. Therefore, we do not recommend Probe bypass in Bridge Mode configuration.

3. Identity Awareness in Bridge Mode supports only the AD Query authentication.

For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.

Limitations in Bridge Mode

You can configure only two slave interfaces in a single Bridge interface. You can think of this Bridge interface as a two-port Layer 2 switch. Each port can be a Physical interface, a VLAN interface, or a Bond interface.

These features and deployments are not supported in Bridge Mode:

• Assigning an IP address to a Bridge interface in ClusterXL.
• NAT rules (specifically, FireWall kernel in logs shows the traffic as accepted, but Security Gateway does not actually forward it). For more information, see sk106146.
• Access to Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on) from bridged networks, if the bridge does not have an assigned IP address.
• Clusters with more than two Cluster Members.
• Full High Availability Cluster.
• Asymmetric traffic inspection in ClusterXL in Active/Active Bridge Mode. (Asymmetric traffic inspection is any situation, where the Client-to-Server packet is inspected by one Cluster Member, while the Server-to-Client packet is inspected by the other Cluster Member. In such scenarios, several security features do not work.)

For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.