If you cannot divide the existing network into several networks with different IP addresses, you can install a Check Point Security Gateway (or a ClusterXL) in Bridge Mode. A Security Gateway (or ClusterXL) in Bridge Mode is invisible to Layer 3 traffic. When traffic arrives at one of the bridge slave interfaces, the Security Gateway (or Cluster Members) inspects it and passes it to the second bridge slave interface.
This table lists Software Blades, features, and their support for Bridge Mode. This table applies to a single Security Gateway deployment, ClusterXL (with one switch) in Active/Active and Active/Standby deployments, and ClusterXL with four switches.
Software Blade | Support of a | Support of a | Support of VSX Virtual Systems |
---|---|---|---|
Firewall | Yes | Yes | Yes |
IPS | Yes | Yes | Yes |
URL Filtering | Yes | Yes | Yes |
DLP | Yes | Yes | No |
Anti-Bot | Yes | Yes | Yes |
Anti-Virus | Yes (1) | Yes (1) | Yes (1) |
Application Control | Yes | Yes | Yes |
HTTPS Inspection | Yes (2) | Yes (2) | No |
Identity Awareness | Yes (3) | Yes (3) | No |
Threat Emulation - ThreatCloud emulation | Yes | Yes | Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode |
Threat Emulation - Local emulation | Yes | Yes | No in all Bridge Modes |
Threat Emulation - Remote emulation | Yes | Yes | Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode |
UserCheck | Yes | Yes | No |
QoS | Yes (see sk89581) | No (see sk89581) | No (see sk79700) |
HTTP / HTTPS proxy | Yes | Yes | No |
Security Servers - SMTP, HTTP, FTP, POP3 | Yes | Yes | No |
Client Authentication | Yes | Yes | No |
User Authentication | Yes | Yes | No |
Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on) | Yes | No | No |
IPsec VPN | No | No | No |
Mobile Access | No | No | No |
Notes:
Note - To perform certificate validation (CRL/OCSP download), the Security Gateway needs at least one interface with an assigned IP address. Probe bypass can have issues with Bridge Mode. Therefore, we do not recommend Probe bypass in a Bridge Mode configuration.
For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.
You can configure only two slave interfaces in a single Bridge interface. You can think of this Bridge interface as a two-port Layer 2 switch. Each port can be a Physical interface, a VLAN interface, or a Bond interface.
These features and deployments are not supported in Bridge Mode:
For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.