
Managing a Security Gateway through the Bridge Interface

Example topology (numbered items in the figure):

  1. Security Management Server
  2. Router
  3. Bridge interface on the Security Gateway
  4. Security Gateway
  5. Regular traffic interface on the Security Gateway
  6. Regular traffic interface on the Security Gateway

Packet flow:

  1. The Security Management Server sends a management packet to the Management Interface on the Security Gateway. This Management Interface is configured as a Bridge interface.
  2. The Security Gateway inspects the first management packet it receives on the first slave of the Bridge interface.
  3. The Security Gateway forwards the inspected management packet to the router through the second slave of the Bridge interface.
  4. The router sends the packet to the first slave of the Bridge interface.
  5. The Security Gateway concludes that this packet is a retransmission and drops it.

Procedure for Security Gateways R80.10 and Above

Configure the Security Gateway to reroute packets on the Bridge interface by setting the kernel parameter fwx_bridge_reroute_enabled to 1. The Security Gateway then verifies that the MD5 hash of the packet that leaves the Management Interface and the hash of the packet that re-enters the Bridge interface are the same. Other packets in this connection are handled by the Bridge interface without using the router.

Notes:

Procedure:

  1. Connect to the command line on the Security Gateway.
  2. Log in to the Expert mode.
  3. Modify the $FWDIR/boot/modules/fwkern.conf file.

     3A. Back up the current $FWDIR/boot/modules/fwkern.conf file:

         # cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

         Important - If this file does not exist, create it. Run:

         # touch $FWDIR/boot/modules/fwkern.conf

     3B. Edit the current $FWDIR/boot/modules/fwkern.conf file:

         # vi $FWDIR/boot/modules/fwkern.conf

     3C. Add this line in the file:

         fwx_bridge_reroute_enabled=1

         Important - This configuration file does not support spaces or comments.

     3D. Save the changes in the file.

     3E. Exit the Vi editor.

  4. Set the value of the required kernel parameter on-the-fly:

     # fw ctl set int fwx_bridge_reroute_enabled 1

  5. Make sure the Security Gateway loaded the new configuration:

     # fw ctl get int fwx_bridge_reroute_enabled

  6. Reboot the Security Gateway when possible.

     After reboot, make sure the Security Gateway loaded the new configuration:

     # fw ctl get int fwx_bridge_reroute_enabled
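The following script is an added example, not part of the Check Point guide or its tooling. It carries out steps 3 and 4 in a repeatable way: it creates fwkern.conf if it is missing, keeps a backup, replaces or appends the fwx_bridge_reroute_enabled line (so a second run does not duplicate it), refuses names or values containing spaces or '#' because the file supports neither, and only calls fw ctl when that binary exists. The file path is passed as an argument; on a gateway that would be $FWDIR/boot/modules/fwkern.conf (an assumption about how you invoke it).

```shell
#!/bin/sh
# Added example (not Check Point's own code). Idempotently manage one
# NAME=VALUE entry in a fwkern.conf-style file and apply it at runtime.

# set_fwkern_param FILE NAME VALUE
set_fwkern_param() {
    file=$1 name=$2 value=$3
    # fwkern.conf does not support spaces or comments: reject them up front.
    case "$name$value" in
        *[[:space:]#]*) echo "set_fwkern_param: spaces and '#' are not allowed" >&2; return 1 ;;
    esac
    # Create the file if it does not exist (step 3A), then keep a backup.
    [ -f "$file" ] || touch "$file"
    cp "$file" "${file}_BKP"
    tmp="${file}.tmp.$$"
    # Drop any previous assignment of NAME, then append the new one (step 3C).
    grep -v "^${name}=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# check_fwkern_file FILE: succeed only if no line contains whitespace or '#'.
check_fwkern_file() {
    ! grep -qE '[[:space:]]|#' "$1"
}

# apply_runtime NAME VALUE: step 4 and 5, run only where fw is available.
apply_runtime() {
    if command -v fw >/dev/null 2>&1; then
        fw ctl set int "$1" "$2" && fw ctl get int "$1"
    else
        echo "fw not found; on the gateway run: fw ctl set int $1 $2" >&2
    fi
}

# Example invocation (path is an assumption; use $FWDIR/boot/modules/fwkern.conf on a gateway):
# set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" fwx_bridge_reroute_enabled 1 \
#   && check_fwkern_file "$FWDIR/boot/modules/fwkern.conf" \
#   && apply_runtime fwx_bridge_reroute_enabled 1
```

A reboot is still required for the file-based setting to take effect on its own; the runtime change covers the gateway until then.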