Managing a Security Gateway through the Bridge Interface

Example Topology

Item  Description
----  -----------
1     Security Management Server
2     Router
3     Bridge interface on the Security Gateway
4     Security Gateway
5     Regular traffic interface on the Security Gateway
6     Regular traffic interface on the Security Gateway

Packet flow

  1. The Security Management Server sends a management packet to the Management Interface on the Security Gateway.

    This Management Interface is configured as a Bridge interface.

  2. The Security Gateway inspects the first management packet it receives on the first subordinate interface of the Bridge interface.

  3. The Security Gateway forwards the inspected management packet to the router through the second subordinate interface of the Bridge interface.

  4. The router sends the packet to the first subordinate interface of the Bridge interface.

  5. The Security Gateway concludes that this packet is a retransmission and drops it.

Procedure

Configure the Security Gateway to reroute packets on the Bridge interface.

Set the value of the kernel parameter "fwx_bridge_reroute_enabled" to 1.

With this parameter set, the Security Gateway verifies that the MD5 hash of the packet leaving the Management Interface matches the hash of the packet entering the Bridge interface, so it recognizes the returning packet as the same packet instead of treating it as a retransmission.

Other packets in this connection are handled by the Bridge interface without using the router.

Notes:

  • To make the change permanent (to survive reboot), you configure the value of the required kernel parameter in the configuration file.

    This change applies only after a reboot.

  • To apply the change on-the-fly (does not survive reboot), you configure the value of the required kernel parameter with the applicable command.

Step 1: Connect to the command line on the Security Gateway.

Step 2: Log in to the Expert mode.

Step 3: Modify the $FWDIR/boot/modules/fwkern.conf file:

  1. Back up the current $FWDIR/boot/modules/fwkern.conf file:

    cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

    If this file does not exist, create it:

    touch $FWDIR/boot/modules/fwkern.conf

  2. Edit the current $FWDIR/boot/modules/fwkern.conf file:

    vi $FWDIR/boot/modules/fwkern.conf

  3. Add this line in the file:

    fwx_bridge_reroute_enabled=1

    Important - This configuration file does not support spaces or comments.

  4. Save the changes in the file.

  5. Exit the Vi editor.

Step 4: Set the value of the required kernel parameter on-the-fly:

fw ctl set int fwx_bridge_reroute_enabled 1

Step 5: Make sure the Security Gateway loaded the new configuration:

fw ctl get int fwx_bridge_reroute_enabled

The output must return:

fwx_bridge_reroute_enabled = 1

Step 6: Reboot the Security Gateway when possible.

Step 7: After the reboot, make sure the Security Gateway loaded the new configuration:

fw ctl get int fwx_bridge_reroute_enabled

The output must return:

fwx_bridge_reroute_enabled = 1
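The steps above, collected into a POSIX shell helper as an added example (this is not Check Point's own tooling). It assumes the documented file path $FWDIR/boot/modules/fwkern.conf (overridable with a third argument so the file handling can be exercised off-box), enforces the "no spaces or comments" rule on the name, the value and the whole file, keeps a single line per parameter on repeated runs, and applies and verifies the value with fw ctl only when that command is present on the host.

```shell
#!/bin/sh
# Added example, not Check Point's own code: idempotently set a kernel
# parameter in fwkern.conf, respecting the rule that the file accepts no
# spaces and no comments, then apply and verify it on-the-fly with "fw ctl"
# when that command exists on the host.
set -eu

# Return 1 if any line of the file is not of the form NAME=VALUE (this
# catches spaces, "#" comments and blank lines). Run it before rebooting.
fwkern_check_conf() {
    conf=$1
    [ -f "$conf" ] || return 1
    # -v selects offending lines; grep exits 0 when it finds at least one
    if grep -Evq '^[A-Za-z0-9_]+=[A-Za-z0-9_]+$' "$conf"; then
        return 1
    fi
    return 0
}

# Set NAME=VALUE in the file, creating it and backing it up first as the
# procedure does. The file defaults to $FWDIR/boot/modules/fwkern.conf;
# pass a third argument to work on another path (e.g. when testing).
fwkern_set_param() {
    key=$1
    value=$2
    conf=${3:-$FWDIR/boot/modules/fwkern.conf}

    # Reject names or values that would put a space or "#" in the file.
    printf '%s\n' "$key"   | grep -Eq '^[A-Za-z0-9_]+$' || return 1
    printf '%s\n' "$value" | grep -Eq '^[0-9]+$'        || return 1

    [ -f "$conf" ] || touch "$conf"
    cp "$conf" "${conf}_BKP"

    # Rewrite without any existing line for this key, then append the new one,
    # so a second run updates the value instead of adding a duplicate line.
    tmp="${conf}.tmp.$$"
    grep -v "^${key}=" "$conf" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"

    # Confirm the exact line is now present.
    grep -qx "${key}=${value}" "$conf"
}

# Apply on-the-fly and verify, mirroring steps 4 and 5 of the procedure.
# Returns 2 when the fw command is not available on this host.
fwkern_apply_param() {
    key=$1
    value=$2
    command -v fw >/dev/null 2>&1 || return 2
    fw ctl set int "$key" "$value"
    # "fw ctl get int" prints "<name> = <value>"
    [ "$(fw ctl get int "$key")" = "$key = $value" ]
}

# Usage on the gateway, in Expert mode:
#   fwkern_set_param fwx_bridge_reroute_enabled 1 \
#     && fwkern_apply_param fwx_bridge_reroute_enabled 1 \
#     && fwkern_check_conf "$FWDIR/boot/modules/fwkern.conf"
```

fwkern_check_conf is worth running after any hand edit with vi: a stray trailing space or a commented-out line is exactly what the file format rejects, and the failure would otherwise surface only after the reboot in Step 6.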