Bridge Interfaces

Configure interfaces as a bridge to deploy security devices in a topology without reconfiguration of the IP routing scheme. This is an important advantage for large-scale, complex environments.

Bridge interfaces connect two different interfaces (bridge ports). Bridging two interfaces causes every Ethernet frame received on one bridge port to be transmitted out of the other port. The two bridge ports therefore share one broadcast domain (unlike router ports, which separate broadcast domains). The security policy inspects every Ethernet frame that passes through the bridge, so the gateway sees all traffic between the two segments even though it has no IP address on the path.

Important - Only two interfaces can be connected by one Bridge interface, creating a virtual two-port switch. Each port can be a physical, VLAN, or bond device.

You can configure bridge mode with one Security Gateway, a Cluster, or a Scalable Platform Security Group. The bridge functions without an assigned IP address. Bridged Ethernet interfaces (including aggregated interfaces) work like ports on a physical bridge. You can configure the topology for the bridge ports in SmartConsole: a separate network or group object represents the networks or subnets that connect to each port.

Notes:

  • The name of a Bridge interface in Gaia is "br<Bridge Group ID>".

    For example, the name of a bridge interface with a Bridge Group ID of 5 is "br5".

  • Gaia OS supports bridge interfaces that implement native, Layer 2 bridging.

  • Gaia OS does not support Spanning Tree Protocol (STP) bridges.

  • A subordinate interface that is part of a bond interface cannot be part of a bridge interface (the bond itself can be a bridge port; its member interfaces cannot).

  • For UserCheck to work properly, the bridge group must have an IP address on the same subnet as the clients or routers that connect to the Security Gateway, Cluster, or Security Group.

  • Scalable Chassis 60000 / 40000 do not generate BPDU (STP) frames.

  • Scalable Chassis 60000 / 40000 forward BPDU (STP) packets between subordinate interfaces of the bridge.

  • To set the MTU of a Bridge subordinate interface, configure the MTU on the Bridge interface itself.

    That MTU applies to all subordinate interfaces assigned to the Bridge interface.
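The constraints in the notes above (exactly two ports, no bond member as a port, "br<ID>" naming, MTU set on the bridge rather than on its ports) are easy to violate when a change is scripted. The following pre-flight check is an added example, not Check Point code: it validates a planned bridge and prints the Gaia clish commands to create it. The command syntax ("add bridging group", "set interface ... mtu", "save config") is an assumption based on my recollection of the Gaia Administration Guide; verify it against your release. The bond-member list is constructed input; on a real appliance you would derive it from the bonding configuration.

```shell
#!/bin/sh
# Added example (not Check Point code): validate a planned Gaia bridge against
# the documented constraints and emit the clish commands to create it.
# Usage: plan_bridge <bridge-id> <mtu> "<bond members>" <port1> <port2>
#   <bond members> is a space-separated list of interfaces that already belong
#   to a bond (constructed input here; derive it from the bonding config on a
#   real appliance).
plan_bridge() {
    id=$1; mtu=$2; bond_members=$3; shift 3

    # Rule: one bridge connects exactly two ports (a virtual two-port switch).
    if [ "$#" -ne 2 ]; then
        echo "error: bridge br$id needs exactly 2 ports, got $#" >&2
        return 1
    fi

    # Rule: a bond subordinate cannot also be a bridge port
    # (the bond interface itself may be a port; its members may not).
    for p in "$@"; do
        for m in $bond_members; do
            if [ "$p" = "$m" ]; then
                echo "error: $p is a bond subordinate and cannot be a bridge port" >&2
                return 1
            fi
        done
    done

    # Sanity: bridging an interface to itself is meaningless.
    if [ "$1" = "$2" ]; then
        echo "error: both ports are $1" >&2
        return 1
    fi

    # Emit the clish commands (assumed syntax; check your Gaia release).
    # The bridge is named br<ID>; the MTU is set once on the bridge and is
    # inherited by both subordinate interfaces.
    printf 'add bridging group %s\n' "$id"
    for p in "$@"; do
        printf 'add bridging group %s interface %s\n' "$id" "$p"
    done
    printf 'set interface br%s mtu %s\n' "$id" "$mtu"
    printf 'save config\n'
}

# Example run: bridge group 5 over eth1 and eth2, MTU 1500, while eth3 and
# eth4 are members of an existing bond.
plan_bridge 5 1500 "eth3 eth4" eth1 eth2
```

Run the function with the planned values before touching the appliance; a non-zero return means the plan breaks one of the constraints above, and the printed commands can be pasted into clish (or reviewed in a change ticket) when it passes.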

Bridge interfaces forward traffic with Layer 2 addressing. On the same device, you can configure some interfaces as bridge ports while other interfaces work as Layer 3 interfaces. Traffic between the two ports of a bridge is inspected at Layer 2. Traffic between two Layer 3 interfaces, or between a bridge interface and a Layer 3 interface, is inspected at Layer 3.