Deploying a Security Gateway or a ClusterXL in Bridge Mode

Introduction to Bridge Mode

If you cannot divide the existing network into several networks with different IP addresses, you can install a Check Point Security Gateway (or a ClusterXL) in Bridge Mode, in which the Security Gateway or Virtual System works as a Layer 2 bridge device for easy deployment in an existing topology.

A Security Gateway (or ClusterXL) in Bridge Mode is invisible to Layer 3 traffic.

When traffic arrives at one of the bridge subordinate interfaces, the Security Gateway (or Cluster Members) inspects it and passes it to the second bridge subordinate interface.

Supported Software Blades in Bridge Mode

This table lists Software Blades, features, and their support for the Bridge Mode.

This table applies to single Security Gateway deployment, ClusterXL (with one switch) in Active/Active and Active/Standby deployment, and ClusterXL with four switches.

Columns: Software Blade | Support of a Security Gateway in Bridge Mode | Support of a ClusterXL in Bridge Mode | Support of VSX Virtual Systems in Bridge Mode

Firewall

IPS

URL Filtering

DLP

Anti-Bot

Anti-Virus: (1) | (1) | (1)

Application Control

HTTPS Inspection: (2) | (2)

Identity Awareness: (3) | (3)

Threat Emulation - ThreatCloud emulation: Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode

Threat Emulation - Local emulation: No in all Bridge Modes

Threat Emulation - Remote emulation: Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode

Threat Extraction: Yes in Active/Active Bridge Mode; No in Active/Standby Bridge Mode

UserCheck

QoS: (see sk89581) | (see sk89581) | (see sk79700)

HTTP / HTTPS proxy

Security Servers - SMTP, HTTP, FTP, POP3

Client Authentication

User Authentication

Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on)

IPsec VPN

Mobile Access

Notes:

  1. Does not support the Anti-Virus in Traditional Mode.

  2. HTTPS Inspection in Layer 2 works as Man-in-the-Middle, based on MAC addresses:

    • Client sends a TCP [SYN] packet to the MAC address X.

    • Security Gateway creates a TCP [SYN-ACK] packet and sends it to the MAC address X.

    • Security Gateway in Bridge Mode does not need IP addresses, because CPAS takes the routing and the MAC address from the original packet.

    Note - To be able to perform certificate validation (CRL/OCSP download), Security Gateway needs at least one interface to be assigned with an IP address. Probe bypass can have issues with Bridge Mode. Therefore, we do not recommend Probe bypass in Bridge Mode configuration.

  3. Identity Awareness in Bridge Mode supports only the AD Query authentication.
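To make the Layer 2 handshake described in note 2 concrete, here is an added model (not Check Point code) of how a bridge-mode HTTPS inspector answers a client's SYN by copying the MAC and IP fields from the original frame, and why CRL/OCSP validation still needs an interface with an IP address. The class, field names and sample addresses are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Frame:
    """Minimal Ethernet/IP/TCP header fields of one frame (hypothetical model)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: str          # "SYN", "SYN-ACK", "ACK", ...


class BridgeHttpsInspector:
    """Model of a Layer 2 HTTPS-inspecting gateway (hypothetical, not Check Point code)."""

    def __init__(self, interface_ips: Tuple[str, ...] = ()):
        self.interface_ips = interface_ips     # IPs assigned to the gateway's own interfaces
        self.sessions = {}                     # client 4-tuple -> next-hop MAC seen on the SYN

    def on_frame(self, frame: Frame) -> Optional[Frame]:
        """Return the frame the gateway sends back, or None if it just forwards."""
        if frame.flags == "SYN" and frame.dst_port == 443:
            # The client addressed MAC X; the gateway answers as if it were MAC X.
            # Every L2/L3 field is copied from the original packet, so the bridge
            # needs no IP address of its own to complete the handshake.
            key = (frame.src_ip, frame.src_port, frame.dst_ip, frame.dst_port)
            self.sessions[key] = frame.dst_mac
            return Frame(src_mac=frame.dst_mac, dst_mac=frame.src_mac,
                         src_ip=frame.dst_ip, dst_ip=frame.src_ip,
                         src_port=frame.dst_port, dst_port=frame.src_port,
                         flags="SYN-ACK")
        return None   # other traffic is inspected and passed to the second bridge port

    def can_validate_certificate(self) -> bool:
        # CRL/OCSP downloads are new connections that originate from the gateway
        # itself, which is why at least one interface must carry an IP address.
        return len(self.interface_ips) > 0


def example_handshake() -> Tuple[Frame, Optional[Frame]]:
    """Constructed sample: a client SYN to port 443 addressed to next-hop MAC X."""
    gateway = BridgeHttpsInspector()           # bridge with no IP address at all
    syn = Frame("aa:aa:aa:aa:aa:01", "00:11:22:33:44:55",   # client MAC, MAC X
                "10.0.0.10", "203.0.113.7", 51000, 443, "SYN")
    return syn, gateway.on_frame(syn)
```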

Limitations in Bridge Mode

You can configure only two subordinate interfaces in a single Bridge interface. You can think of this Bridge interface as a two-port Layer 2 switch. Each port can be a Physical interface, a VLAN interface, or a Bond interface.

These features and deployments are not supported in Bridge Mode:

  • Assigning an IP address to a Bridge interface in ClusterXL.

  • NAT rules (specifically, Firewall kernel in logs shows the traffic as accepted, but Security Gateway does not actually forward it). For more information, see sk106146.

  • Access to Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on) from bridged networks, if the bridge does not have an assigned IP address.

  • Clusters with more than two Cluster Members.

  • Full High Availability Cluster.

  • Asymmetric traffic inspection in ClusterXL in Active/Active Bridge Mode.

    (Asymmetric traffic inspection is any situation where the Client-to-Server packet is inspected by one Cluster Member, while the Server-to-Client packet is inspected by the other Cluster Member. In such scenarios, several security features do not work.)

For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.