Deploying a Security Group in Bridge Mode

Introduction to Bridge Mode

If it is not possible divide the existing network into several networks with different IP addresses, you can configure a Security Group A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. in the Bridge Mode Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology..

A Security Group in Bridge Mode is invisible to Layer 3 traffic.

When traffic arrives at one of the bridge slave interfaces, the Security Group inspects it and passes it to the second bridge slave interface.

Example Topology for Bridge Mode

Item	Description
1	Network, which an administrator needs to divide into two Layer 2 segments. The Security Group in Bridge Mode connects between these segments.
2	First network segment.
3	Switch that connects the first network segment to one bridged slave interface (4) on the Security Group in Bridge Mode.
4	One bridged slave interface (for example, `eth1-05`) on the Security Group in Bridge Mode.
5	Security Group in Bridge Mode.
6	Another bridged slave interface (for example, `eth1-07`) on the Security Group in Bridge Mode.
7	Dedicated Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Management Interface (1) Interface on a Gaia Security Gateway or Cluster member, through which Management Server connects to the Security Gateway or Cluster member. (2) Interface on Gaia computer, through which users connect to Gaia Portal or CLI. (for example, `eth1-Mgmt1`) on the Security Group.
8	Switch that connects the second network segment to the other bridged slave interface (6) on the Security Group in Bridge Mode.
9	Second network segment.

Supported Software Blades in Monitor Mode

This table lists Software Blades, features, and their support for the Bridge Mode.

Software Blade or Feature	Support of a Security Gateway in Bridge Mode	Support of VSX Virtual Systems in Bridge Mode
Firewall	Yes	Yes
IPsec VPN Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access.	No	No
IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System).	Yes	Yes
URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF.	Yes	Yes
DLP	Yes	No
Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT.	Yes	Yes
Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV.	Yes ⁽¹⁾	Yes ⁽¹⁾
Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI.	Yes	Yes
HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi.	Yes ⁽²⁾	No
Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA.	Yes ⁽³⁾	No
Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. - ThreatCloud emulation	Yes	Yes in Active/Active Bridge Mode No in Active/Standby Bridge Mode
Threat Emulation - Local emulation	Yes	No in all Bridge Modes
Threat Emulation - Remote emulation	Yes	Yes in Active/Active Bridge Mode No in Active/Standby Bridge Mode
Mobile Access Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB.	No	No
UserCheck	Yes	No
Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP. Portal, and so on)	Yes	No
QoS Check Point Software Blade on a Security Gateway that provides policy-based traffic bandwidth management to prioritize business-critical traffic and guarantee bandwidth and control latency.	Yes (see sk89581)	No (see sk79700)
HTTP / HTTPS proxy	Yes	No
Security Servers - SMTP, HTTP, FTP, POP3	Yes	No
Client Authentication	Yes	No
User Authentication	Yes	No

Notes:

Does not support the Anti-Virus in Traditional Mode.
HTTPS Inspection in Layer 2 works as Man-in-the-Middle, based on MAC addresses:
- Client sends a TCP [SYN] packet to the MAC address X.
- Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. creates a TCP [SYN-ACK] packet and sends it to the MAC address X.
- Security Gateway in Bridge Mode does not need IP addresses, because CPAS takes the routing and the MAC address from the original packet.
Note - To be able to perform certificate validation (CRL/OCSP download), Security Gateway needs at least one interface to be assigned with an IP address. Probe bypass can have issues with Bridge Mode. Therefore, we do not recommend Probe bypass in Bridge Mode configuration.
Identity Awareness in Bridge Mode supports only the AD Query authentication.

Limitations in Bridge Mode

You can configure only two slave interfaces in one Bridge interface. You can think of this Bridge interface as a two-port Layer 2 switch. Each port can be a Physical interface, a VLAN interface, or a Bond interface.

These features and deployments are not supported in Bridge Mode:

NAT rules (specifically, Firewall kernel in logs shows the traffic as accepted, but Security Gateway does not actually forward it). For more information, see sk106146.
Access to Multi-Portal (Mobile Access Portal, Identity Awareness Captive Portal, Data Loss Prevention Portal, and so on) from bridged networks, if the bridge does not have an assigned IP address.

For more information, see sk101371: Bridge Mode on Gaia OS and SecurePlatform OS.