Configuring a DLP Gateway in Bridge Mode
Best Practice and Limitations
Best Practice - When you set up a dedicated DLP Gateway, Check Point recommends that you configure the DLP Gateway as a bridge, so that the DLP Gateway is transparent to network routing.
You can configure DLP in bridge mode (the Security Gateway or Virtual System works as a Layer 2 bridge device, for easy deployment in an existing topology), with the requirements described in this section for routing, IP address, and VLAN trunks.
Note the current limitations:
- In an environment with more than one bridge interface, the DLP Gateway must not see the same traffic twice on the different interfaces. The traffic must not run from one bridged segment to another.
- Inter-bridge routing is not supported. This includes inter-VLAN routing.
- If the bridge interface is connected to a VLAN trunk, all VLANs are scanned by DLP. You cannot keep out specific VLANs.
- Routing from the bridge interface to a Layer 3 interface, and from a Layer 3 interface to the bridge, is not supported. Traffic on the bridge interface must run through the bridge or be designated to the DLP Gateway.
- From R76, the DLP Gateway in bridge mode can be in a cluster (two or more Security Gateways that work together in a redundant configuration) in High Availability mode. However, the Ask User action and the UserCheck Agent are not supported.
- If the DLP Gateway in bridge mode is behind a cluster, the cluster must be in High Availability mode.
- Bond High Availability (HA) or Bond Load Sharing (LS) (including Link Aggregation) are not supported in combination with bridge interfaces.

There must be routes between the DLP Gateway and the necessary servers:
- DNS server
- Mail server, if an SMTP Relay server is configured to work with the Security Gateway
- Active Directory or LDAP server, if configured to work with the Security Gateway

There must be a default route. If this is not a valid route, it must reach a server that answers ARP requests.
If UserCheck is enabled, configure routing between the DLP Gateway and the network.

The bridge interface can be configured without an IP address, if another interface on the Security Gateway is configured to connect to the UserCheck Client and the DLP Portal.
If you add an IP address to the bridge interface after the Security Gateway has started, run the cpstop and cpstart commands to apply the change.

- A single bridge interface must be configured to bind the DLP Gateway for a VLAN trunk.
- If an IP address is configured on the bridge, the IP address must not belong to any of the networks going through the bridge. Users must have routes that run traffic through the bridge interface of the DLP Gateway. The Security Gateway handles this traffic and answers on the same VLAN as the original traffic.
- In a VLAN trunk interface, another interface must be configured as the management interface for the necessary bridge routing.
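The limitations, routing requirements and bridge IP address rules above are easy to get wrong when several of them interact. The following is an added example, not Check Point code and not something the gateway itself runs: it turns those requirements into a pre-deployment check over a plain description of the planned deployment. The BridgePlan model, its field names and the two sample plans are assumptions constructed here; the bond rule is read conservatively, so any bond interface on a gateway that also has a bridge is flagged.

```python
"""Pre-deployment sanity check for a DLP Gateway planned in bridge mode.

Added illustration: encodes the bridge-mode requirements from this page
(bridge IP outside every bridged network, a default route, routes to the
DNS/mail/LDAP servers, no bond in combination with bridge interfaces,
cluster in High Availability mode, an IP interface for UserCheck) as
checks over a plain description of the planned deployment. The BridgePlan
model and the sample plans are assumptions constructed here; this is not
Check Point tooling and does not read the gateway's configuration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional


@dataclass
class BridgePlan:
    bridge_ip: Optional[str]                # "a.b.c.d/len", or None for no IP on the bridge
    bridged_networks: List[str]             # networks whose traffic crosses the bridge
    routes: List[str]                       # destination networks with a route; "default" allowed
    dns_server: str
    mail_server: Optional[str] = None       # only when an SMTP relay is configured
    ldap_server: Optional[str] = None       # only when AD/LDAP is configured
    bridge_members: List[str] = field(default_factory=list)
    bond_interfaces: List[str] = field(default_factory=list)  # Bond HA / Bond LS interfaces
    cluster_mode: Optional[str] = None      # None, "HA" or "LS"
    usercheck_enabled: bool = False
    other_ip_interface: Optional[str] = None  # non-bridge interface for UserCheck / DLP Portal


def has_route(plan: BridgePlan, host: str) -> bool:
    """True if a default route or a covering network route exists for host."""
    addr = ip_address(host)
    return any(r == "default" or addr in ip_network(r, strict=False) for r in plan.routes)


def check_plan(plan: BridgePlan) -> List[str]:
    """Return the violated requirements; an empty list means the plan passes."""
    problems: List[str] = []

    # The bridge IP must not belong to any network going through the bridge.
    if plan.bridge_ip:
        bip = ip_interface(plan.bridge_ip).ip
        for net in plan.bridged_networks:
            if bip in ip_network(net, strict=False):
                problems.append(f"bridge IP {bip} belongs to bridged network {net}")

    # A default route is required.
    if "default" not in plan.routes:
        problems.append("no default route")

    # Routes to the servers the gateway needs (mail/LDAP only when configured).
    for label, host in (("DNS", plan.dns_server), ("mail", plan.mail_server), ("LDAP", plan.ldap_server)):
        if host and not has_route(plan, host):
            problems.append(f"no route to {label} server {host}")

    # Bond HA/LS is not supported in combination with bridge interfaces.
    # Read conservatively: any bond on a gateway that has a bridge is flagged.
    if plan.bond_interfaces and plan.bridge_members:
        problems.append("bond interfaces not supported together with bridge interfaces")

    # A clustered bridge-mode DLP Gateway must use High Availability, not Load Sharing.
    if plan.cluster_mode == "LS":
        problems.append("cluster must be High Availability, not Load Sharing")

    # UserCheck needs an IP interface: either on the bridge or on another interface.
    if plan.usercheck_enabled and not (plan.bridge_ip or plan.other_ip_interface):
        problems.append("UserCheck enabled but no IP interface for the client and DLP Portal")

    return problems


# Constructed sample plans (not real deployments).
GOOD_PLAN = BridgePlan(
    bridge_ip="192.0.2.10/24",              # outside both bridged networks
    bridged_networks=["10.1.0.0/16", "10.2.0.0/16"],
    routes=["default"],
    dns_server="10.1.0.53",
    mail_server="10.2.0.25",
    ldap_server="10.1.0.10",
    bridge_members=["eth1", "eth2"],
    cluster_mode="HA",
    usercheck_enabled=True,
)

BAD_PLAN = BridgePlan(
    bridge_ip="10.1.0.5/16",                # inside a bridged network
    bridged_networks=["10.1.0.0/16"],
    routes=["10.1.0.0/16"],                 # no default route
    dns_server="10.9.0.53",                 # not covered by any route
    bridge_members=["bond0", "eth2"],
    bond_interfaces=["bond0"],
    cluster_mode="LS",
    usercheck_enabled=True,
)

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "OK")
```

Run as a script, the good plan reports OK and the bad plan lists five violations (bridge IP inside a bridged network, missing default route, no route to the DNS server, bond with bridge, Load Sharing cluster). Only the statically decidable rules are covered: whether the default route's next hop actually answers ARP, and whether users' routes really send traffic through the bridge, can only be confirmed on the live network.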