Bridge Mode

Bridge mode is a feature that allows you to install your Firebox between an existing network and its gateway to filter or manage network traffic. When you enable this feature, your Firebox processes and forwards all network traffic to other gateway devices. When the traffic arrives at a gateway from the Firebox, it appears to have been sent from the original device.

To use bridge mode, you must specify an IP address that is used to manage your Firebox. The device also uses this IP address to receive security services signature updates and to route traffic to internal DNS, NTP, or WebBlocker servers. Because of this, make sure you assign an IP address that has a route to the Internet.

When you use bridge mode, your Firebox cannot complete some functions that require the device to operate as a gateway. These functions include:

  • Multi-WAN
  • VLANs (Virtual Local Area Networks)
  • Network bridges
  • Link aggregation
  • Static routes
  • FireCluster
  • Secondary networks
  • DHCP server or DHCP relay
  • Modem failover
  • 1-to-1, dynamic, or static NAT
  • Dynamic routing (OSPF, BGP, or RIP)
  • Any type of VPN for which the Firebox is an endpoint or gateway
  • Some proxy functions, including HTTP Web Cache Server
  • Authentication automatic redirect
  • Management of an AP device by the Gateway Wireless Controller
  • Mobile Security
  • Network Discovery

If you have previously configured these features or services, they are disabled when you switch to bridge mode. To use these features or services again, you must use a different network mode. If you return to drop-in or mixed routing mode, you might have to configure some features again.

When you enable Bridge Mode, the Firebox automatically adds a Related Hosts entry for the default gateway configured on interface 0. If the default gateway IP address resides on a different interface, you must change the Related Hosts entry to the correct interface.

To learn more, see Configure Related Hosts.

When you enable bridge mode, any interfaces with a previously configured network bridge or VLAN are disabled. To use those interfaces, you must first change to either drop-in or mixed routing mode, and configure the interface as External, Optional, or Trusted, then return to bridge mode. Wireless features on a wireless Firebox operate correctly in bridge mode.

The LCD display of an XTM device in bridge mode shows the IP address of the bridged interfaces as 0.0.0.0. This is expected behavior.

To use a network bridge on a FireboxV or XTMv virtual machine on ESXi, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware. You cannot use a network bridge on a FireboxV or XTMv virtual machine on Hyper-V, because Hyper-V virtual switches do not support promiscuous mode.

Enable Bridge Mode

Allow Management Access from a VLAN

When you configure a Firebox in bridge mode, you cannot configure VLANs on the Firebox. But the Firebox can pass VLAN tagged traffic between 802.1Q bridges or switches. You can optionally configure the Firebox to be managed from a VLAN that has a specified VLAN tag.

To enable management from a VLAN for a device in bridge mode, from Fireware Web UI:

  1. Select Network > Interfaces.
    The Network Interfaces page appears.
  2. Select the Allow VLAN tag for management access check box.
  3. Type or select the VLAN ID you want to allow to connect to the device for management access.

To enable management from a VLAN for a device in bridge mode, from Policy Manager:

  1. Click Network Configuration.
    Or, select Network > Configuration.
    The Network Configuration window appears.
  2. Select the Allow VLAN tag for management access check box.
  3. Type or select the VLAN ID you want to allow to connect to the device for management access.
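The checks this page describes (features that are disabled in bridge mode, a management address that can reach the default gateway, the Related Hosts entry pointing at the interface the gateway is actually on, and a valid management VLAN ID) can be run as a pre-change review. The following is an added example, not WatchGuard's code; the configuration dictionary is a constructed, simplified representation with hypothetical keys, not the Fireware configuration file format.

```python
import ipaddress

# Features the page lists as unavailable in bridge mode (hypothetical config keys).
BRIDGE_MODE_DISABLED = {
    "multi_wan", "vlans", "network_bridges", "link_aggregation", "static_routes",
    "firecluster", "secondary_networks", "dhcp", "modem_failover", "nat", "dynamic_routing",
    "vpn_endpoint", "gateway_wireless_controller", "mobile_security", "network_discovery",
}

# Constructed sample configuration (hypothetical schema, not the Fireware file format).
SAMPLE_CONFIG = {
    "network_mode": "bridge",
    "management_ip": "192.0.2.20/24",
    "default_gateway": "192.0.2.1",
    "gateway_interface": "1",             # port the upstream gateway is cabled to
    "related_hosts": {"192.0.2.1": "0"},  # entry the Firebox auto-adds on interface 0
    "enabled_features": ["static_routes", "dhcp", "network_discovery"],
    "management_vlan_id": 4096,           # outside the valid 802.1Q range
}

def check_bridge_mode(cfg):
    """Return a list of findings for a bridge-mode config; an empty list means clean."""
    findings = []
    if cfg.get("network_mode") != "bridge":
        return findings
    # Features that are silently disabled the moment bridge mode is enabled.
    for feature in sorted(BRIDGE_MODE_DISABLED & set(cfg.get("enabled_features", []))):
        findings.append(f"feature '{feature}' is enabled but not available in bridge mode")
    # The management address must reach the default gateway, or the Firebox cannot
    # fetch signature updates or reach internal DNS, NTP or WebBlocker servers.
    mgmt = ipaddress.ip_interface(cfg["management_ip"])
    gateway = ipaddress.ip_address(cfg["default_gateway"])
    if gateway not in mgmt.network:
        findings.append(f"default gateway {gateway} is not on management subnet {mgmt.network}")
    # The auto-added Related Hosts entry points at interface 0; if the gateway is
    # actually cabled to another interface, the entry must be moved there.
    rh_iface = cfg["related_hosts"].get(str(gateway))
    if rh_iface != cfg["gateway_interface"]:
        findings.append(f"Related Hosts entry for {gateway} is on interface {rh_iface}, "
                        f"but the gateway is on interface {cfg['gateway_interface']}")
    # A management VLAN tag, if configured, must be a valid 802.1Q VLAN ID.
    vid = cfg.get("management_vlan_id")
    if vid is not None and not 1 <= vid <= 4094:
        findings.append(f"management VLAN ID {vid} is outside the valid range 1-4094")
    return findings

if __name__ == "__main__":
    for finding in check_bridge_mode(SAMPLE_CONFIG):
        print("WARNING:", finding)
```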

See Also

About LAN Bridges

Drop-In Mode
