Bridge Mode Course #2222
What is Bridging Mode on a GTA Firewall?
- One IP address is shared on multiple interfaces.
- The firewall is transparent (Layer 2).
- TCP/IP packets are filtered based on IP Pass Through policies.
- Non-IP protocols can be passed; however, no filtering can be done on them.
Not supported with Bridge mode:
- High Availability
- Link Aggregation
- PPP
- DHCP
- IPv6 (support for IPv6 is in development)
Why use Bridging mode?
- Quick and easy insertion into an existing network.
- Little or no change required to internal hosts' IP addresses or routes.
- Fully transparent for TCP/IP protocols.
- Passes non-IP protocols such as AppleTalk through the internal interface in a bridged configuration.
- Passes multicast and broadcast packets in a bridged configuration.
Network Configuration Before Firewall Insertion
[Diagram] Web Server 199.120.220.4. All default gateways point to the router, 199.120.220.1.
Network Configuration After Firewall Insertion
[Diagram] 199.120.220.254; Web Server 199.120.220.4.
Firewall Bridged Configuration
2-3 step configuration:
1. Configure the network information and set up the bridged interface: [Configure -> Network -> Interfaces -> Settings]
2. Configure Security Policies: [Configure -> Security Policies -> Policy Editor -> Pass Through]
3. (Optional) Configure Bridge Protocols: [Configure -> Network -> Pass Through -> Bridged Protocols]
[Configure -> Network -> Interfaces -> Settings]
- Select the type of interface: Bridged.
- Configure the IP address to be shared.
- Interfaces: the interface at index one holds the primary IP address. Index 2 and subsequent interfaces are bridged to the primary interface.
- Zone is the interface type: EXTERNAL, PROTECTED, PSN.
- NIC: click the Plus or Minus to add additional interfaces.
Display Network Interface Settings will display the interface names, type (Bridge), zones, IP address and NICs. System Overview will display the interface name, IP addresses, NIC and speed.
Pass Through - [Security Policies -> Policy Editor -> Pass Through]
The example policy on the left allows all IP protocols outbound on the Protected-Bridge interface. The example policy on the right allows only inbound HTTP access: the packet must arrive on the EXTERNAL interface destined for the web server IP address on port 80 (HTTP).
Example of Bridge Connections Passing Through the Firewall
[Diagram] Note there is no Network Address Translation.
Bridging Non-IP Protocols
Q - What are Bridge Protocols?
A - Non-TCP/IP protocols that one wishes to pass through the firewall. Example: AppleTalk or AppleTalk ARP.
WARNING: NO FILTERING is performed on non-IP protocols. This section allows the administrator to pass the protocol if needed. Care should be exercised in allowing these protocols to pass through the firewall.
Bridging Non-IP Protocols (continued)
Example of an allowed protocol log message:
Apr 12 09:51:48 pri=3 msg="bridged protocol type 0x42 allowed (00:08:83:08:82:2a->01:80:c2:00:00:00)"
Example of a denied protocol log message:
Apr 12 09:51:47 pri=3 msg="bridged protocol type 0x2000 denied (00:0d:9d:7a:d6:bf->01:00:0c:cc:cc:cc)"
Bridging Non-IP Protocols (continued)
OK, so how do we find out what protocol type 809b is in our log? A little research is required. A useful resource is http://www.iana.org/assignments/ethernet-numbers, which is a list of Ethernet types. Searching this site will reveal that 809b is AppleTalk.
Bridging Non-IP Protocols (continued)
How do we find out what protocol type 0x42 is in our log? It does not show up on the IANA web site. In this case you have to do a little more work: 0x42 is the Spanning Tree Protocol used by HP and other brands of switch. Some of this is covered in the documentation for the switch.
Bridging Non-IP Protocols (continued)
In other cases testing is required. By turning on logging of unexpected packets you can log all protocol types hitting the firewall. Look for the denied protocol types in the syslog, then define them in the Bridge Protocols section to allow the protocol through.
Apr 12 10:39:56 pri=3 msg="bridged protocol type 0x42 denied (00:08:83:08:82:2a->01:80:c2:00:00:00)"
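An added example (not GTA's code) that parses these "bridged protocol" messages: it names only the two types the course itself identifies, reports everything else as unknown, and counts denied types so each one can be researched before it is defined under Bridged Protocols. The sample log reuses the slides' own lines plus one constructed entry with made-up MAC addresses.

```python
import re
from collections import Counter

# Message format as shown on the course slides (the regex is this example's own).
BRIDGE_RE = re.compile(
    r'^\w{3} +\d+ \d\d:\d\d:\d\d pri=\d+ msg="bridged protocol type '
    r'0x(?P<ptype>[0-9a-fA-F]+) (?P<action>allowed|denied) '
    r'\((?P<src>[0-9a-f:]{17})->(?P<dst>[0-9a-f:]{17})\)"$'
)

# Only the identifications the course itself makes; anything else is reported as
# unknown and must be researched (IANA list, switch docs) before being allowed.
KNOWN_TYPES = {
    0x42: "Spanning Tree (switch BPDU)",
    0x809b: "AppleTalk",
}

# First three lines are the slides' own; the fourth is constructed (made-up MACs).
SAMPLE_LOG = [
    'Apr 12 09:51:48 pri=3 msg="bridged protocol type 0x42 allowed (00:08:83:08:82:2a->01:80:c2:00:00:00)"',
    'Apr 12 09:51:47 pri=3 msg="bridged protocol type 0x2000 denied (00:0d:9d:7a:d6:bf->01:00:0c:cc:cc:cc)"',
    'Apr 12 10:39:56 pri=3 msg="bridged protocol type 0x42 denied (00:08:83:08:82:2a->01:80:c2:00:00:00)"',
    'Apr 12 10:40:02 pri=3 msg="bridged protocol type 0x809b denied (00:11:22:33:44:55->00:aa:bb:cc:dd:ee)"',
]

def parse_bridge_event(line):
    """Parse one GTA 'bridged protocol' syslog line; return None for other lines."""
    m = BRIDGE_RE.match(line.strip())
    if not m:
        return None
    ptype = int(m.group("ptype"), 16)
    dst = m.group("dst")
    return {
        "type": ptype,
        "name": KNOWN_TYPES.get(ptype, "unknown - identify before allowing"),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": dst,
        # Group (multicast/broadcast) destination: low bit of the first octet is set.
        "group_dst": bool(int(dst[:2], 16) & 1),
    }

def summarize_denied(lines):
    """Count denied frames per protocol type so each can be researched individually."""
    counts = Counter()
    for line in lines:
        ev = parse_bridge_event(line)
        if ev and ev["action"] == "denied":
            counts[ev["type"]] += 1
    return dict(counts)
```

Feed it the firewall's syslog after enabling logging of unexpected packets; the unknown entries are the ones that still need identifying.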
Loops
Physical network layout: each bridged interface MUST be physically separate. The physical configuration below will cause a loop to occur.
[Diagram]
Bridge vs. IP Pass Through
Pass Through: each interface must be on a logically different network.
  EXTERNAL 199.120.225.1/25
  Protected 199.120.225.254/25
Bridge: one network/IP address is shared on many interfaces.
  EXTERNAL 199.120.225.1/24
  Protected-Bridge: uses the same IP
References
Protocol Numbers - http://www.iana.org/assignments/ethernet-numbers
GTA Online Documentation - http://www.gta.com/support/documents
Data link layer - http://en.wikipedia.org/wiki/data_link_layer
If you require additional assistance or have additional questions, please contact GTA Technical Support.
Customer Email: support@gta.com
Support Line Phone: 1.407.482.6925 (normal hours 0830-1900 EST)
U.S. Free User Support: http://forum.gta.com
6/23/14 Global Technology Associates, Inc.