
Configuring Bridge Mode without IP address on Gaia OS in VMware

By Arun Kumar S in Check Point

Introduction to Bridge Mode

Bridge Interfaces

Bridge interfaces connect two different interfaces (bridge ports). Bridging two interfaces causes every Ethernet frame that is received on one bridge port to be transmitted out of the other port. Thus the two bridge ports belong to the same broadcast domain, unlike router ports, which each terminate their own broadcast domain.

Only two interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-port switch. Each port can be a physical, VLAN, or bond device.

Bridge interfaces can be configured on Check Point Security Gateway, and can be used for different deployments. The Firewall inspects every Ethernet frame that passes through the bridge.

Supported Software Blades: Gateway and Virtual Systems

These Software Blades support bridge mode (unless stated they do not) for single Security Gateway deployment, cluster with one switch in Active/Active and Active/Standby deployment, and cluster with four switches.

The table lists these blades with two columns, Supports Gateways in Bridge Mode and Supports Virtual Systems in Bridge Mode:

  • URL Filtering
  • Anti-Bot and Anti-Virus
  • Application Control
  • HTTPS Inspection
  • Identity Awareness
  • Threat Emulation
  • Client Authentication
  • User Authentication

Supported Software Blades: Management

Bridge-mode for a Security Management Server is supported only for Standalone configurations, and it supports all management Software Blades.

Unsupported for Bridge Mode

These features, Software Blades and deployments are not supported in Bridge Mode:

  • Mobile Access Software Blade
  • IPsec VPN Software Blade
  • Full High Availability deployment
  • NAT on Gateways
  • Access to Portals from bridged networks, if the bridge does not have an assigned IP address
  • Anti-Virus Traditional Mode
  • Identity Awareness authentication other than AD Query (AD Query is the only supported authentication)


VMnet configuration:

The following is configured on VMware Network Adapters.

  • vmnet4(Host-Only) –
  • vmnet2(Host-Only) –
  • Bridge Network –


  • Windows Host and eth0 of vyatta 1 are connected to vmnet1
  • eth1 of vyatta 1 and eth2 of Check Point are connected to VMware LAN Segment 1
  • eth1 of CP and eth0 of vyatta 2 are connected to VMware LAN Segment 2
  • eth0 of CP is connected as management interface
  • eth1 of vyatta 2 is connected to VMware Bridge network

IP Addresses of LAB:

Check Point:

  • eth0 – Management interface
  • eth1 and eth2 no IP


  • eth0 –
  • eth1 –
  • gw –


  • eth0 –
  • eth1 –
  • gw –

Windows Host:


Where to configure LAN Segment?

Prerequisites for following this document:

  • Freshly installed Check Point Standalone with only the Management interface IP address configured (do not configure a default route)
  • Freshly installed vyatta1 and vyatta2

Check Point Configuration:

A. Configuring Bridge interfaces on Check Point:

  1. Connect over WebUI and navigate to Network Management > Network Interfaces
  2. Click on Add and then select Bridge
  3. Add eth1 and eth2 to Chosen Interfaces and click on OK
  4. The newly created Bridge interface is now visible over the Network Interfaces page

B. Fetching the Interfaces over GUI Topology

  1. Log in to the SmartConsole GUI
  2. Open the Standalone object and select Topology
  3. Select Get... > Interfaces with Topology...
  4. Accept the changes to update the fetched topology
  5. Change the topology of eth1 to External
  6. Save and Install Policy with the required rules in place. In this lab, we use an Any-Any-Accept policy.
  7. After configuring Vyatta, test ICMP between Vyatta1 and Vyatta2 to ensure connectivity.

Required NAT Configuration on Routers:

Assuming masquerade behind the outbound interface, the following NAT is required. (For outbound static NAT the same flow applies; the only additional requirement is to configure the required Proxy ARP.)

Internet — {Network} [Vyatta2] ( — [Security Gateway in Bridge mode] — ( [Vyatta1] { Network}

Where (in the order from right to left):

  • Network is behind Vyatta1
  • Network is between router Vyatta1 ( and Vyatta2 (, on which Security Gateway in Bridge mode is installed
  • Network is behind Vyatta2
  • Route configured on router Vyatta1 is:

    Destination: default — Next hop: (Vyatta2)
  • Route configured on router Vyatta2 is:

    Destination: default — Next hop: (Internet Hop)

Desired NAT:

Network should be hidden behind IP on Vyatta1 and Network should be hidden behind IP on Vyatta2:

{ – NAT behind} [Vyatta1] ( — [GW in Bridge mode] — { – NAT behind} [Vyatta2] {} — Internet

Flow of events:

  1. Packets from network, with their source IP already NATed, arrive from Vyatta1 at Vyatta2
  2. Vyatta2 NATs network behind its own source IP and routes these packets towards network
  3. Network is NATed by VMware behind IP to reach the Internet, and reply packets reaching the physical host are sent to the VMnet network
  4. Reply packets from network return to Vyatta2
  5. Vyatta2 sends the traffic to Vyatta1, and the reply packets reach the original source based on each router's connection table

Vyatta1 Interface and NAT configuration:

vyos@vyatta1# set interfaces ethernet eth0 address
vyos@vyatta1# set interfaces ethernet eth1 address
vyos@vyatta1# set system gateway-address
vyos@vyatta1# set nat source rule 1
vyos@vyatta1# set nat source rule 1 source address
vyos@vyatta1# set nat source rule 1 translation address masquerade
vyos@vyatta1# set nat source rule 1 outbound-interface eth1
vyos@vyatta1# commit; save

Vyatta2 Interface and NAT configuration (the configuration node is "interfaces", as on Vyatta1):

vyos@vyatta2# set interfaces ethernet eth1 address
vyos@vyatta2# set interfaces ethernet eth0 address
vyos@vyatta2# set system gateway-address
vyos@vyatta2# set nat source rule 1
vyos@vyatta2# set nat source rule 1 source address
vyos@vyatta2# set nat source rule 1 translation address masquerade
vyos@vyatta2# set nat source rule 1 outbound-interface eth1
vyos@vyatta2# commit; save
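Because the Check Point gateway only bridges frames between Vyatta1 and Vyatta2, the two router interfaces facing it must share one subnet and each router's default gateway must be reachable on the segment its outbound interface faces; the script below checks those constraints and then emits the VyOS lines above for both routers. It is an added example, not part of the original post, and the lab addresses in LAB are constructed placeholders, not the post's values.

```python
import ipaddress

# Constructed lab addresses (placeholders, not the original post's values):
# Vyatta1 eth0 faces the inside network, eth1 faces the bridged segment;
# Vyatta2 eth0 faces the bridged segment, eth1 faces the VMware bridge network.
LAB = {
    "vyatta1": {"eth0": "192.168.10.1/24", "eth1": "192.168.20.1/24", "gw": "192.168.20.2"},
    "vyatta2": {"eth0": "192.168.20.2/24", "eth1": "192.168.30.10/24", "gw": "192.168.30.1"},
}


def check_bridged_segment(lab):
    """The gateway in bridge mode forwards frames, it does not route, so
    Vyatta1 eth1 and Vyatta2 eth0 must be in one broadcast domain and
    Vyatta1's default gateway must be Vyatta2's address on that segment."""
    v1_out = ipaddress.ip_interface(lab["vyatta1"]["eth1"])
    v2_in = ipaddress.ip_interface(lab["vyatta2"]["eth0"])
    if v1_out.network != v2_in.network:
        raise ValueError("Vyatta1 eth1 and Vyatta2 eth0 are not in one broadcast domain")
    if ipaddress.ip_address(lab["vyatta1"]["gw"]) != v2_in.ip:
        raise ValueError("Vyatta1 default gateway must be Vyatta2 eth0 across the bridge")
    v2_out = ipaddress.ip_interface(lab["vyatta2"]["eth1"])
    if ipaddress.ip_address(lab["vyatta2"]["gw"]) not in v2_out.network:
        raise ValueError("Vyatta2 default gateway is not on its eth1 segment")
    return True


def vyos_config(ifaces, inside_if, outbound_if):
    """Emit the VyOS 'set' lines for one router: interface addresses, default
    route, and masquerade of the inside network behind the outbound interface."""
    inside_net = ipaddress.ip_interface(ifaces[inside_if]).network
    lines = [f"set interfaces ethernet {i} address {a}" for i, a in ifaces.items() if i != "gw"]
    lines.append(f"set system gateway-address {ifaces['gw']}")
    lines += [
        "set nat source rule 1",
        f"set nat source rule 1 source address {inside_net}",
        "set nat source rule 1 translation address masquerade",
        f"set nat source rule 1 outbound-interface {outbound_if}",
    ]
    return lines


def build_lab(lab):
    """Validate the bridged topology, then return the config for both routers.
    Vyatta2 hides the bridged segment (its eth0 subnet), because the bridge
    gateway only ever sees Vyatta1's eth1 address as the source."""
    check_bridged_segment(lab)
    return {
        "vyatta1": vyos_config(lab["vyatta1"], "eth0", "eth1"),
        "vyatta2": vyos_config(lab["vyatta2"], "eth0", "eth1"),
    }
```

A side effect worth noting for logging and Identity Awareness on the bridged gateway: every inside host appears there with Vyatta1's eth1 address, so per-host visibility ends at Vyatta1.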

The supported blades/features can be enabled or tested as per the requirement.

Screenshots of traffic logs:

Any-Any-Accept FW rule:

Drop for Destination rule:

For any further information please write in the comments
