Configuring Bridge Mode without IP address on Gaia OS in VMware

By Arun Kumar S in Check Point

Introduction to Bridge Mode

Bridge Interfaces

Bridge interfaces connect two different interfaces (bridge ports). Bridging two interfaces causes every Ethernet frame received on one bridge port to be transmitted out of the other port. The two bridge ports therefore share the same broadcast domain (unlike router ports, which separate broadcast domains).

Only two interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-port switch. Each port can be a physical, VLAN, or bond device.

Bridge interfaces can be configured on Check Point Security Gateway, and can be used for different deployments. The Firewall inspects every Ethernet frame that passes through the bridge.

Supported Software Blades: Gateway and Virtual Systems

These Software Blades support bridge mode (unless stated otherwise) for a single Security Gateway deployment, a cluster with one switch in Active/Active and Active/Standby deployment, and a cluster with four switches.

Supported Blade           Supports Gateways in Bridge Mode   Supports Virtual Systems in Bridge Mode
Firewall                  Yes                                Yes
IPS                       Yes                                Yes
URL Filtering             Yes                                Yes
DLP                       Yes                                No
Anti-Bot and Anti-Virus   Yes                                Yes
Application Control       Yes                                Yes
HTTPS Inspection          Yes                                No
Identity Awareness        Yes                                No
Threat Emulation          Yes                                Yes
QoS                       Yes                                No
Client Authentication     No                                 No
User Authentication       No                                 No

Supported Software Blades: Management

Bridge mode for a Security Management Server is supported only in Standalone configurations, and it supports all management Software Blades.

Unsupported for Bridge Mode

These features, Software Blades and deployments are not supported in Bridge Mode:

  • Mobile Access Software Blade
  • IPsec VPN Software Blade
  • Full High Availability deployment
  • NAT on Gateways
  • Access to Portals from bridged networks, if the bridge does not have an assigned IP address
  • Anti-Virus Traditional Mode
  • Identity Awareness authentication other than AD Query (AD Query is the only supported authentication)

Topology:

VMnet configuration:

The following is configured on VMware Network Adapters.

  • vmnet4 (Host-Only) – 10.0.0.0/24
  • vmnet2 (Host-Only) – 172.16.0.0/24
  • Bridge Network – 192.168.1.0/24

Connection:

  • Windows Host and eth0 of vyatta 1 are connected to vmnet1
  • eth1 of vyatta 1 and eth2 of Check Point are connected to VMware LAN Segment 1
  • eth1 of CP and eth0 of vyatta 2 are connected to VMware LAN Segment 2
  • eth0 of CP is connected as management interface
  • eth1 of vyatta 2 is connected to VMware Bridge network


IP Addresses of LAB:

Check Point:

  • eth0 – Management interface 192.168.2.100
  • eth1 and eth2 no IP

Vyatta1:

  • eth0 – 172.16.0.10
  • eth1 – 10.0.0.10
  • gw – 10.0.0.20

Vyatta2:

  • eth0 – 10.0.0.20
  • eth1 – 192.168.1.20
  • gw – 192.168.1.2

Windows Host:

  • 172.16.0.25


Where to configure LAN Segment?

Prerequisites for following this document:

  • Freshly installed Check Point Standalone with only the Management interface IP address configured (do not configure a default route)
  • Freshly installed vyatta1 and vyatta2

Check Point Configuration:

A. Configuring Bridge interfaces on Check Point:

  1. Connect over WebUI and navigate to Network Management > Network Interfaces
  2. Click on Add and then select Bridge
  3. Add eth1 and eth2 to Chosen Interfaces and click on OK
  4. The newly created Bridge interface is now visible over the Network Interfaces page

B. Fetching the Interfaces via the GUI Topology

  1. Log in to SmartConsole
  2. Open the Standalone object and select Topology
  3. Select Get... > Interfaces with Topology...
  4. Accept the changes to update the fetched topology
  5. Change the topology of eth1 to External
  6. Save and install policy with the required rules in place. In this lab, an Any-Any-Accept rule is used.
  7. After configuring Vyatta, test ICMP between Vyatta1 and Vyatta2 to confirm connectivity.


Required NAT Configuration on Routers:

Assuming masquerade behind the outbound interface, the following NAT is required. (For outbound static NAT the same flow holds; the only additional requirement is to configure the required proxy ARP.)

Internet — {Network 192.168.1.0/24} [Vyatta2] (10.0.0.20) — [Security Gateway in Bridge mode] — (10.0.0.10) [Vyatta1] {172.16.0.0/24 Network}

Where (in the order from right to left):

  • Network 172.16.0.0/24 is behind Vyatta1
  • Network 10.0.0.0/24 is between router Vyatta1 (10.0.0.10) and Vyatta2 (10.0.0.20), on which Security Gateway in Bridge mode is installed
  • Network 192.168.1.0/24 is behind Vyatta2
  • Route configured on router Vyatta1: Destination default, next hop 10.0.0.20 (Vyatta2)
  • Route configured on router Vyatta2: Destination default, next hop 192.168.1.2 (Internet hop)

Desired NAT:

Network 172.16.0.0/24 should be hidden behind IP 10.0.0.10 on Vyatta1 and Network 10.0.0.0/24 should be hidden behind IP 192.168.1.20 on Vyatta2:

{172.16.0.0/24 – NAT behind 10.0.0.10} [Vyatta1] (10.0.0.10) — [GW in Bridge mode] — {10.0.0.0/24 – NAT behind 192.168.1.10} [Vyatta2] {192.168.1.10/24} — Internet

Flow of events:

  1. Packets from network 172.16.0.0/24, with their source IP NATed to 10.0.0.10, arrive from Vyatta1 at Vyatta2 (passing through the bridge-mode gateway unchanged)
  2. Vyatta2 NATs network 10.0.0.0/24 behind source IP 192.168.1.10 and routes these packets to network 192.168.1.0/24
  3. Network 192.168.1.0/24 is NATed by VMware behind IP 192.168.1.2 to reach the Internet; reply packets reaching the physical host are sent back to VMnet network 192.168.1.0/24
  4. Reply packets from network 192.168.1.0/24 return to Vyatta2
  5. Vyatta2 sends the traffic to Vyatta1, and the reply packets reach the original source based on each router's connection table
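The double-masquerade flow above, traced hop by hop in Python as an added example that is not part of the original post. The two routers, their connection tables and the bridge-mode gateway's rulebase (the Any-Any-Accept rule, and the Drop-for-8.8.8.8 rule whose log screenshot appears later) are simplified models, not VyOS or Gaia code; the lab addresses are taken from this post and the client 172.16.0.25 is the Windows host.

```python
import ipaddress
from collections import namedtuple

# Minimal packet model: enough to follow NAT and rulebase matching.
Pkt = namedtuple('Pkt', 'src dst sport dport')

class MasqRouter:
    """Masquerade (source NAT) router with a connection table, modelling Vyatta1/Vyatta2."""
    def __init__(self, inside_net, outside_ip):
        self.net, self.out_ip = ipaddress.ip_network(inside_net), outside_ip
        self.conns, self.next_port = {}, 40000   # (nat_port, dst, dport) -> (src, sport)
    def outbound(self, p):   # packet leaving through the outbound-interface
        if ipaddress.ip_address(p.src) not in self.net:
            return p         # not from the NATed network: routed as-is
        self.next_port += 1
        self.conns[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
        return Pkt(self.out_ip, p.dst, self.next_port, p.dport)
    def inbound(self, p):    # reply arriving on the outbound-interface
        orig = self.conns.get((p.dport, p.src, p.sport))
        if p.dst != self.out_ip or orig is None:
            return None      # no connection entry, so the reply is dropped
        return Pkt(p.src, orig[0], p.sport, orig[1])

class BridgeGateway:
    """Gateway in bridge mode: the frame is forwarded unchanged (no NAT, no routing),
    but it is first matched top-down against the rulebase [(dst or 'Any', action), ...]."""
    def __init__(self, rules):
        self.rules = rules
    def forward(self, p):
        for dst, action in self.rules:
            if dst in ('Any', p.dst):
                return p if action == 'accept' else None
        return None          # implicit cleanup rule

def trace(dst, rules, client='172.16.0.25'):
    """Packet as seen at each hop of the lab; None means it was dropped there."""
    v1 = MasqRouter('172.16.0.0/24', '10.0.0.10')    # Vyatta1, masquerade out of eth1
    v2 = MasqRouter('10.0.0.0/24', '192.168.1.20')   # Vyatta2, masquerade out of eth1
    hops = {'after_vyatta1': v1.outbound(Pkt(client, dst, 51000, 443))}
    hops['after_bridge'] = BridgeGateway(rules).forward(hops['after_vyatta1'])
    if hops['after_bridge'] is None:
        return hops          # gateway log would show a drop for this destination
    sent = hops['after_vyatta2'] = v2.outbound(hops['after_bridge'])
    # VMware NAT (192.168.1.2) and the server are outside the lab; the reply reaches
    # Vyatta2 addressed to 192.168.1.20, is un-NATed twice and passes the bridge on
    # the existing connection.
    reply = v2.inbound(Pkt(dst, sent.src, sent.dport, sent.sport))
    hops['reply_at_client'] = v1.inbound(reply) if reply else None
    return hops
```

Note that the gateway only ever sees 10.0.0.10 as the source: the 172.16.0.0/24 hosts are already hidden by Vyatta1, which is what the Any-Any-Accept and 8.8.8.8 drop logs reflect.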

Vyatta1 Interface and NAT configuration:

vyos@vyatta1# set interfaces ethernet eth0 address 172.16.0.10/24
vyos@vyatta1# set interfaces ethernet eth1 address 10.0.0.10/24
vyos@vyatta1# set system gateway-address 10.0.0.20
vyos@vyatta1# set nat source rule 1
vyos@vyatta1# set nat source rule 1 source address 172.16.0.0/24
vyos@vyatta1# set nat source rule 1 translation address masquerade
vyos@vyatta1# set nat source rule 1 outbound-interface eth1
vyos@vyatta1# commit; save

Vyatta2 Interface and NAT configuration:

vyos@vyatta2# set interfaces ethernet eth1 address 192.168.1.20/24
vyos@vyatta2# set interfaces ethernet eth0 address 10.0.0.20/24
vyos@vyatta2# set system gateway-address 192.168.1.2
vyos@vyatta2# set nat source rule 1
vyos@vyatta2# set nat source rule 1 source address 10.0.0.0/24
vyos@vyatta2# set nat source rule 1 translation address masquerade
vyos@vyatta2# set nat source rule 1 outbound-interface eth1
vyos@vyatta2# commit; save

The supported blades and features can then be enabled and tested as required.

Screenshots of traffic logs:

Any-Any-Accept FW rule:

Drop for Destination 8.8.8.8 rule:

For any further information please write in the comments
