https://community.checkpoint.com/t5/Firewall-and-Security-Management/L3-mode-and-bridge-mode-in-ha-configuration/m-p/59424#M4506 <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk101371&amp;partition=Advanced&amp;product=Security" target="_blank" rel="noopener">sk101371 - Bridge Mode on Gaia OS and SecurePlatform OS</A></P><P>This sk lists everything related to bridge mode.</P><P>Example:</P><P><SPAN>Bridge mode is&nbsp;</SPAN><STRONG>fully supported</STRONG><SPAN>&nbsp;(unless stated otherwise) on Gaia / SecurePlatform OS by the following blades for single Security Gateway deployment, for cluster with one switch in Active/Active and Active/Standby deployment, and for cluster with four switches:</SPAN></P><P>&nbsp;</P><P><SPAN>Or:</SPAN></P><P>Limitations</P><P>Only<SPAN>&nbsp;</SPAN><STRONG>two</STRONG><SPAN>&nbsp;</SPAN>interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-ports switch. Each port can be a Physical, a VLAN, or a Bond device.</P><P>These features, Software Blades and deployments are<SPAN>&nbsp;</SPAN><EM><STRONG>not</STRONG></EM><SPAN>&nbsp;</SPAN>supported in Bridge Mode:</P><UL><LI>IPSec VPN Software Blade</LI><LI>Mobile Access Software Blade</LI><LI>"Full High Availability" deployment (where both ClusterXL members are also configured in Management HA)</LI><LI>NAT rules on Security Gateways (specifically, the traffic will be displayed as accepted by the FireWall kernel in logs, but will not actually depart on the other side, which may give the false impression that it is working).<BR />Refer to<SPAN>&nbsp;</SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106146" target="_blank" rel="noopener">sk106146 - Configuration required on routers to allow NATed traffic to pass through Security Gateway in Bridge mode</A>.</LI><LI>Access to Portals from bridged networks, if the bridge does not have an assigned IP address</LI><LI>Anti-Virus in Traditional Mode</LI><LI>Identity Awareness authentication other than AD Query (AD Query is the only supported authentication)</LI><LI>Assigning an IP address on Bridge interface in ClusterXL (any version)</LI><LI>ClusterXL in R75.40 and lower / R75.45 / R75.46 / R75.47</LI><LI>Asymmetric traffic inspection on Layer 2 Active/Active cluster deployment is not supported (asymmetric traffic inspection is any situation, where the Client-to-Server packet is inspected by one cluster member, while the Server-to-Client packet is inspected by the other member. In such scenarios several security features will not work)</LI></UL> Thu, 01 Aug 2019 08:37:15 GMT Norbert_Bohusch 2019-08-01T08:37:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/L3-mode-and-bridge-mode-in-ha-configuration/m-p/29968#M2385 <HTML><HEAD></HEAD><BODY><DIV><DIV>Hi mates~!</DIV></DIV><DIV><DIV><DIV><BR />The check point&nbsp;can&nbsp;operate L3 mode and bridge mode in&nbsp;HA&nbsp;configuration?&nbsp;</DIV><DIV> </DIV><DIV>I know&nbsp;It can operate&nbsp;L3 mode and bridge mode&nbsp;in standalone mode.</DIV><DIV>But I think it is impossible in HA.</DIV><DIV> </DIV><DIV>Please give me your advice.</DIV><DIV> </DIV><DIV> </DIV><DIV> </DIV></DIV></DIV></BODY></HTML> Thu, 27 Sep 2018 02:35:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/L3-mode-and-bridge-mode-in-ha-configuration/m-p/29968#M2385 TAEKBOM_Kim 2018-09-27T02:35:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/L3-mode-and-bridge-mode-in-ha-configuration/m-p/59304#M4497 <P>i got the same question, any answer for this?&nbsp;</P><P>&nbsp;</P> Wed, 31 Jul 2019 06:05:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/L3-mode-and-bridge-mode-in-ha-configuration/m-p/59304#M4497 darrenkohcc 2019-07-31T06:05:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/L3-mode-and-bridge-mode-in-ha-configuration/m-p/59424#M4506 <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk101371&amp;partition=Advanced&amp;product=Security" target="_blank" rel="noopener">sk101371 - Bridge Mode on Gaia OS and SecurePlatform OS</A></P><P>This sk lists everything related to bridge mode.</P><P>Example:</P><P><SPAN>Bridge mode is&nbsp;</SPAN><STRONG>fully supported</STRONG><SPAN>&nbsp;(unless stated otherwise) on Gaia / SecurePlatform OS by the following blades for single Security Gateway deployment, for cluster with one switch in Active/Active and Active/Standby deployment, and for cluster with four switches:</SPAN></P><P>&nbsp;</P><P><SPAN>Or:</SPAN></P><P>Limitations</P><P>Only<SPAN>&nbsp;</SPAN><STRONG>two</STRONG><SPAN>&nbsp;</SPAN>interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-ports switch. Each port can be a Physical, a VLAN, or a Bond device.</P><P>These features, Software Blades and deployments are<SPAN>&nbsp;</SPAN><EM><STRONG>not</STRONG></EM><SPAN>&nbsp;</SPAN>supported in Bridge Mode:</P><UL><LI>IPSec VPN Software Blade</LI><LI>Mobile Access Software Blade</LI><LI>"Full High Availability" deployment (where both ClusterXL members are also configured in Management HA)</LI><LI>NAT rules on Security Gateways (specifically, the traffic will be displayed as accepted by the FireWall kernel in logs, but will not actually depart on the other side, which may give the false impression that it is working).<BR />Refer to<SPAN>&nbsp;</SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk106146" target="_blank" rel="noopener">sk106146 - Configuration required on routers to allow NATed traffic to pass through Security Gateway in Bridge mode</A>.</LI><LI>Access to Portals from bridged networks, if the bridge does not have an assigned IP address</LI><LI>Anti-Virus in Traditional Mode</LI><LI>Identity Awareness authentication other than AD Query (AD Query is the only supported authentication)</LI><LI>Assigning an IP address on Bridge interface in ClusterXL (any version)</LI><LI>ClusterXL in R75.40 and lower / R75.45 / R75.46 / R75.47</LI><LI>Asymmetric traffic inspection on Layer 2 Active/Active cluster deployment is not supported (asymmetric traffic inspection is any situation, where the Client-to-Server packet is inspected by one cluster member, while the Server-to-Client packet is inspected by the other member. In such scenarios several security features will not work)</LI></UL> Thu, 01 Aug 2019 08:37:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/L3-mode-and-bridge-mode-in-ha-configuration/m-p/59424#M4506 Norbert_Bohusch 2019-08-01T08:37:15Z