TAEKBOM_Kim
Contributor

L3 mode and bridge mode in HA configuration?

Hi mates~!

Can Check Point operate L3 mode and bridge mode in an HA configuration?
I know it can operate L3 mode and bridge mode in standalone mode.
But I think it is impossible in HA.
Please give me your advice.
1 Solution

Accepted Solutions
Norbert_Bohusch
Advisor

sk101371 - Bridge Mode on Gaia OS and SecurePlatform OS

This sk lists everything related to bridge mode.

Example:

Bridge mode is fully supported (unless stated otherwise) on Gaia / SecurePlatform OS by the following blades for single Security Gateway deployment, for cluster with one switch in Active/Active and Active/Standby deployment, and for cluster with four switches:

 

Or:

Limitations

Only two interfaces can be connected by a single Bridge interface. These two interfaces can then be thought of as a two-ports switch. Each port can be a Physical, a VLAN, or a Bond device.

These features, Software Blades and deployments are not supported in Bridge Mode:

  • IPSec VPN Software Blade
  • Mobile Access Software Blade
  • "Full High Availability" deployment (where both ClusterXL members are also configured in Management HA)
  • NAT rules on Security Gateways (specifically, the traffic will be displayed as accepted by the FireWall kernel in logs, but will not actually depart on the other side, which may give the false impression that it is working).
    Refer to sk106146 - Configuration required on routers to allow NATed traffic to pass through Security Gateway....
  • Access to Portals from bridged networks, if the bridge does not have an assigned IP address
  • Anti-Virus in Traditional Mode
  • Identity Awareness authentication other than AD Query (AD Query is the only supported authentication)
  • Assigning an IP address on Bridge interface in ClusterXL (any version)
  • ClusterXL in R75.40 and lower / R75.45 / R75.46 / R75.47
  • Asymmetric traffic inspection on Layer 2 Active/Active cluster deployment is not supported (asymmetric traffic inspection is any situation, where the Client-to-Server packet is inspected by one cluster member, while the Server-to-Client packet is inspected by the other member. In such scenarios several security features will not work)


0 Kudos
2 Replies
darrenkohcc
Explorer

I got the same question, any answer for this?

 

0 Kudos
