Configuring Transparent Mode
With the release of Security software version 7.0, a Security Appliance can run as a Layer 2
firewall. A standard firewall behaves much like a router: it routes packets through the
firewall instead of switching them, which adds a hop to the IP path that a user can detect.
With transparent firewall enabled, the Security Appliance acts as a Layer 2 filtering bridge,
switching packets from one interface to the other instead of routing them, so the user sees
no additional hop in the IP path. These interfaces are usually on the same VLAN or IP subnet.
Because transparent firewalls perform MAC address lookup instead of routing, a Security
Appliance with this feature enabled can be placed in a network without a need to reconfigure
any part of the network, including NAT or IP readdressing. With the change from routing to
switching, enabling transparent firewalling removes or restricts support for several Security
Appliance features:
■ Interface limits—A Security Appliance with transparent firewalls enabled can only use
two interfaces. Each interface must be on a different VLAN to support transparent
firewalls. This restriction is based on a single context. If multiple contexts have been
enabled, each context created can use only two interfaces. These interfaces can only be
used by one context and cannot be shared between multiple contexts in transparent
mode.
■ NAT—NAT does not apply when the Security Appliance is running in a Layer 2 mode.
NAT would be done by a Layer 3 device in this design.
■ Dynamic routing protocols—Because the Security Appliance is acting as a bridge,
dynamic routing protocols are not needed; their purpose is to assist in routing packets.
Static routes can still be configured for traffic that originates from the Security
Appliance itself.
■ IPv6—IPv6 is not supported due to transparent mode working at Layer 2 and not Layer 3.
■ DHCP relay—The Security Appliance cannot act as a DHCP relay, although it can act
as a DHCP server.
■ Quality of service (QoS)—Most QoS options rely on the TCP header, which is not used
in transparent mode.
■ Multicast—Multicast traffic is not supported by default in transparent mode. To pass
multicast traffic through the Security Appliance in transparent mode, you must use
extended access lists.
■ VPN termination for through traffic—The Security Appliance with transparent firewalls
enabled can only support site-to-site VPN tunnels for the management connections.
A Security Appliance in transparent mode can still run virtual firewalls. Each context must
be configured with an IP address to use for management access. This management address
must belong to the connected network, because the Security Appliance cannot route to a
subnet that is not directly connected. Additionally, each connecting network must reside in
the same subnet to be supported in transparent mode.
The bridging of traffic by the Security Appliance does not work like a normal switch by
default. A Security Appliance in transparent mode will only pass ARP traffic between the two
interfaces until an extended access list or EtherType access list is configured. With either of
these access lists configured, you can allow Layer 3 traffic to pass through the Security
Appliance.
NOTE A Security Appliance can be set to either transparent or router mode. If multiple
contexts are enabled, all contexts must be set to the same mode.
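The following single-context configuration is an added illustration of the points above and is not taken from the original text or from Cisco documentation. It enables transparent mode, assigns the global management address that transparent mode requires, adds a static route for traffic the appliance itself originates, and then applies the EtherType and extended access lists without which only ARP crosses the bridge. Interface names, the 192.0.2.0/24 subnet, the host and router addresses, and the access-list names are assumed values chosen for the example.

```cisco
! Added example: minimal transparent-mode configuration for a Security Appliance
! running 7.x software. All addresses and names below are assumed for illustration.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! In transparent mode the management address is set globally, not per interface,
! and must lie inside the subnet being bridged (assumed 192.0.2.0/24).
ip address 192.0.2.10 255.255.255.0
!
! Dynamic routing is unavailable; a static route serves traffic the appliance itself
! originates (syslog, AAA). 192.0.2.1 is the assumed upstream router.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Until an access list is applied only ARP is bridged. This EtherType list lets
! spanning-tree BPDUs through so the switches on both sides keep a consistent STP
! topology; other non-IP EtherTypes remain blocked unless explicitly permitted.
access-list ETH ethertype permit bpdu
access-group ETH in interface inside
access-group ETH in interface outside
!
! Extended list for inbound IP: permit only the exposed service on the assumed
! server 192.0.2.50 and log everything else that is denied.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.50 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

After applying the configuration, `show firewall` reports the current firewall mode and `show mode` reports whether the appliance is in single or multiple context mode, which is the check to run before assuming the mode change took effect; `show access-list` confirms that the EtherType and extended lists are bound to the intended interfaces and shows hit counts for the logged deny entry.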