
By default, a GTA firewall acts as a firewall router so that systems on the internal network see it as a gateway to the external network, and systems on the external network see it as the gateway to the internal network. The GTA firewall connects networks transparently like a bridge for specified Ethernet protocol types, while continuing to apply policies to other IP packets as a firewall.

A GTA firewall in bridging mode can be inserted behind a router to the Internet between the router and the internal networks without changing IP addresses, gateways or any other network addresses for the rest of your network hosts.

A GTA firewall in bridging mode can also be inserted into an internal network to separate networks that are at a peer level, or to further segregate PSNs. This configuration allows two internal networks to communicate as one, while filtering non-bridged IP traffic between them and preventing the passage of non-IP protocols (except ARP, which operates at both data link layer 2, and network layer 3).

When in bridging mode, a GTA firewall can be connected directly to a host, a switch, a router or a non-bridged firewall.

H2A - High Availability is not supported in bridging mode. PPP, PPPoE and PPTP are not supported on a bridged interface.

If a host points to a router or gateway on a bridged interface as its default route to the Internet, the firewall will override that preference, routing the packet through its logical external network interface. Also, in bridging mode (as in unbridged firewall operation) any packet that goes through the firewall will use the firewall’s routing tables. This means that even though a host may have indicated a particular route, the firewall will instead use the routes set up in Configure>Network>Routing>Static Routing and

BGP Setup

BGP (Border Gateway Protocol) is an Exterior Gateway Routing Protocol (EGRP) used for larger networks such as the Internet. BGP uses TCP port 179 to establish a connection between two or more routers; these routers are considered peers. Initially the routers exchange full routing information; once the connection is established, the routers send only updates to their routing tables.

Note

BGP is only available on GB-2000, GB-2100, GB-2500, GB-3000 and GB-Ware.

Note

For more information on BGP, one recommended source is IP Routing, 1st Edition by Ravi Malhotra from O’Reilly and Associates.

Requirements for BGP:

1. Basic understanding of BGP.

2. Understanding of TCP/IP and routing.

3. BGP Neighbor(s) IP and Autonomous System (AS).

To configure BGP:

1. Navigate to Configure>Network>Routing>BGP.

2. Select Enable.

3. Define the Router AS to which the firewall belongs.

4. Configure the Router ID. This number must be unique.

5. Define the Networks. This is the network(s) which will use BGP.

6. Define the BGP Neighbor(s).

7. Enter the neighbor's Remote AS and whether the firewall will Advertise the Default Route.

8. Configure the Advanced Redistribute and Aggregation options if needed.

Table 3.22: Configuring BGP

Field Description

Enable Enables the BGP interface and starts the service.

Router AS The number assigned to a router or set of routers in a single technical administration.

Router ID Router ID number.

Networks A selection for the network(s) which will use BGP.

Advanced

Automatic Policies Enables the firewall to generate a set of automatic policies to allow a configured BGP interface to function properly. By default this is enabled. The policy created is for TCP port 179 and is viewable in the Monitor>Activity>Security Policies>Automatic section.

Redistribute

Metric Configure the metric when the route is redistributed.

Connected If enabled, routing information is sent for those networks directly assigned to the firewall, such as interfaces and aliases.

OSPF If enabled, routing information is sent for those networks that are configured via IGRP or OSPF.

RIP If enabled, routing information is sent for those networks configured via RIP.

Static If enabled, routing information is sent for those networks that are statically assigned to the firewall.

Route Aggregation

Aggregate Addresses The network(s) to aggregate.

AS Set This selection will generate or send the AS set of other routers to the remote router.

Summary Only This selection filters the more specific routes when sending updates.

To edit an existing BGP interface, select the edit icon. To create a new BGP interface, select the New icon.

Figure 3.25: BGP Setup

Table 3.23: Configuring BGP

Field Description

Disable Disables the BGP interface.

Description A short description to identify the BGP interface.

Neighbor A selection for the IP address used to configure the peer routers the firewall will use to connect to BGP.

Remote AS The AS number of the peer router.

Advertise Default Route Enable if the firewall will advertise itself as the default route.

Advanced

eBGP Multihop Enables BGP multihop.
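A configuration-review check over the fields listed in the two tables above (Router AS, Router ID, Automatic Policies, Redistribute, Neighbor, Remote AS, Advertise Default Route, eBGP Multihop), added here as an example; it is not GB-OS code and the dict layout is a constructed stand-in for the form, not GTA's own configuration format. The SAMPLE values are constructed from documentation address and AS ranges.

```python
import ipaddress

# Private AS ranges (RFC 6996); constructed helper, not part of GB-OS.
PRIVATE_AS = [(64512, 65534), (4200000000, 4294967294)]

def is_private_as(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS)

def review_bgp(cfg):
    """Return review findings for a dict mirroring the Table 3.22/3.23 fields."""
    findings = []
    local_as = cfg["router_as"]
    if not 1 <= local_as <= 4294967295:
        findings.append("router_as is outside the valid AS number range")
    try:
        ipaddress.IPv4Address(cfg["router_id"])  # Router ID must be a dotted quad
    except ValueError:
        findings.append("router_id is not a dotted-quad value")
    if not cfg.get("automatic_policies", True):
        findings.append("automatic policies off: TCP/179 must be allowed by a manual policy")
    for opt in ("connected", "static"):
        if cfg.get("redistribute", {}).get(opt):
            findings.append(f"redistribute {opt}: every {opt} route enters BGP; confirm none are internal-only")
    seen = set()
    for nb in cfg.get("neighbors", []):
        ip, ebgp = nb["neighbor"], nb["remote_as"] != local_as  # eBGP when the AS differs
        if ip in seen:
            findings.append(f"neighbor {ip} is defined twice")
        seen.add(ip)
        if ebgp and nb.get("advertise_default_route"):
            findings.append(f"neighbor {ip}: default route advertised to an external AS")
        if ebgp and is_private_as(nb["remote_as"]):
            findings.append(f"neighbor {ip}: eBGP peer uses a private AS number")
        if ebgp and nb.get("ebgp_multihop"):
            findings.append(f"neighbor {ip}: eBGP multihop set; confirm the non-adjacent peer is intended")
    return findings

# Constructed sample: one external peer and one peer in the firewall's own AS.
SAMPLE = {
    "router_as": 65001, "router_id": "192.0.2.1", "automatic_policies": True,
    "redistribute": {"metric": 10, "connected": True, "ospf": False, "rip": False, "static": False},
    "neighbors": [
        {"neighbor": "198.51.100.1", "remote_as": 64496, "advertise_default_route": True},
        {"neighbor": "192.0.2.2", "remote_as": 65001, "advertise_default_route": False},
    ],
}
```

Calling review_bgp(SAMPLE) reports the connected-route redistribution and the default route offered to the external peer; an empty list means no field combination was flagged.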
