The need to simplify or aid firewall deployment

Deploying a new firewall into a network can be a complicated process due to various issues(e.g. IP address reconfiguration, network topology changes, current firewall, etc.). In an attempt to help enterprises deal with these, firewall vendors came up with “drop-in” solutions.

As such, often firewalls can be deployed in transparent or bridge modes(bump in the wire) instead of the traditional mode of operation(as a routed hop). Among various vendors these two modes(transparent and bridge) may have the same meaning, referring to firewalls operating at Layer 2, like a bridge.

When it comes to SonicWALL firewalls and SonicOS Enhanced, the Transparent Mode and L2 (Layer 2) Bridge Mode have different meanings.

SonicWALL Firewalls in Transparent Mode

A mode that allows a SonicWALL firewall(running either SonicOS Standard or Enhanced) to be inserted into an existing network without the need for IP reconfiguration by spanning a single IP subnet across two or more interfaces.

SonicWALL Firewalls in L2 Bridge Mode

A mode that allows a SonicWALL firewall(running SonicOS Enhanced) to be inserted into an existing network without the need for IP reconfiguration similar with the Transparent Mode but providing more transparency(the firewall acts as a Layer 2 bridge) and versatile functionality.

Bridge-Pair - a logical interface set composed of a Primary Bridge Interface and a Secondary Bridge Interface; a Bridge-Pair behaves like a two-port learning bridge with full L2 transparency.
Bridge-Partner - the term used to refer to the “other” member of a Bridge-Pair.

When to use Transparent Mode and when to use L2 Bridge Mode

Requirement

Mode

Need to pass non-IPv4 traffic

L2 Bridge Mode as Transparent Mode passes only IPv4 traffic.

Need to pass broadcast traffic

L2 Bridge Mode as Transparent Mode drops broadcast traffic(exception being NetBios).

Multiple Subnets support

L2 Bridge Mode as Transparent Mode only supports a single subnet(that which is assigned to, and spanned from the Primary WAN).

VLAN traffic

L2 Bridge Mode as VLAN traffic is passed through the L2 Bridge and inspected as opposed to Transparent Mode where VLANs will be terminated by the SonicWALL rather than passed.

No disruption to most network communications

L2 Bridge Mode as Transparent Mode may introduce a certain level of disruptiveness; particularly with regard to ARP, VLAN support, multiple subnets and non-IPv4 traffic types.

PortShield interfaces support

Transparent Mode as PortShield interfaces cannot be assigned to either interface of an L2 Bridge Pair.

If more than two interfaces are required to operate on the same subnet

Transparent Mode as two interfaces are the maximum allowed in an L2 Bridge Pair.

DHCP services support

Transparent Mode as L2 Bridge Pair can only pass DHCP.

Running SonicOS Standard

Transparent Mode as L2 Bridge Mode requires SonicOS Enhanced.

Simultaneously Bridge and route/NAT

Mixed L2 Bridge Mode.



Mixed-Mode Operation - the L2 Bridge Mode can concurrently provide L2 Bridging and conventional services, such as routing, NAT, VPN, and wireless operations. This means the Bridge-Pair will not be the only point of ingress/egress through the SonicWALL. The firewall can be used as an L2 Bridge for one segment of the network, while providing a complete set of security services to the remainder of the network.

Captive-Bridge Mode - an optional mode of L2 Bridge which prevents traffic that has entered an L2 bridge from being forwarded to a non-Bridge-Pair interface, ensuring that traffic which enters an L2 Bridge exits the L2 Bridge rather than taking its most logically optimal path.

Summary

The two modes of operation of SonicOS Enhanced, Transparent and L2 Bridge, allow drop-in deployment solutions of SonicWALL firewalls.

They enable enterprises with no immediate plans of current firewall replacement to benefit from UTM security along with a smooth migration path to full security services operation.