Network configuration modes

There are several configuration modes that can be used on your firewall:

  • Bridge mode,
  • Advanced mode (Router),
  • Hybrid mode.

These modes are not visually represented in the web administration interface, and there is no configuration wizard to set them up. They represent the types of configuration that you can apply to your firewall. Security-wise, all operating modes are equal.

Bridge mode

Interfaces are part of the address range declared on the bridge. This mode makes it possible to keep the same address range between interfaces.

You can filter traffic later by using interface objects or address ranges depending on your requirements, and protect any part of your network.

The advantages of this mode are:

  • Ease of integration of the product since there is no change in the configuration of client workstations (default router, static routes, etc.) and no change in IP address on your network.
  • Compatibility with IPX (Novell network), NetBIOS in NetBEUI, AppleTalk or IPv6.
  • No address translation, therefore time is saved when the firewall processes packets.

This mode is therefore recommended between the external zone and the DMZ. It allows keeping a public address range on the firewall’s external zone and on the DMZ’s public servers.

Advanced mode (Router)

The firewall operates like a router between its various interfaces. Every enabled interface has an IP address from the network to which it is directly connected. This enables the configuration of translation rules for accessing other zones in the firewall.

This requires some IP addresses to be changed on routers or servers when you move them to a different network (behind a different interface of the firewall).

The advantages of this mode are:

  • Address translation between the various networks.
  • Only traffic passing from one network to another passes through the firewall (internal network to the Internet, for example). This considerably lightens the firewall’s load and gives better response times.
  • Items belonging to each zone are easier to differentiate (internal, external and DMZ). The distinction is made by the different IP addresses for each zone. This provides a clearer view of the separations and the configuration to be applied to these items.

Hybrid mode

Some interfaces have the same IP address and others have a separate address. The hybrid mode uses a combination of both modes mentioned earlier. This mode may only be used with Stormshield Network products having more than two network interfaces. You may define several interfaces in bridge mode.

EXAMPLE
Internal zone and DMZ (or external zone and DMZ) in the same address range, and certain interfaces in a different address range. This provides greater flexibility when you integrate the product.
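
The three modes can be checked against an interface plan before deployment. The following is an added example, not Stormshield code or configuration syntax: the plan format, interface names, bridge name and address ranges are all constructed, and treating "every interface in one bridge" as bridge mode is this example's reading of the descriptions above. It names the mode, flags a plan that contradicts the descriptions, and tells whether a host moved behind another interface must change its IP address.

```python
import ipaddress

# Constructed plan: interface names, bridge name and ranges are hypothetical.
# "bridge" is None for a routed interface, else the bridge the interface joins.
PLAN = {
    "out": {"bridge": "br0", "network": "192.0.2.0/24"},
    "dmz": {"bridge": "br0", "network": "192.0.2.0/24"},
    "in":  {"bridge": None,  "network": "10.0.0.0/24"},
}

def classify(plan):
    """Name the mode: one bridge holding every interface, no bridge, or a mix."""
    bridges = {itf["bridge"] for itf in plan.values()}
    if bridges == {None}:
        return "router"
    if None not in bridges and len(bridges) == 1:
        return "bridge"
    return "hybrid"

def validate(plan):
    """Return a list of problems that contradict the mode descriptions."""
    problems = []
    declared = {}  # bridge name -> address range declared on that bridge
    for name, itf in plan.items():
        net = ipaddress.ip_network(itf["network"])
        if itf["bridge"] is None:
            continue
        # Bridge members must sit in the address range declared on the bridge.
        expected = declared.setdefault(itf["bridge"], net)
        if net != expected:
            problems.append(f"{name}: {net} is outside {itf['bridge']} range {expected}")
    # Hybrid mode requires a product with more than two network interfaces.
    if classify(plan) == "hybrid" and len(plan) <= 2:
        problems.append("hybrid mode needs more than two network interfaces")
    return problems

def must_readdress(plan, host_ip, dst_if):
    """True if a host moved behind dst_if needs a new IP address."""
    net = ipaddress.ip_network(plan[dst_if]["network"])
    return ipaddress.ip_address(host_ip) not in net
```

With the sample plan, a DMZ server at 192.0.2.10 keeps its address if moved to the bridged external interface, but needs a new one behind the routed internal interface.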