In bridge mode, the device is considered a network line with a filtering function. This mode is usually enabled when the original network structure cannot be modified. Deploy the device between the original gateway and the intranet users. You only need to configure the device without modifying the configurations of the original network or intranet users. The device is invisible to the original network and intranet users, which is characteristic of the bridge mode.

Operating environment 1: The device functions as a bridge with one input and one output.

Operating environment 2: If Virtual Router Redundancy Protocol (VRRP) or Hot Standby Router Protocol (HSRP) is enabled on the intranet, the device can be deployed in multi-bridge mode to implement basic audit control functions without affecting Active-Standby handovers of the original firewalls. The following figure shows the two operating environments.

Example: VRRP is enabled between the two firewalls and the switch. The virtual IP address of the firewalls is 192.168.1.1. The device is deployed between the switch and firewall as a bridge with two inputs and two outputs.

The procedure is as follows:

1. Configure the device and log in to the device by using the default IP address. For example, to log in using the LAN interface, whose default IP address is 10.251.251.251/24, configure an IP address on this network segment on the PC and log in to the device by accessing https://10.251.251.251. The default login username and password are both admins.

2. In the navigation area, choose System > Network > Deployment. On the Deployment pane on the right, click Settings. On the page shown in the following figure, select the bridge mode and click Next.

3. Add a LAN interface and a WAN interface to form a bridge and configure two bridges. See the following figure.

LAN Interface: Select an internal network interface from LAN Interface.

WAN Interfaces: Select a WAN interface from WAN Interface.

Bridge: Bridges are defined in Bridge. Data can be forwarded between interfaces on a bridge and cannot be forwarded between interfaces on different bridges.

If Enable bridge state propagation is selected, when a network interface on a bridge changes from connected to disconnected or disconnected to connected, the status of the other network interface changes accordingly. It ensures that the status of the two network interfaces on a bridge is synchronous. This function is to notify the peer device that the link is faulty or resumes normal in a redundancy environment. We recommend you select this item.

4. Set the bridge IP addresses. Set two bridge IP addresses for the device. In this example, the two bridges are on different network segments. Assign two idle IP addresses as bridge IP addresses.

VLAN data passes through the device. Therefore, VLAN information needs to be configured, including the VLAN ID, VLAN IP address (an idle IP address is assigned to each VLAN), and VLAN mask.

Network access data on the intranet will not be affected if no idle IP address is available. However, in this case, the device has no IP address for communication with the intranet and external network. Some functions, such as embedded library update, web authentication, and Ingress, will be affected. To solve this problem, connect the management interface to the intranet switch so the device can communicate with the intranet and external network. The following will describe the configuration in detail.

The bridge IP address can be empty when the device operates in bridge mode. The bridge IP addresses must be on different network segments, and the VLAN IDs must be unique.

5. Configure the management interface. The management interface is in the DMZ. Select an idle network interface (not a bridge interface) as the management interface.

6. Configure the gateway address and DNS address. Configure the default gateway and DNS address. In this example, two idle IP addresses are assigned as the bridge IP addresses. The default gateway points to the virtual IP address of the front-end firewall.

Set a public network IP address assigned by the carrier as the DNS address. Select Bypass firewall rule to enable the firewall rule that allows all data between the WAN and the LAN.

7. Confirm the configuration information and click OK[A246].

Restart the device for the configurations to take effect. In the displayed dialog box asking for your confirmation, click Yes.

8. Add a user or user group or add a user authentication policy on the Authentication Policy to avoid Internet access failures caused by the lack of identity authentication.
9. Connect the device to the network. Specifically, connect WAN1 and WAN2 to FW1 and FW2 and LAN1 and LAN2 to the intranet switch.