While running in transparent mode, the Security Appliance continues to perform stateful inspection with application-layer intelligence and retains all of its regular firewalling capabilities, including NAT. NAT in transparent mode is supported in software version 8.0 and later; prior to version 8.0, NAT was not supported in transparent mode.
The egress interface for an outgoing packet is determined by a MAC address table lookup rather than a route lookup. The only Layer 3 address required on the firewall is the management IP address, which also serves as the source IP address for packets the Security Appliance originates itself, such as system messages and communications with AAA or syslog servers. The management IP address must be on the same IP subnet as the network the firewall bridges. Because transit traffic is bridged rather than routed, a route is still needed only for the firewall's own management traffic, so that it knows which next-hop router to use when a syslog or AAA server sits on a different subnet.
Transparent mode is also a good technique for protecting the network passively (camouflage): the data interfaces carry no IP address and the firewall is not a routed hop, so an intruder or attacker tracing the path between hosts does not see the firewall and has no direct indication that it exists.
Figure 6-3 shows an example of a transparent firewall implementation, with three client workstations whose default gateway is the upstream router 10.1.1.1. Note that all PCs, the upstream router, and the management IP address are in the same IP subnet 10.
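The following configuration is added here as a worked example for the topology of Figure 6-3 and is not taken from the book. It uses the single-context, pre-8.4 transparent mode syntax that matches the 8.0-era software discussed above (later releases moved the management address onto a bridge group). The interface names, the management address 10.1.1.2, the syslog server 192.168.5.10 and the EtherType access list name ETH are assumptions chosen for the example.

```cisco
! Convert the appliance to transparent mode. This command clears the running
! configuration, so issue it on a freshly staged device (example config).
firewall transparent

! Both data interfaces bridge the same IP subnet and differ only in security
! level. Neither carries an IP address; forwarding uses the MAC address table.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown

! The only Layer 3 address on the box: the management IP (assumed 10.1.1.2),
! which must sit in the bridged subnet alongside the PCs and the upstream
! router 10.1.1.1. It is also the source address of syslog and AAA traffic
! the firewall originates itself.
ip address 10.1.1.2 255.255.255.0

! Transit traffic is not routed, but the firewall still needs a route for its
! own management traffic to reach servers outside the bridged subnet.
route outside 0.0.0.0 0.0.0.0 10.1.1.1

! Assumed syslog server behind the upstream router; reached via the route
! above and sourced from 10.1.1.2.
logging enable
logging host outside 192.168.5.10
logging trap informational

! IP traffic is still governed by security levels and the usual access lists.
! Non-IP frames such as spanning-tree BPDUs are dropped unless an EtherType
! access list permits them; without this, switches on either side cannot run
! STP through the firewall.
access-list ETH ethertype permit bpdu
access-group ETH in interface outside
access-group ETH in interface inside
```

After applying the configuration, "show firewall" should report the mode as transparent, and "show mac-address-table" lists the MAC addresses the firewall has learned on each interface, which is the table consulted for the egress lookup described above.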