Watchguard: Enable Bridge Mode, Transparent - DropIn Mode
Bridge mode is a feature that allows you to install your Firebox between an existing network and its gateway to filter or manage network traffic. When you enable this feature, your Firebox processes and forwards all network traffic to other gateway devices. When the traffic arrives at a gateway from the Firebox, it appears to have been sent from the original device.
System and Management IP Addresses
Fireware v11.12.1 and lower
You must specify a static IP address that is used to manage your Firebox. The Firebox also uses this IP address to receive security services signature updates and to route traffic to internal DNS, NTP, or WebBlocker servers. Because of this, make sure you assign an IP address that has a route to the Internet.
Fireware v11.12.2 and higher
You can specify a static IP address or DHCP.
If you specify DHCP, your Firebox gets a system IP address from the DHCP server configured on your gateway device. The computers on your network can also get DHCP addresses from the gateway device. The Firebox uses the IP address assigned by DHCP to receive security services signature updates and to route traffic to internal DNS, NTP, or WebBlocker servers.
If you specify DHCP, you must also specify a management IP address in a private IP address range. If the DHCP server fails to assign a system IP address to your Firebox, or if you do not know the system IP address, you can connect to the Firebox with the management IP address.
In Fireware v11.12.2 and higher, you can enable Spanning Tree Protocol in Bridge mode. Spanning Tree Protocol is designed to prevent loops on networks with redundant links between switches. Administrators who manage networks that must be highly available can configure redundant links and enable Spanning Tree Protocol to help ensure uptime.
For more information about Spanning Tree Protocol, see About Spanning Tree Protocol.
To enable Spanning Tree Protocol, see the Enable Spanning Tree Protocol section.
When you use Bridge mode, your Firebox cannot complete some functions that require the device to operate as a gateway. These functions include:
VLANs (Virtual Local Area Networks)
DHCP server or DHCP relay
1-to-1, dynamic, or static NAT
Dynamic routing (OSPF, BGP, or RIP)
Any type of VPN for which the Firebox is an endpoint or gateway
Some proxy functions, including HTTP Web Cache Server
Authentication automatic redirect
Management of an AP device by the Gateway Wireless Controller
If you have previously configured these features or services, they are disabled when you switch to bridge mode. To use these features or services again, you must use a different network mode. If you return to drop-in or mixed routing mode, you might have to configure some features again.
When you enable Bridge Mode, the Firebox automatically adds a Related Hosts entry for the default gateway configured on interface 0. If the default gateway IP address resides on a different interface, you must change the Related Hosts entry to the correct interface.
When you enable bridge mode, any interfaces with a previously configured network bridge or VLAN are disabled. To use those interfaces, you must first change to either drop-in or mixed routing mode, and configure the interface as External, Optional, or Trusted, then return to bridge mode. Wireless features on a wireless Firebox operate correctly in bridge mode.
The LCD display of an XTM device in bridge mode shows the IP address of the bridged interfaces as 0.0.0.0. This is expected behavior.
To use a network bridge on a FireboxV or XTMv virtual machine on ESXi, you must enable promiscuous mode on the attached virtual switch (vSwitch) in VMware. You cannot use a network bridge on a FireboxV or an XTMv virtual machine on Hyper-V, because Hyper-V virtual switches do not support promiscuous mode.
Enable Bridge Mode (Static IP)
To configure the Firebox in bridge mode, from Fireware Web UI
To configure the Firebox in Bridge mode, from Policy Manager
Click below link to find out HowTo Configure