Netgate Discussion Forum

    Bypass mode on hardware

    5 Posts 4 Posters 2.6k Views
    kapara

      I have recently been exposed to a feature called bypass mode on the new hardware I am using and was wondering if anyone could provide any useful examples of how this might be useful when using with pfSense.

      Skype ID:  Marinhd

      cmb

        It generally isn't usable for most people's use cases. The only circumstance where it would be usable is if you strictly had a transparent bridge firewall, then bypass mode would cause that bridge to fail open rather than failing closed.

        Guest

          Many firewall or router vendors like Cisco, Juniper, Brocade, Palo Alto Networks, Barracuda Networks,
          WatchGuard and Sophos offer appliances that come with such a bypass mode.

          Think of a transparent proxy solution. You may still want traffic to pass through the proxy if the
          hardware or OS fails, so you would want a bypass card.

          It is like a bridged port that is working in the so-called "promiscuous mode", and this is done
          mostly in software, while the bypass mode of the bypass switch is done in hardware, as I see it.
          If the appliance is down, the bridge also goes down, but with a bypass switch the WAN interface
          can be blocked or go down, or the entire OS can go down, and the data flow then goes over the bypass
          port and passes the firewall or WAN interface unfiltered, to guarantee the service and connectivity of the
          entire network.

          Here are some examples of how others use it:

          • Fortinet
            Based on a Switch power failure, FortiBridge in Normal Mode vs. FortiBridge in Bypass Mode
          • WebSense
            Surrounding a blocked firewall WAN port
          • Bypass mode diagram
            Ethernet LAN ports in normal mode & bypass mode

          Bridging LAN ports (promiscuous mode) together is set up in the OS, like pfSense; setting up a
          bypass mode is done in the BIOS of the board or in the firmware of the NIC. But with a
          pfSense cluster as HA over CARP you don't need that bypass mode, because if one firewall
          goes down, the second one will be in use and so the traffic will still be filtered.

          pfSense comes with internal IDS/IPS, proxy and AV packet scanning, so you will not really need
          this option, but if you are using a firewall and behind it an IDS/IPS system and behind that a
          proxy server, it could become more interesting for your network.

            kapara

            Could it be used with ntop?  So you could use pfSense as an appliance of sorts to capture traffic on a network if placed in between a firewall and the network?

            Skype ID:  Marinhd

              Aluminum

              Having bypass is pretty much the antithesis of the basic purpose of a firewall.

              If you just want to use the security/scanning/logging options of pfsense passively it would be a lot better to use a tap. I would start to point you to software more specifically designed for that though, such as security onion etc.

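The fail-open versus fail-closed distinction that cmb and Aluminum describe is easy to model. The following Python is an added example written for this thread; it is not pfSense code and does not reflect how any real bypass NIC is configured. It models a transparent bridge firewall with a small rule set, then compares what happens to the same traffic when the appliance fails with and without a hardware bypass switch. The rule set, packets and addresses are constructed for illustration, and bypass_exposure() lists the packets that the policy would normally block but that a bypass relay would pass unfiltered, which is the set worth enumerating before deciding to fail open.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    PASS = "pass"            # forwarded across the bridge
    BLOCK = "block"          # dropped by a firewall rule
    LINK_DOWN = "link down"  # bridge is gone, nothing gets through


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: Verdict
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and \
               (self.dport is None or self.dport == pkt.dport)


class BridgeFirewall:
    """Transparent (bridged) firewall whose behaviour on appliance failure
    depends on whether a hardware bypass switch sits between its ports."""

    def __init__(self, rules, hardware_bypass: bool):
        self.rules = list(rules)
        self.hardware_bypass = hardware_bypass
        self.healthy = True

    def crash(self) -> None:
        """Simulate an OS or hardware failure: the software bridge disappears."""
        self.healthy = False

    def forward(self, pkt: Packet) -> Verdict:
        if not self.healthy:
            # A bypass relay closes the circuit between the two ports, so traffic
            # passes with no filtering at all. Without it the bridge is simply dead.
            return Verdict.PASS if self.hardware_bypass else Verdict.LINK_DOWN
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return Verdict.BLOCK  # implicit default deny


# Constructed sample policy: allow web traffic, deny everything else.
RULES = [
    Rule(Verdict.PASS, proto="tcp", dport=80),
    Rule(Verdict.PASS, proto="tcp", dport=443),
    Rule(Verdict.BLOCK),
]

# Constructed sample traffic; addresses are documentation ranges, not real hosts.
PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", 443),  # https
    Packet("192.0.2.10", "198.51.100.5", "tcp", 23),   # telnet
    Packet("192.0.2.10", "198.51.100.5", "tcp", 445),  # smb
]


def verdicts(fw: BridgeFirewall, packets) -> dict:
    """Map destination port -> verdict for each packet."""
    return {p.dport: fw.forward(p) for p in packets}


def bypass_exposure(rules, packets) -> list:
    """Packets the policy blocks in normal operation but that a hardware bypass
    would let through unfiltered once the appliance fails."""
    normal = BridgeFirewall(rules, hardware_bypass=False)
    bypassed = BridgeFirewall(rules, hardware_bypass=True)
    bypassed.crash()
    return [p for p in packets
            if normal.forward(p) is Verdict.BLOCK
            and bypassed.forward(p) is Verdict.PASS]


def compare_failure_modes(rules, packets) -> dict:
    """Verdicts while healthy, then after a crash with and without bypass."""
    fail_closed = BridgeFirewall(rules, hardware_bypass=False)
    fail_open = BridgeFirewall(rules, hardware_bypass=True)
    before = verdicts(fail_closed, packets)
    fail_closed.crash()
    fail_open.crash()
    return {
        "normal": before,
        "fail_closed": verdicts(fail_closed, packets),
        "fail_open": verdicts(fail_open, packets),
    }


if __name__ == "__main__":
    for mode, result in compare_failure_modes(RULES, PACKETS).items():
        print(mode, {port: v.value for port, v in result.items()})
    print("exposed by bypass:", [p.dport for p in bypass_exposure(RULES, PACKETS)])
```

Run stand-alone it prints the three verdict tables: in normal mode only port 443 passes; after a crash the fail-closed bridge reports every packet as link down, while the fail-open bridge passes telnet and SMB along with HTTPS. That last row is why the thread treats bypass as the opposite of what a firewall is for, and why a CARP/HA pair (which keeps filtering when one node dies) or a passive tap is the usual answer instead.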
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.