Bypass mode on hardware



  • I have recently been exposed to a feature called bypass mode on the new hardware I am using and was wondering if anyone could provide any useful examples of how this might be useful when used with pfSense.



  • It generally isn't usable for most people's use cases. The only circumstance where it would be usable is if you strictly had a transparent bridge firewall, then bypass mode would cause that bridge to fail open rather than failing closed.



  • Many firewall or router vendors like Cisco, Juniper, Brocade, Palo Alto Networks, Barracuda Networks,
    WatchGuard and Sophos offer appliances that come with such a bypass mode.

    Think of a transparent proxy solution. You may still want traffic to pass through the proxy if the
    hardware or OS fails, so you would want a bypass card.

    It is like a bridged port working in the so-called "promiscuous mode"; that part is done mostly
    in software, whereas the bypass mode of the bypass switch is done in hardware, as I see it.
    If the appliance is down, the bridge goes down too, but with a bypass switch the WAN interface
    can be blocked or go down, or the entire OS can go down, and the data flow then goes over the bypass
    port and passes the firewall or WAN interface unfiltered, to guarantee the service and connectivity of the
    entire network.

    Here are some examples of how others use it:

    • Fortinet
      Based on a Switch power failure, FortiBridge in Normal Mode vs. FortiBridge in Bypass Mode
    • WebSense
      Surrounding a blocked firewall WAN port
    • Bypass mode diagram
      Ethernet LAN ports in normal mode & bypass mode

    Bridging LAN ports (promiscuous mode) together is set up in the OS, e.g. pfSense, whereas
    bypass mode is set up in the BIOS of the board or in the firmware of the NIC. But with a
    pfSense cluster as HA over CARP you don't need that bypass mode, because if one firewall
    goes down, the second one will be in use and so the traffic will still be filtered.

    pfSense comes with internal IDS/IPS, proxy and AV scan packages, so you will not really need
    this option, but if you are using a firewall, behind it an IDS/IPS system and behind that a
    proxy server, it could become more interesting for your network.



  • Could it be used with ntop? So you could use pfSense as an appliance of sorts to capture traffic on a network if placed in between a firewall and the network?



  • Having bypass is pretty much the antithesis of the basic purpose of a firewall.

    If you just want to use the security/scanning/logging options of pfSense passively, it would be a lot better to use a tap. I would start by pointing you to software more specifically designed for that, though, such as Security Onion etc.

