Deploy Sophos Firewall in bridge mode

When you deploy Sophos Firewall in bridge mode, you can add security to your network without changing the existing configuration.

Introduction

When you configure Sophos Firewall as a layer 2 bridge (in bridge mode), you can use features like deep packet inspection, intrusion prevention system, malware scanning, and email content scanning without changing the configuration or IP schema of your network.

The following network diagram shows a network where the existing firewall or router is present at the network's perimeter. Sophos Firewall is deployed in bridge mode.

Network diagram showing Sophos Firewall deployed in bridge mode
Note The IP addresses shown in the diagram are examples. Your network may be different.

Bridge mode deployment

Sophos Firewall is shipped with the following default configuration:

  • Port A IP address (LAN zone): 172.16.16.16/255.255.255.0.
  • Port B IP address (WAN zone): DHCP IP assignment.

Connect port A of Sophos Firewall to an endpoint computer's Ethernet interface and set the endpoint computer's IP address to 172.16.16.2/24. Browse to https://172.16.16.16:4444 to access the graphical user interface (GUI) and follow the steps in the assistant.

Configure Sophos Firewall in bridge mode

  1. Select Click to begin.
    Start screen.
  2. Set a new password for the admin account.
    Basic configuration screen where you create your admin password.
  3. Optional If required, click Manual configuration.
    Internet connection screen with manual configuration button.
    1. Configure the network settings as required. Then click Apply.
      Manual configuration screen where you configure settings
      Note The network settings shown in the image are examples only. You must configure settings that are appropriate for your network.
    2. Click OK.
      Screen showing that the interface has been updated successfully.
  4. Click Continue.
    Internet connection screen with the continue button.
  5. Choose a firewall name and set the time zone.
    Name and time zone screen.
  6. Register your firewall.
    • If you have a serial number, choose the first option and enter your serial number.
      Screenshot showing where you register your serial number.
    • If you don't have a serial number, choose the second option, which provides you a temporary serial number valid for a 30-day trial.
      Screenshot showing where you get a temporary serial number.
  7. You're asked to sign in or create a Sophos ID if you don't already have one.
    Screenshot showing how to log in or create a Sophos ID.
    The serial number is assigned to your Sophos Firewall.
  8. Click Continue.
    Screenshot showing the continue button.

    Upon successful registration, you see the following screen.

    Screenshot showing a successful registration.

    The basic setup is complete.

  9. Click Continue.
    Screenshot showing that the basic setup is complete.
  10. Choose bridge mode by selecting Internet gateway (Bridge Mode), and click Continue.
    Network configuration screen where you can choose bridge mode.
  11. Optional Click Enable TAP/Discover Mode if required and select one or more ports for passive network monitoring.
    Screenshot showing where to enable TAP/Discover mode, and the passive network monitoring screen.
  12. Select network protection options as required and click Continue.
    Network protection screen where you can enable network protection.
  13. Set an email recipient for notifications and backups and click Continue.
    Notifications and backups screen where you can set the email recipient.
  14. Review the configuration summary, and click Finish.
    Configuration summary screen.

    Sophos Firewall applies the configuration changes and reboots.

    Finishing screen.

Additional information

When you configure Sophos Firewall in bridge mode, it forwards packets such as Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and multicast routing.

We support High Availability (HA) on bridge interfaces when you deploy Sophos Firewall in bridge mode using the assistant. However, if you run the assistant after you've configured HA, HA is turned off.

You can configure bridge mode on Sophos Firewall without using the assistant. You can set up a bridge interface over physical and virtual interfaces. See Add a bridge interface.