Skip to content

Deploy Sophos Firewall in bridge mode

When you deploy Sophos Firewall in bridge mode, you can add security to your network without changing the existing configuration.

Introduction

When you configure Sophos Firewall as a layer 2 bridge (in bridge mode), you can use features, such as deep packet inspection, intrusion prevention system, malware scanning, and email content scanning without changing the configuration or IP address schema of your network.

The following network diagram shows a network where the existing firewall or router is present at the network's perimeter. Sophos Firewall is deployed in bridge mode.

Network diagram showing Sophos Firewall deployed in bridge mode.

Note

The IP addresses shown in the diagram are examples. Your network may be different.

Bridge mode deployment

Sophos Firewall is shipped with the following default configuration:

  • Port A IP address (LAN zone): 172.16.16.16/255.255.255.0.
  • Port B IP address (WAN zone): DHCP IP assignment.

Connect port A of Sophos Firewall to an endpoint computer's Ethernet interface and set the endpoint computer's IP address to 172.16.16.2/24. Browse to https://172.16.16.16:4444 to access the graphical user interface (GUI) and follow the steps in the assistant.

Configure Sophos Firewall in bridge mode

  1. Select Click to begin.

    Start screen.

  2. Set a new password for the admin account.

    Basic configuration screen where you create your admin password.

  3. If required, click Manual configuration.

    Internet connection screen with manual configuration button.

    1. Configure the network settings as required and click Apply.

      Manual configuration screen where you configure settings.

      Note

      The network settings shown in the image are examples only. You must configure settings that are appropriate for your network.

    2. Click OK.

      Screen showing that the interface has been updated successfully.

  4. Click Continue.

    Internet connection screen with the continue button.

  5. Choose a name for the firewall and set the time zone.

    Name and time zone screen.

  6. Register your firewall.

    • If you have a serial number, choose the first option and enter your serial number.

      Screenshot showing where you register your serial number.

    • If you don't have a serial number, choose the second option, which provides you a temporary serial number valid for a 30-day trial.

      Screenshot showing where you get a temporary serial number.

  7. Sign in or create a Sophos Central account.

    Screenshot showing how to sign in or create a Sophos Central account.

    If you selected a 30-day trial, select a licensing option and click Claim firewall.

    The serial number is assigned to your Sophos Firewall.

  8. Click Continue.

    Screenshot showing that the basic setup is complete.

  9. Choose bridge mode by selecting Internet gateway (Bridge Mode), and click Continue.

    Network configuration screen where you can choose bridge mode.

  10. Select network protection options as required and click Continue.

    Network protection screen where you can enable network protection.

  11. Set an email recipient for notifications and backups and click Continue.

    Notifications and backups screen where you can set the email recipient.

  12. Review the configuration summary, and click Finish.

    Configuration summary screen.

    Sophos Firewall applies the configuration changes and reboots.

    Finishing screen.

Additional information

When you configure Sophos Firewall in bridge mode, it forwards packets such as Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and multicast routing.

We support High Availability (HA) on bridge interfaces when you deploy Sophos Firewall in bridge mode using the assistant. However, if you run the assistant after you've configured HA, HA is turned off.

You can configure bridge mode on Sophos Firewall without using the assistant. You can set up a bridge interface over physical and virtual interfaces. See Add a bridge interface.