Backhaul Bypass

Set up backhaul bypass to allow any v3.0 or later Airwall Gateway to reach bypass destinations by tunneling traffic using designated bypass egress Airwall Gateways. Optionally, you can use a regional backhaul bypass pool for Airwall Gateways that support backhaul bypass and are not gateways themselves. See Region Bypass.

Supported roles
  • System Administrators
  • Network Administrators with the “Can view and edit bypass destinations” permission
Supported versions
  • Airwall Gateways and Conductor v3.0 and later.
  • For region bypass, both the Conductor and the Airwall Gateways must be v3.2.3 or later.
Note:
  • You can use backhaul bypass for any bypass destination including destinations using hostnames.
  • Backhaul bypass can use relays just like normal overlay traffic. The Airwall Relay does not require any special configuration.
  • You can set up backhaul Airwall Gateways with multiple bypass-enabled underlay port groups and use link manager to fail over between them. See Manage Failover between Underlay Port Groups.

Prerequisites

  • As a best practice, enable source NAT (SNAT) and routed-only mode on the bypass port group.
  • When using hostname bypass destinations, they must meet these requirements:
    • The DNS server used by the overlay device must be on the Conductor-configured allow-list for bypass DNS.
    • The traffic path to resolve hosts must follow the same path on the overlay as the traffic to the actual bypass destination. This means that the DNS server itself must be a bypass destination and the overlay devices using it must have policy to it.

Configuring an Airwall Gateway as a bypass egress gateway

Configuring an Airwall Gateway as a bypass egress gateway allows other Airwall Gateways to use it to access bypass destinations.
Note: Before you begin, you must set up one or more Airwall Gateways with local bypass, including creating bypass destinations, creating an overlay with devices and the bypass destination, and adding trust. See Local Bypass.
  1. Go to the Airwalls page and open an Airwall Gateway.
  2. In Bypass settings, click the edit icon. If Bypass settings reads Bypass is disabled, go to the Port tab, click Edit Settings, select an underlay port, and click Bypass enabled.


  3. Check Allow Airwall to act as a bypass gateway.


  4. Click OK.
  5. Optional: Set up a bypass Airwall Gateway to be the default for your Airwall secure network. The default is used for all v3.0 Airwall Gateways that do not have a local bypass set up and do have trust set up to the bypass destination on an overlay. You can assign a bypass gateway using Bulk Configuration of Airwall Edge Services.
    Note: If you want to use FQDNs for your DNS servers, check that the DNS resolver has access through the same tunnel as backhaul bypass. For example, backhaul to your corporate office and use the DNS resolver there. This access allows the egress gateway to learn the DNS FQDNs. Also, note that some common DNS over HTTPS (DoH) or DNS over TLS (DoT) settings (for example, on Google Chrome) can prevent hostname-based policies from working.

Selecting a specific bypass egress Airwall Gateway

Once you set up a bypass egress Airwall Gateway, you can set up other Airwall Gateways to use it to reach bypass destinations.

  1. Go to the Airwalls page and open the Airwall Gateway that you want to reach a bypass destination through a bypass egress Airwall Gateway.
  2. Go to the Airwall Gateway tab and click the edit icon in Bypass settings.


    Note: You must not have bypass enabled on any of the underlay port groups. If Bypass settings reads Local bypass, go to the Ports tab and uncheck Bypass enabled in all underlay port groups.
  3. From the dropdown menu, select Use specific bypass gateway.


  4. In the additional dropdown menu, select the required bypass egress gateway and click OK.


    Note: You can also set this option in bulk. See Bulk Configuration of Airwall Edge Services, and choose the bypass gateway option:

    Bulk configuration options showing Bypass gateway selected

  5. In an Overlay, add trust from this Airwall Gateway's local devices to the bypass destination.
In v3.4.0 and later, use the Bypass tab to view which Airwalls are using the selected bypass gateway.
Bypass tab

Region bypass

Use a region bypass to group and load balance bypass Airwall Gateways by region. A region bypass is configured by creating a region tag. Add the region tag (or tags) to one or more bypass egress gateways and to the Airwall Gateways you want to use with the region bypass egress gateways. To create a tag in the Conductor, complete the following steps:

  1. Select the Tags icon.
  2. Click New tag.
  3. Give the tag a name and fill in the required information. See Create a Tag.
  4. Select Region tag.


  5. Select Create.
    Note the region tag icon for easy identification.
  6. Go to the Airwall tab and select the Airwall you want to use with the region bypass egress gateway.
  7. Select Actions > Tags and choose the region tag from the drop down menu.


  8. In Bypass Settings, click the edit icon and then select Use regional bypass gateway pool from the drop down menu.
  9. Return to the Airwall list and find the bypass egress gateway you want to use.
    Note: To be a bypass egress gateway, the Bypass Settings must be set to Acting as a bypass egress gateway.
  10. Select Actions > Tags and choose the same region tag you chose for the Airwall from the drop down menu.
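
The selection rules from the two procedures above can be checked offline before a rollout. The following audit is an added example, not Tempered's code or a Conductor API: the inventory layout, the field names, and the mode labels `egress`, `specific`, and `region` are assumptions that stand in for the Bypass settings values shown in the UI.

```python
# Added example: the inventory layout and field names are assumptions for
# illustration, not a Conductor API or export format.
BACKHAUL_MIN = (3, 0)    # backhaul bypass: v3.0 or later
REGION_MIN = (3, 2, 3)   # region bypass: v3.2.3 or later

def ver(s):
    return tuple(int(p) for p in s.split("."))

def audit(conductor_version, airwalls):
    """Return (airwall name, problem) pairs, in inventory order."""
    problems = []
    # "egress" = Bypass settings read "Acting as a bypass egress gateway"
    egress = {a["name"]: a for a in airwalls if a["bypass"] == "egress"}
    for a in airwalls:
        name, mode = a["name"], a["bypass"]
        if mode in ("specific", "region") and ver(a["version"]) < BACKHAUL_MIN:
            problems.append((name, "backhaul bypass needs v3.0 or later"))
        if mode == "specific":      # "Use specific bypass gateway"
            if any(a.get("underlay_bypass_enabled", [])):
                problems.append((name, "bypass enabled on an underlay port group"))
            if a.get("gateway") not in egress:
                problems.append((name, "selected gateway is not a bypass egress gateway"))
        if mode == "region":        # "Use regional bypass gateway pool"
            if min(ver(conductor_version), ver(a["version"])) < REGION_MIN:
                problems.append((name, "region bypass needs v3.2.3 or later"))
            tags = set(a.get("region_tags", []))
            pool = [g for g in egress.values()
                    if tags & set(g.get("region_tags", []))
                    and ver(g["version"]) >= REGION_MIN]
            if not pool:
                problems.append((name, "no v3.2.3+ egress gateway shares a region tag"))
    return problems

# Constructed sample inventory (names, versions and tags are made up).
SAMPLE = [
    {"name": "egress-east", "version": "3.4.0", "bypass": "egress", "region_tags": ["us-east"]},
    {"name": "egress-old", "version": "3.1.0", "bypass": "egress", "region_tags": ["us-west"]},
    {"name": "branch-1", "version": "3.4.0", "bypass": "region", "region_tags": ["us-east"]},
    {"name": "branch-2", "version": "3.4.0", "bypass": "region", "region_tags": ["us-west"]},
    {"name": "branch-3", "version": "3.2.0", "bypass": "specific",
     "gateway": "egress-east", "underlay_bypass_enabled": [False, True]},
    {"name": "branch-4", "version": "3.0.0", "bypass": "specific",
     "gateway": "branch-1", "underlay_bypass_enabled": [False]},
]

if __name__ == "__main__":
    for name, problem in audit("3.4.0", SAMPLE):
        print(f"{name}: {problem}")
```

An Airwall reported with no matching egress gateway has no pool to tunnel through, so its trust to the bypass destination exists on the overlay but there is no egress path for the traffic.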