Seamless Bypass
Seamless Bypass allows you to separate traffic (split tunnel) going through your Airwall Gateway, where you selectively encrypt and tunnel some traffic, while allowing other traffic to pass through the Airwall Gateway unchanged. This ability also allows protected devices to securely communicate with devices or network locations that are not protected by Airwall Edge Services.
For example, you may have devices that need to communicate with software update servers on the Internet. You can configure the software update servers as a bypass destination and establish trust between the bypass destination and the protected devices. This gives the devices the ability to communicate with the bypass destination, while requiring all other access to be through encrypted tunnels from other Airwall Gateways.
This configuration of Seamless Bypass permits traffic between the secure overlay network and an insecure underlay network, where the Airwall Gateway acts similarly to an SNAT (Source Network Address Translation) gateway. Connections initiated from the underlay network are still blocked, but connections initiated from a protected device to a bypass destination it trusts are allowed, and their return traffic is translated back to the protected device.
You set up a bypass destination to:
- Permit traffic to exit your secure overlay to destinations not protected by an Airwall Edge Service
- Provide an intermediate step during migration, before all of your traffic is protected by Airwall Edge Services
- Allow local devices to continue to access a protected device
Supported Versions
- Conductor: 2.2.8 and later
- Airwall Gateways: hardware and virtual gateways running 2.2.8, and cloud gateways with some restrictions
Requirements and Prerequisites
Requirements
- Any other network traffic that you want to send to remote Airwall Gateways must be routable between subnets and must not rely on broadcast or multicast protocols.
- Devices protected by the Airwall Gateway either use DHCP, or can be reconfigured to use the new overlay subnet.
What type of devices can be bypass destinations?
You can set many types of network destinations as bypass destinations. For example:
- Active Directory Servers
- Software Update Servers
- Equipment control systems, such as for HVAC installations.
- The internet, to bypass to everything on the internet.
Before you begin
Before you begin, you need to:
- Have the IP address or hostname of the device or destination for which you want to create a seamless bypass.
- Update your Conductor and the Airwall Gateway to which you want to add the bypass destination to version 2.2.8.
- If you are using a v2.2.10 or later Conductor, and need or want to use a fully qualified domain name (FQDN) instead of IP for your bypass destination, you need to enable bypass DNS. See Enable DNS lookup for bypass destinations.
Set up a bypass destination (seamless bypass)
To set up a bypass destination, you need to:
- Enable bypass on the Underlay Port
- Set up an Overlay port for the bypass
- Add protected devices
- Create a bypass destination
- Set trust between the bypass destination and protected devices.
These steps are described in more detail in the following sections.
Step 1: Enable bypass on your underlay port on the Airwall Gateway
Set up a bypass port on the Airwall Gateway that is protecting devices that need access to the bypass destination.
- On the Airwalls page, on the Ports tab, go to the Underlay Port group, and select Edit Settings.
- Check Enable bypass.
- If you are setting up an L3 or combined L2 and L3 bypass (recommended), also check Enable source NAT and Routed traffic only.
- Select Update Settings.
Step 2: Set up an Overlay Port group for the bypass
- On the Overlay Port group, select Edit Settings.
- Check Routed traffic only.
Note: Checking this option prevents broadcast and local multicast traffic across this port group. Clear this box to use the same subnet on the overlay and underlay sides of this Airwall Gateway.
- Find an unused subnet and set up a static IP address for the Overlay Port group. Pick a subnet that is not used elsewhere in your network, for example 192.168.1.0/24. One common convention is to assign the first usable IP in the new subnet (192.168.1.1 in this example) to the port group.
- Select Update Settings.
- Under DHCP settings, click Configure.
- Set up a DHCP server on the overlay so that devices connecting to the Airwall Gateway automatically get an IP address. For more information, see Protected devices with DHCP.
Step 3: Add protected devices and/or a device group, if needed
For details, see Add devices to the Conductor.
Step 4: Create a bypass destination
- On the Conductor Devices page, on the Devices tab, click Add bypass destination.
- Enter the bypass destination:
- Under IP address, enter the IP address or CIDR block of the seamless bypass destination. For example, to create a bypass destination for the entire Internet, enter 0.0.0.0/0.
- Or, if you have enabled DNS for bypass destinations (v2.2.10 or later), under Hostname, enter a fully-qualified domain name (FQDN) instead of an IP address, for example google.com. For more information, see Enable DNS lookup for bypass destinations.
- Ignore the MAC options.
- Optional. Add a description and tags to help identify the bypass destination.
- Click Create.
Step 5: Set trust between the bypass destination and protected devices
Add the bypass destination and devices or device groups that need to access it to a new or existing overlay, and assign trust between them as you normally would. For more details, see Create an overlay network and Add and remove device trust.
You should now be able to plug devices into your Airwall Gateway, and they will be able to get an IP address and connect to the bypass destination.
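Before committing the configuration above in the Conductor, it helps to sanity-check two things the procedure depends on: that the overlay subnet you picked in Step 2 really is unused, and that the trust you grant in Step 5 yields the flow behaviour described under Seamless Bypass (overlay-initiated connections to a trusted bypass destination leave through source NAT, underlay-initiated connections are blocked, everything else can only travel through an encrypted tunnel). The following Python script is an added example and is not Tempered or Airwall code; it models that policy with constructed addresses and with one assumption, namely that trust is additive, so a device may use any bypass destination whose network covers the target and to which it holds trust.

```python
"""Model of seamless-bypass flow decisions plus the overlay-subnet check.

Added example, not Airwall/Conductor code. The gateway behaviour modelled here
follows the page's description; the additive-trust rule in flow_decision() is
an assumption of this model. All addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class BypassDestination:
    """A bypass destination (Step 4) and the protected devices trusted to reach it (Step 5)."""
    network: IPNet                 # e.g. 0.0.0.0/0 for "the internet"
    trusted_devices: frozenset     # overlay IPs, as strings, granted trust in the Conductor


def overlay_subnet_conflicts(candidate: str, in_use: list[str]) -> list[IPNet]:
    """Step 2 check: every in-use subnet that overlaps the proposed overlay subnet."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [net for net in map(ipaddress.ip_network, in_use) if cand.overlaps(net)]


def overlay_port_ip(candidate: str) -> str:
    """The 'first usable IP' convention for the Overlay Port group's static address."""
    return str(next(ipaddress.ip_network(candidate, strict=False).hosts()))


def flow_decision(overlay: str, destinations: list[BypassDestination],
                  src: str, dst: str, initiated_from_overlay: bool) -> str:
    """Classify one new connection the way a bypass-enabled gateway would.

    Assumption (model, not documented behaviour): trust is additive, so the
    device may bypass if it trusts ANY destination whose network covers dst.
    """
    overlay_net = ipaddress.ip_network(overlay, strict=False)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not initiated_from_overlay:
        return "blocked"          # underlay-initiated: an SNAT gateway has no inbound mapping
    if s not in overlay_net:
        return "blocked"          # not a protected device on this overlay port
    if d in overlay_net:
        return "local"            # stays on the overlay side; no bypass involved
    for bd in destinations:
        if d in bd.network and str(s) in bd.trusted_devices:
            return "bypass-snat"  # exits via the underlay port with source NAT
    return "tunnel-only"          # reachable only through an encrypted tunnel, if trusted there


# Constructed sample configuration for a quick self-check (not a real deployment).
IN_USE = ["10.0.0.0/16", "192.168.1.0/24"]            # subnets already used elsewhere
OVERLAY = "10.77.0.0/24"                               # the unused subnet chosen for Step 2
DEVICES = frozenset({"10.77.0.20", "10.77.0.21"})      # protected devices (DHCP leases)
DESTINATIONS = [
    BypassDestination(ipaddress.ip_network("203.0.113.0/24"), DEVICES),                       # update servers
    BypassDestination(ipaddress.ip_network("198.51.100.10/32"), frozenset({"10.77.0.20"})),   # AD server
]

if __name__ == "__main__":
    # The page's example subnet 192.168.1.0/24 would collide with an in-use subnet here.
    print(overlay_subnet_conflicts("192.168.1.0/24", IN_USE))
    print(overlay_subnet_conflicts(OVERLAY, IN_USE))
    print(overlay_port_ip(OVERLAY))
    print(flow_decision(OVERLAY, DESTINATIONS, "10.77.0.21", "203.0.113.7", True))
    print(flow_decision(OVERLAY, DESTINATIONS, "10.77.0.21", "198.51.100.10", True))
    print(flow_decision(OVERLAY, DESTINATIONS, "203.0.113.7", "10.77.0.21", False))
```

Feed overlay_subnet_conflicts() the subnets from your IPAM and the networks of your planned bypass destinations; a bypass destination for 0.0.0.0/0 will of course overlap everything, so exclude it from the in-use list. The second device in the sample holds trust only to the update servers, so its attempt to reach the AD server comes back as tunnel-only rather than bypass-snat, which is exactly the distinction the trust step in Step 5 controls.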
To see or change settings for your bypass destination
If you need to review or change settings for your bypass destination, you can open it from the Devices page.
- On the Devices page, on the Devices tab, open Show all devices and then select Bypass destinations.
- On the line for your bypass destination, open the drop-down on the right, and select Edit Properties. On this page, you can:
- See or change properties
- See the bypass destination's membership in overlays
- See the remote devices or locations it trusts