Seamless Bypass

Seamless Bypass allows you to separate traffic (split tunnel) going through your Airwall Gateway, where you selectively encrypt and tunnel some traffic, while allowing other traffic to pass through the Airwall Gateway unchanged. This ability also allows protected devices to securely communicate with devices or network locations that are not protected by Airwall Edge Services.

For example, you may have devices that need to communicate with software update servers on the Internet. You can configure the software update servers as a bypass destination and establish trust between the bypass destination and the protected devices. This gives the devices the ability to communicate with the bypass destination, while requiring all other access to be through encrypted tunnels from other Airwall Gateways.

This configuration of Seamless Bypass permits traffic between the secure overlay network and an insecure underlay network, with the Airwall Gateway acting much like a source NAT (SNAT) gateway: connections initiated from the underlay network are still blocked, while connections initiated from a protected device to a bypass destination it trusts are allowed, and the return traffic for those connections is passed back to the device.
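
The forwarding behaviour described above, as an added model that is not Airwall Gateway code: a protected device in the overlay subnet may open a connection to a bypass destination it trusts, the connection is source-NATed to the gateway's underlay address and remembered so the reply gets back, and anything initiated from the underlay, or aimed at a destination the device does not trust, is dropped. The overlay subnet follows the Step 2 example; the underlay address 10.0.0.50, the destination networks, the device addresses and the trust table are constructed for illustration. The model also shows why the DNS server handed out by DHCP must itself be a trusted bypass destination: without that, a device's DNS queries are dropped like any other untrusted traffic.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumptions for illustration: overlay subnet from the Step 2 example,
# underlay (bypass) address of the Airwall Gateway chosen for this model.
OVERLAY_SUBNET = ipaddress.ip_network("192.168.1.0/24")
UNDERLAY_IP = "10.0.0.50"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class BypassPolicy:
    # bypass destination name -> network; 0.0.0.0/0 means "the internet" (Step 4)
    destinations: dict
    # protected device IP -> names of the bypass destinations it trusts (Step 5)
    trust: dict
    # SNAT state: (underlay src, sport, dst, dport, proto) -> original device IP
    conntrack: dict = field(default_factory=dict)

    def trusted_destination(self, device, dst):
        """Name of the most specific trusted destination containing dst, else None."""
        addr = ipaddress.ip_address(dst)
        names = self.trust.get(device, ())
        for name in sorted(names, key=lambda n: self.destinations[n].prefixlen, reverse=True):
            if addr in self.destinations[name]:
                return name
        return None

    def handle(self, pkt):
        if ipaddress.ip_address(pkt.src) in OVERLAY_SUBNET:
            return self._from_overlay(pkt)
        return self._from_underlay(pkt)

    def _from_overlay(self, pkt):
        if ipaddress.ip_address(pkt.dst) in OVERLAY_SUBNET:
            return "overlay"            # device-to-device traffic stays in the overlay
        name = self.trusted_destination(pkt.src, pkt.dst)
        if name is None:
            return "drop"               # no trust with any bypass destination
        # Source NAT: the packet leaves with the underlay address; record the
        # translated tuple so that the reply can be matched and returned.
        self.conntrack[(UNDERLAY_IP, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = pkt.src
        return f"bypass:{name}"

    def _from_underlay(self, pkt):
        # A reply matches an SNAT entry with source and destination swapped.
        device = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if device is None:
            return "drop"               # underlay-initiated connection: always blocked
        return f"reply-to:{device}"


def build_example_policy():
    """Constructed scenario: an update server, a DNS server and 'the internet'."""
    destinations = {
        "update-server": ipaddress.ip_network("203.0.113.10/32"),
        "dns": ipaddress.ip_network("8.8.8.8/32"),
        "internet": ipaddress.ip_network("0.0.0.0/0"),
    }
    trust = {
        "192.168.1.100": {"update-server", "dns"},   # narrow trust
        "192.168.1.101": {"internet"},               # broad trust
        # 192.168.1.102 is a protected device with no bypass trust at all
    }
    return BypassPolicy(destinations, trust)


if __name__ == "__main__":
    policy = build_example_policy()
    for pkt in (
        Packet("192.168.1.100", 40001, "203.0.113.10", 443),   # trusted, SNATed out
        Packet("203.0.113.10", 443, UNDERLAY_IP, 40001),       # reply, returned to device
        Packet("192.168.1.100", 5353, "8.8.8.8", 53, "udp"),   # DNS works: server is trusted
        Packet("192.168.1.102", 5353, "8.8.8.8", 53, "udp"),   # DNS dropped: no trust
        Packet("198.51.100.7", 4444, UNDERLAY_IP, 22),         # underlay-initiated: dropped
    ):
        print(pkt, "->", policy.handle(pkt))
```

A device trusted only to specific destinations cannot reach anything else on the underlay, so if its DHCP-assigned DNS servers are not themselves trusted bypass destinations, name resolution fails even though the trusted destination is reachable by IP.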

You set up a bypass destination to:

  • Permit traffic to exit your secure overlay to destinations not protected by an Airwall Edge Service
  • Serve as an intermediate step during migration to protecting all your traffic with Airwall Edge Services
  • Allow local devices to continue to access a protected device

Supported Versions

Versions
  • Conductor: 2.2.8 and later
  • Airwall Gateways: hardware and virtual gateways running 2.2.8 and later; cloud gateways, with some restrictions.

Requirements and Prerequisites

Requirements

  • Any other traffic that you want to send to remote Airwall Gateways can be routed between subnets and does not rely on broadcast or multicast protocols (the Routed traffic only setting used below blocks them).
  • Devices protected by the Airwall Gateway either use DHCP, or can be reconfigured to use the new subnet.

What type of devices can be bypass destinations?

You can set many types of network destinations as bypass destinations. For example:

  • Active Directory Servers
  • Software Update Servers
  • Equipment control systems, such as for HVAC installations.
  • The internet, to bypass to everything on the internet (entered as 0.0.0.0/0 when you create the bypass destination).

Before you begin

Before you begin, you need to:

  • Have the IP address or hostname of the device or destination for which you want to create a seamless bypass.
  • Update your Conductor and the Airwall Gateway to which you want to add the bypass destination to version 2.2.8 or later.
  • If you are using a v2.2.10 or later Conductor, and need or want to use a fully qualified domain name (FQDN) instead of IP for your bypass destination, you need to enable bypass DNS. See Enable DNS lookup for bypass destinations.

Set up a bypass destination (seamless bypass)

To set up a bypass destination, you need to:

  1. Enable bypass on the Underlay Port
  2. Set up an Overlay port for the bypass
  3. Add protected devices
  4. Create a bypass destination
  5. Set trust between the bypass destination and protected devices.

These steps are described in more detail in the following sections.

Step 1: Enable bypass on your underlay port on the Airwall Gateway

Set up a bypass port on the Airwall Gateway that is protecting devices that need access to the bypass destination.

  1. On the Airwalls page, on the Ports tab, go to the Underlay Port group, and select Edit Settings.
  2. Check Enable bypass.
  3. If you are setting up an L3 or combined L2 and L3 bypass (recommended), also check Enable source NAT and Routed traffic only.
  4. Select Update Settings.

Step 2: Set up an Overlay Port group for the bypass

  1. On the Overlay Port group, select Edit Settings.
  2. Check Routed traffic only.
    Note: Checking this option prevents broadcast and local multicast traffic across this port group. Clear this box to use the same subnet on overlay and underlay sides of this Airwall Gateway.
  3. Find an unused subnet and set up a static IP address for the Overlay Port group. Pick a subnet that is not used elsewhere in your network (including the underlay side of this Airwall Gateway), for example: 192.168.1.0/24. One common convention is to give the Airwall Gateway the first usable IP in the new subnet, 192.168.1.1 in this example.
  4. Select Update Settings.
  5. Under DHCP settings, click Configure.
  6. Set up a DHCP server on the overlay so devices connecting to the Airwall Gateway automatically get an IP address:
    1. Under DHCP configuration, select DHCP server.
    2. For Overlay device IP start and Overlay device IP end, enter a DHCP range for the devices. For example, 192.168.1.100-192.168.1.199.
    3. Netmask - Set to the netmask for the subnet you selected, for example, 255.255.255.0 for the /24 used in this example.
    4. Gateway – Set to the Airwall Gateway's overlay IP (192.168.1.1 in this example).
    5. DNS servers – Set to your preferred DNS servers. For example, Google's public DNS servers at 8.8.8.8 and 8.8.4.4. Note that the protected devices can only reach these servers through the bypass if the servers are also set up as trusted bypass destinations (see Step 5).
    6. Select Apply.
    For more information, see Protected devices with DHCP.
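
A check for the addressing plan chosen in Step 2, added here as an example and not part of the Airwall product: it takes the proposed overlay subnet, gateway address, DHCP range and netmask, and reports the mistakes that make a bypass setup fail in practice, namely a subnet that overlaps one already in use, a netmask that does not match the prefix, a gateway address outside the subnet or inside the DHCP pool, and a DHCP range that spills outside the usable addresses. The list of subnets already in use is a constructed input.

```python
import ipaddress

# Constructed example: subnets already in use on the underlay and elsewhere.
EXISTING_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24", "172.16.5.0/24"]


def check_overlay_plan(overlay_cidr, gateway_ip, dhcp_start, dhcp_end, netmask, existing_subnets):
    """Return a list of problems with a proposed Overlay Port group plan; empty means OK."""
    problems = []
    try:
        net = ipaddress.ip_network(overlay_cidr)      # strict: host bits must be zero
    except ValueError as exc:
        return [f"overlay subnet {overlay_cidr!r} is not a valid network: {exc}"]
    gw = ipaddress.ip_address(gateway_ip)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)
    usable = (net.network_address, net.broadcast_address)   # the two unusable addresses

    # Step 2.3: the subnet must not be used anywhere else; overlap, not just equality, matters.
    for cidr in existing_subnets:
        other = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(other):
            problems.append(f"overlay subnet {net} overlaps existing subnet {other}")

    # Netmask entered in the DHCP dialog must describe the same prefix as the subnet.
    try:
        if ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen != net.prefixlen:
            problems.append(f"netmask {netmask} does not match /{net.prefixlen}")
    except ValueError:
        problems.append(f"netmask {netmask!r} is not a valid netmask")

    # Gateway must be a usable host in the subnet (convention: the first usable address).
    if gw not in net or gw in usable:
        problems.append(f"gateway {gw} is not a usable host address in {net}")

    # DHCP range must be ordered, lie within the usable addresses, and not contain the gateway.
    if start > end:
        problems.append(f"DHCP range start {start} is after end {end}")
    for addr in (start, end):
        if addr not in net or addr in usable:
            problems.append(f"DHCP address {addr} is outside the usable range of {net}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the DHCP range {start}-{end}")
    return problems


if __name__ == "__main__":
    # The plan from the page's example against the constructed existing subnets.
    print(check_overlay_plan("192.168.1.0/24", "192.168.1.1",
                             "192.168.1.100", "192.168.1.199",
                             "255.255.255.0", EXISTING_SUBNETS))
```

Run it before you click Update Settings; reusing a subnet that already exists on the underlay is the most common reason a device gets an address but its bypass traffic goes nowhere.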

Step 3: Add protected devices

Connect the devices that need to reach the bypass destination to the Overlay Port group of the Airwall Gateway. With the DHCP server from Step 2 in place, they receive an address in the overlay subnet (192.168.1.100 to 192.168.1.199 in this example) and can then be added to an overlay and given trust in Step 5. For more information, see Protected devices with DHCP.

Step 4: Create a bypass destination

Note: The bypass destination can be shared between all Airwall Gateways on the Conductor that support bypass and have bypass enabled, so if you’ve already set up a bypass destination, you can skip this step.
  1. On the Conductor Devices page, on the Devices tab, click Add bypass destination.
  2. Enter the bypass destination:
    • Under IP address, enter the IP for the destination of the seamless bypass device. For example, to create a bypass destination for the Internet, enter 0.0.0.0/0.
    • Or, if you have enabled DNS for bypass destinations (v2.2.10 or later), under Hostname, enter a fully-qualified domain name (FQDN) instead of an IP address. For example, google.com. For more information, see Enable DNS lookup for bypass destinations.
  3. Ignore the MAC options.
  4. Optional. Add a description and tags to help identify the bypass destination.
  5. Click Create.

Step 5: Set trust between the bypass destination and protected devices

Add the bypass destination and devices or device groups that need to access it to a new or existing overlay, and assign trust between them as you normally would. For more details, see Create an overlay network and Add and remove device trust.

Note: You can also set up trust between the bypass destination and individual devices.
Note: If you are adding trust to a bypass destination defined by hostname (DNS bypass), you must first create a bypass destination for the DNS server the protected devices use, for example the servers you set in the DHCP configuration in Step 2, and add trust to it. Until the DNS server is a trusted bypass destination, the devices cannot resolve the hostname, so the hostname-based destination is unreachable.

You should now be able to plug devices into your Airwall Gateway, and they will be able to get an IP address and connect to the bypass destination.

To see or change settings for your bypass destination

If you need to review or change settings for your bypass destination, you can open it from the Devices page.

  1. On the Devices page, on the Devices tab, open Show all devices and then select Bypass destinations.
  2. On the line for your bypass destination, open the drop-down on the right, and select Edit Properties. On this page, you can:
    • See or change properties
    • See the bypass destination's membership in Overlays
    • See the remote devices or locations it trusts