Local bypass

With local bypass you can separate traffic (split tunnel) going through your Airwall Gateway, where you selectively encrypt and tunnel some traffic, while allowing other traffic to pass through the Airwall Gateway unchanged. This ability also allows protected devices to securely communicate with devices or network locations that are not protected by Airwall Edge Services.

For example, some devices need to communicate with software update servers on the Internet. You can configure the software update servers as a bypass destination and establish trust between the bypass destination and the protected devices. This gives the devices the ability to communicate with the bypass destination, while requiring all other access to pass through encrypted tunnels from other Airwall Gateways.

This configuration of local bypass permits traffic between the secure overlay network and an insecure underlay network, where the Airwall Gateway acts similarly to a SNAT (Source Network Address Translation) gateway. Connections initiated from the underlay network are still blocked, but connections initiated from a protected device to a permitted bypass destination are allowed.

You set up a bypass destination to:

  • permit traffic to exit your secure overlay to destinations not protected by an Airwall Edge Service.
  • protect all your traffic with Airwall Edge Services as an intermediate step during migration.
  • allow local devices to continue to access a protected device.

Prerequisites

  • Any other network traffic that you want to send to remote Airwall Gateways must support being routed between subnets, and cannot include broadcast or multicast protocols.
  • Devices protected by the Airwall Gateway must either use DHCP, or must be reconfigured to use the new subnet.
  • You can set many types of network destinations as bypass destinations. For example:
    • Active Directory Servers
    • Software Update Servers
    • Equipment control systems, such as for HVAC installations
    • The Internet, to bypass to everything on the Internet

Before you begin

Before you begin, you need to:

  • Have the IP address or hostname of the device or destination for which you want to create a local bypass.
  • If you need or want to use a fully qualified domain name (FQDN) instead of IP for your bypass destination, you need to enable bypass DNS. See Enable DNS lookup for bypass destinations.

Enabling bypass on the Airwall Gateway

Set up a bypass port on the Airwall Gateway that protects devices that need access to the bypass destination.

  1. On the Airwalls page, in the Ports tab, go to the Underlay Port Group, and select Edit Settings.
  2. Check Enable bypass.
  3. If you are setting up an L3 or combined L2 and L3 bypass (recommended), also check Enable source NAT and Routed traffic only.

Creating a bypass destination

Note: The bypass destination can be shared between all Airwall Gateways on the Conductor that support bypass and have bypass enabled. If you have already set up a bypass destination, you can skip this step.
  1. In the Conductor, go to the Devices page.
  2. On the Devices tab, click New bypass destination.
  3. Enter the bypass destination:
    • Under IP address, enter the IP for the destination of the local bypass device. For example, to create a bypass destination for the Internet, enter 0.0.0.0/0.
    • Or, if you have enabled DNS for bypass destinations, under Hostname, enter a fully-qualified domain name (FQDN) instead of an IP address. For example, google.com. For more information, see Enable DNS lookup for bypass destinations.
  4. Ignore the MAC options.
  5. Optional: Add a description and tags to help identify the bypass destination.
  6. Click Create.
  7. Set trust between the bypass destination and protected devices, see Create an overlay network and Add and remove device trust.
    Note: If you intend to add trust to a DNS bypass location, you must first add trust to a DNS server bypass destination.
  8. To view and edit bypasses, click Devices > Show all devices > Bypass destinations.