Layer 2 Bridge Setup With Upstream VMAC


Article ID: 171037


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


Setting up a new configuration in Layer 2 mode (bridged) when using a VMAC upstream for the Gateways MAC address.

When doing the initial configuration with a bridged setup (layer 2 mode) but all the traffic is being bypassed and not getting intercepted.

The sessions are being bypassed by the service listener. View the bypassed sessions under "Statistics -> Sessions -> Active -> Bypassed"



Certain firewall configurations require the use of static forwarding table entries. These firewall failover configurations use virtual IP (VIP) addresses and virtual MAC (VMAC) addresses. When a client sends an ARP request to the firewall VIP, the firewall replies with a VMAC (which can be an Ethernet multicast address); however, when the firewall sends a packet, it uses a physical MAC address, not the VMAC.


Create a static forwarding table:

  1.     Select Configuration > Network > Adapters > Bridges.
  2.     Select the bridge to edit and click Edit. The Edit Bridge Interface dialog displays.
  3.     Add the static forwarding table entry.
    1.     In the Edit Bridge dialog, select the interface on which to create the static forwarding table entry.
    2.     Click Edit.
    3.     In the Edit Bridge Interfaces dialog, click Add.
    4.     In the Add MAC dialog, add the MAC address of the next hop gateway and click OK.
  4.     Click OK to close the Edit Bridge Interface and Edit Bridge dialogs.
  5.     Click Apply.

More information on the Forwarding Table can be found here in the Admin Guide:

Page 1461 - "Adding Static Forwarding Table Entries"

SGOS Administration Guide

Once the static forwarding table entry is applied, check if the traffic is being intercepted now: "Statistics -> Sessions -> Active". The traffic should not be being intercepted.


If it's still not working after adding the Forwarding Table Entry, make sure the following has been check checked from following document:

How to set up the proxy in a physically in-path deployment without an IP address on the bridge?

"Then, ensure that the proxy is configured with the following settings:"
    - Set the bridge interface settings to FAIL_OPEN, so that the proxy can transparently bridge traffic in case of a failure.
    - Enable reflect client IP so that the IP address of the proxy  isn't used as the source IP address.
    - Enable trust destination IP to reduce the number of DNS lookups the proxy performs.
    - If there is no GW for Internet addresses, then pipelining must be disabled.