27/2/2020 AppWall Bridge Mode – basic setup guide

AppWall Bridge Mode – basic setup

guide
AppWall

Best Practice
Last Updated 10/14/2018

Created Date 02/26/2015

Article Id BP3302

Con guration
AppWall Bridge Mode

AppWall Bridge Mode functions as a Layer 3 transparent network device:

• All non-HTTP traffic is transparently forwarded to its destination.

• All HTTP traffic that is not defined to be secured (no tunnel defined for that Web server in AppWall) is transparently
forwarded to its destination.
https://support.radware.com/app/answers/answer_view/a_id/16241/~/appwall-bridge-mode-–-basic-setup-guide 1/5
27/2/2020 AppWall Bridge Mode – basic setup guide

Similar to the transparent proxy mode, in the secured HTTP/S traffic the source IP address of the TCP connections
from AppWall to the back-end server is the original client address.

When AppWall is deployed in Bridge Mode as a transparent network device with no listening IP addresses or ports,
a failover device (available on ODS-VL) can be applied to bypass the traffic in case of internal failure or power down
as described in BP3912.

When AppWall is deployed in Bridge Mode, it must be deployed between the default gateway, which is configured in
the protected Web server, and the protected server. This enables all traffic from the Web server to be sent back to
AppWall and processes all the traffic from the secured application, even though some of the traffic was sent from
spoofed external IP addresses and not from AppWall's IP.

Since bridge deployment is usually for a standalone environment, it is not a scalable solution and it is not
recommended for high SSL traffic.

Radware recommends T-Proxy implementation if transparency of a client IP address is needed.

AppWall Bridge Mode Configuration

1. Configure the management IP and management route to access the device.

Note: The management IP should be from a different network segment than the WAF and the
internal clients that access the applications behind the Appwall in a Bridge Mode should not be part
of the management network.

2. In the Web Based Management interface, select System Configuration > Settings > Configure Bridge IP and
configure the Service Default Route.

3. Change the Deployment Mode to Bridge.

Notes:

- The bridge IP should be in the same network segment as the WAF.

- VLAN tag is currenlty not supported

https://support.radware.com/app/answers/answer_view/a_id/16241/~/appwall-bridge-mode-–-basic-setup-guide 2/5
27/2/2020 AppWall Bridge Mode – basic setup guide

4. Set the Service Default Route and the Service Route Setting (routing rule) BEFORE configuring any tunnels.

5. Click Show Routing Table to verify the routing table.

6. Transparent Bridge Mode deployment does not require configuring listening or forwarding IP addresses like the
Proxy Mode. The Tunnel’s settings are the IP and the port of the target Web server or the target Web server VIP.

https://support.radware.com/app/answers/answer_view/a_id/16241/~/appwall-bridge-mode-–-basic-setup-guide 3/5
27/2/2020 AppWall Bridge Mode – basic setup guide

7. When creating a protected entity, click Check to Validate to verify that the AppWall reaches the Web server.

8. Set the bypass settings (relevant for ODS-VL) as described in BP3914.

https://support.radware.com/app/answers/answer_view/a_id/16241/~/appwall-bridge-mode-–-basic-setup-guide 4/5
27/2/2020 AppWall Bridge Mode – basic setup guide

9. Make sure that AppWall inspects the traffic and counts the active connections or transactions rate, as shown in
the figure below. You can also check it per-tunnel under the Tunnels tab.

https://support.radware.com/app/answers/answer_view/a_id/16241/~/appwall-bridge-mode-–-basic-setup-guide 5/5