User guide

Selecting a Firewall Configuration Mode
Choosing a Firebox configuration
The decision between routed and drop-in mode is based on your current
network. Many networks are best served by routed mode. However,
drop-in mode is recommended if you have a large number of public IP
addresses, you have a static external IP address, or you are not willing or
able to reconfigure machines on your LAN. The following table
summarizes the criteria for choosing a Firebox configuration. (For
illustrative purposes, it is assumed that the drop-in IP address is a public
address.)
                    Routed configuration                                  Drop-in configuration

Criterion 1         All interfaces of the Firebox are on different        All interfaces of the Firebox are on the same
                    networks. At a minimum, the External and Trusted      network and share the same IP address. The
                    interfaces are configured.                            Firebox answers ARP on behalf of the hosts
                                                                          behind it (Proxy ARP).

Criterion 2         The Trusted and Optional interfaces must be on        Machines on the Trusted or Optional interfaces
                    separate networks and must use IP addresses drawn     can be configured with a public IP address.
                    from those networks; each interface is configured
                    with an address on the network it connects to.

Criterion 3         Use static NAT to map any public addresses to         Because the publicly accessible machines
                    private addresses behind the Trusted or Optional      already have public IP addresses, no static
                    interfaces.                                           NAT is necessary.

Adding secondary networks to your configuration
Whether you have chosen routed or drop-in mode, your configuration may
require that you add secondary networks to any of the three Firebox
interfaces. A secondary network is a separate network connected to a
Firebox interface through a switch or hub.
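The criteria in the table above can be turned into a pre-deployment sanity check. The following Python script is an added example and is not WatchGuard code or part of the Firebox product; the configuration layout (interface name to address/prefix, a static NAT map, and a list of addresses that must be reachable from the Internet) and the sample addresses are constructed for illustration. In routed mode it checks that the interfaces sit on non-overlapping networks and that every published public address has a static NAT entry pointing behind Trusted or Optional; in drop-in mode it checks that all interfaces carry the one shared address and that published hosts sit in that same network, since Proxy ARP only works for addresses the Firebox can answer for.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FireboxConfig:
    """Hypothetical configuration record (not the Firebox's own format)."""
    mode: str                          # "routed" or "drop-in"
    interfaces: Dict[str, str]         # interface name -> "address/prefix"
    static_nat: Dict[str, str] = field(default_factory=dict)  # public -> private (routed only)
    published: List[str] = field(default_factory=list)        # public addresses that must be reachable


def check_config(cfg: FireboxConfig) -> List[str]:
    """Return a list of criteria violations; an empty list means the layout is consistent."""
    problems: List[str] = []
    ifaces = {name: ipaddress.ip_interface(v) for name, v in cfg.interfaces.items()}

    # Criterion 1 (both modes): External and Trusted must at least exist.
    if "External" not in ifaces or "Trusted" not in ifaces:
        problems.append("External and Trusted interfaces must both be configured")
        return problems

    if cfg.mode == "routed":
        # Criterion 1/2: every interface on its own network, none overlapping another.
        nets = {name: i.network for name, i in ifaces.items()}
        names = list(nets)
        for a in range(len(names)):
            for b in range(a + 1, len(names)):
                if nets[names[a]].overlaps(nets[names[b]]):
                    problems.append(
                        f"{names[a]} ({nets[names[a]]}) and {names[b]} "
                        f"({nets[names[b]]}) are not on separate networks")
        # Criterion 3: public addresses reach hosts only through static NAT
        # to a private address behind Trusted or Optional.
        inside = [nets[n] for n in ("Trusted", "Optional") if n in nets]
        for pub in cfg.published:
            priv = cfg.static_nat.get(pub)
            if priv is None:
                problems.append(f"no static NAT entry for published address {pub}")
            elif not any(ipaddress.ip_address(priv) in n for n in inside):
                problems.append(
                    f"static NAT target {priv} for {pub} is not behind Trusted or Optional")

    elif cfg.mode == "drop-in":
        # Criterion 1: one shared address on every interface (Proxy ARP).
        addrs = {str(i) for i in ifaces.values()}
        if len(addrs) != 1:
            problems.append(
                f"drop-in requires the same address on all interfaces, got {sorted(addrs)}")
        # Criterion 2: published hosts keep public addresses in the shared network.
        shared = next(iter(ifaces.values())).network
        for pub in cfg.published:
            if ipaddress.ip_address(pub) not in shared:
                problems.append(f"{pub} is outside the drop-in network {shared}")
        # Criterion 3: static NAT is unnecessary; flag it so nobody relies on it.
        if cfg.static_nat:
            problems.append("static NAT is not needed in drop-in mode")
    else:
        problems.append(f"unknown mode {cfg.mode!r}")
    return problems


# Constructed sample configurations using RFC 5737 documentation ranges.
ROUTED_OK = FireboxConfig(
    "routed",
    {"External": "203.0.113.2/29", "Trusted": "10.0.1.1/24", "Optional": "10.0.2.1/24"},
    static_nat={"203.0.113.3": "10.0.2.20"},
    published=["203.0.113.3"],
)
ROUTED_BAD = FireboxConfig(
    "routed",
    {"External": "203.0.113.2/29", "Trusted": "10.0.1.1/24", "Optional": "10.0.1.2/24"},
    static_nat={"203.0.113.3": "172.16.0.5"},
    published=["203.0.113.3", "203.0.113.4"],
)
DROPIN_OK = FireboxConfig(
    "drop-in",
    {"External": "203.0.113.2/24", "Trusted": "203.0.113.2/24", "Optional": "203.0.113.2/24"},
    published=["203.0.113.20"],
)
DROPIN_BAD = FireboxConfig(
    "drop-in",
    {"External": "203.0.113.2/24", "Trusted": "203.0.113.2/24", "Optional": "203.0.113.9/24"},
    published=["198.51.100.7"],
)

if __name__ == "__main__":
    for label, cfg in [("routed ok", ROUTED_OK), ("routed bad", ROUTED_BAD),
                       ("drop-in ok", DROPIN_OK), ("drop-in bad", DROPIN_BAD)]:
        print(label, "->", check_config(cfg) or "no problems")
```

Run it before pushing a new layout: the routed sample with overlapping Trusted/Optional networks, a NAT target on neither of them, and an unmapped public address yields three findings, while the two "ok" samples pass cleanly.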