- Core Characteristics of Transparent Mode
- Benefits of Transparent Firewall Mode
- Limitations of Transparent Firewall Mode
- Additional System Behavior Notes
- Step 1: Enable Transparent Mode
- Step 2: Configure Switched Mode Interfaces
- Step 3: Configure ARP Inspection (Optional but Recommended)
- Step 4: Add Static ARP Entries (If Required)
- Step 5: Disable MAC Learning (Optional)
- Step 6: Fragment Settings
- Conclusion
Transparent firewall mode lets a Cisco Secure Firewall Threat Defense device act as a Layer 2 bridge, often called a "bump in the wire", while still performing stateful inspection. Unlike a routed firewall, a transparent firewall carries no IP addresses on its data interfaces and does no routing: it bridges two or more interfaces at Layer 2, so it is effectively invisible to the surrounding network and can be inserted inline without readdressing adjacent devices or changing the routing design. This guide walks through converting a Secure Firewall to transparent mode, building a bridge group, and enabling ARP inspection from Firepower Management Center (FMC).
Core Characteristics of Transparent Mode
At its core, transparent mode bridges interfaces together, so hosts on either side communicate as if they were on the same IP subnet even when they sit in different Layer 2 domains. For example, a VLAN on each side of the Secure Firewall can be bridged while the hosts keep their existing addressing.
The BVI (Bridge Virtual Interface) IP address is not used to forward transit traffic, but it is still required: the firewall sources the ARP requests and ICMP probes it sends to relearn a destination MAC address from this address, and uses it to keep its MAC address table consistent as entries age out. It is not a management address.
Benefits of Transparent Firewall Mode
Transparent firewalls are often chosen for their ability to seamlessly integrate into existing environments. Key benefits include:
- No changes to gateway configurations
- Ability to pass non-IP traffic such as BPDUs (allowed by default) and MPLS (permitted with EtherType rules), as well as multicast
- Multicast and broadcast traffic can be permitted with ordinary access rules
- Not treated as a routed hop
- Layer 2 protection through the firewall's own ARP inspection, which checks ARP packets against static ARP entries (this is distinct from switch-side Dynamic ARP Inspection)
Limitations of Transparent Firewall Mode
However, transparent firewall mode (TFW) does come with trade-offs:
- No support for remote access VPN
- Site-to-site VPN is restricted to management purposes
- L2 environments can be harder to troubleshoot
Additional System Behavior Notes
The BVI IP address does more than cover corner cases. When the Secure Firewall has no MAC address table entry for a destination, it sources an ARP request from the BVI IP if the host is on the directly connected subnet, or an ICMP echo request if the host is reached through a router, and learns the MAC address from whatever answers.
This is why aged-out MAC entries can cause surprising drops: if a destination's entry has expired and nothing answers the ARP or ICMP sent from the BVI address, the firewall has no egress interface for the packet and discards it. When troubleshooting, show mac-address-table and show arp on the FTD CLI show which entries are present and whether they are learned or static.
Transparent firewall mode is an elegant way to insert security controls into a Layer 2 topology without altering the existing IP scheme. While it has limitations, especially around VPN and management, it excels where routing changes are infeasible. Correct access rules and awareness of the MAC address table are essential for a stable deployment.
Step 1: Enable Transparent Mode
Before a Secure Firewall can operate in transparent mode it must be deregistered from Firepower Management Center (FMC), converted at the CLI, and registered again. Changing the firewall mode clears the device configuration, so plan for an outage and keep a copy of anything you will need afterwards.
- Delete the device from FMC (Devices > Device Management), then connect to the CLI of the Secure Firewall device.
- Ensure there is no manager configured with the following command:
configure manager delete
- Issue the following command to convert to transparent mode, and confirm the prompt; the device reboots:
configure firewall transparent
- After the reboot, verify the mode with show firewall, which should report Firewall mode: Transparent.
- Configure the manager from the device command line with the following command, using the same registration key you will enter in FMC:
configure manager add manager-ip-address reg-key
- Re-register the device with FMC by navigating to Devices > Device Management and clicking Add > Device.
- Enter the device IP, display name, registration key, group (if any), access control policy to apply, performance tier (if applicable), and licenses to assign. Click Register once finished.
Step 2: Configure Switched Mode Interfaces
Once transparent mode is enabled:
- In FMC, navigate to Devices > Device Management.
- Edit the target device and open the Interfaces tab.
- For each interface that will join the bridge group:
- Give the interface a name (for example NET1 and NET2).
- Set the Mode to None.
- Choose a Security Zone.
- Enable the interface. Do not assign it an IP address; in transparent mode only the bridge group carries one.
- Click Save.
- After enabling the interfaces:
- Click Add Interfaces.
- Choose Bridge Group Interface.
- Assign a Bridge Group ID (e.g., 1).
- Add the member interfaces to the bridge group.
- Assign a Bridge Group IP address.
- Note: The IP address must be in the same subnet as the adjacent devices, and the subnet must have room for at least three hosts (the upstream router, the downstream router and the BVI), so /30, /31 and /32 subnets are not allowed. Example: 192.168.75.13/24
- Click Save and Deploy.
Step 3: Configure ARP Inspection (Optional but Recommended)
To inspect ARP packets in transparent mode:
- Navigate to Devices > Platform Settings.
- Create or edit a Threat Defense policy.
- Under the ARP Inspection section:
- Click Add.
- Check Inspect Enabled.
- Decide on Flood Enabled: when checked (the default), ARP packets that match no static ARP entry are forwarded out the other bridge-group members; when unchecked they are dropped, which makes the static ARP table the only source of truth on that interface.
- Select the zones/interfaces you want to inspect (e.g., NET1, NET2).
- Click OK, then Save and Deploy.
ARP inspection compares the sender IP address, sender MAC address and ingress interface of each ARP packet only against static ARP entries. It therefore provides no protection until the entries in Step 4 exist: with Flood Enabled and no static entries, every ARP packet simply passes.
Step 4: Add Static ARP Entries (If Required)
To manually define the IP-to-MAC mappings that ARP inspection checks against:
- Go to Devices > Device Management > Interfaces.
- Edit the member interface through which the host is reached.
- Under the Advanced > ARP and MAC tab:
- Click Add ARP Config.
- Enter:
- IP Address: e.g., 192.168.75.39
- MAC Address: e.g., c84c.758d.498c
- Click OK, then Save and Deploy.
Once inspection is enabled on that interface, an ARP packet claiming 192.168.75.39 with a different MAC address, or carrying this binding but arriving on another interface, is dropped.
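The decision rule that Steps 3 and 4 configure, as an added example written for this page rather than code from Cisco or from the original article. It models the documented behaviour: an ARP packet whose sender IP, sender MAC and ingress interface match a static entry is forwarded, a packet that conflicts with a static entry is dropped, and a packet covered by no entry is flooded when Flood Enabled is set or dropped when it is not. The "mismatch" branch treats a pinned IP seen with another MAC or interface, and a pinned MAC seen with another IP, as spoofing; that reading of the platform's "mismatch between the MAC address, the IP address, or the interface" rule is an assumption of this model. Interface names NET1 and NET2 and the 192.168.75.39 entry come from the page; the NET2 gateway entry and all packets are constructed sample data.

```python
"""Model of Secure Firewall ARP inspection against static ARP entries.

Added example, not Cisco code. Static entries and ARP packets below are
constructed sample data for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def norm_mac(mac: str) -> str:
    """Normalise 'c8:4c:75:8d:49:8c' or 'C84C-758D-498C' to Cisco 'c84c.758d.498c'."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class ArpPacket:
    ingress: str       # interface the ARP packet arrived on
    sender_ip: str     # ARP sender protocol address
    sender_mac: str    # ARP sender hardware address


# Static ARP entries (Step 4), keyed by (interface, IP) -> MAC.
STATIC_ARP: Dict[Tuple[str, str], str] = {
    ("NET1", "192.168.75.39"): norm_mac("c84c.758d.498c"),  # host from the page
    ("NET2", "192.168.75.1"): norm_mac("0011.2233.4455"),   # assumed gateway entry
}

# Interfaces with inspection enabled (Step 3) and their Flood Enabled setting.
INSPECTION: Dict[str, bool] = {"NET1": True, "NET2": False}


def inspect(pkt: ArpPacket,
            static: Dict[Tuple[str, str], str] = STATIC_ARP,
            inspection: Dict[str, bool] = INSPECTION) -> str:
    """Return 'forward', 'flood' or 'drop' for one ARP packet."""
    if pkt.ingress not in inspection:
        return "forward"          # inspection not enabled on this interface
    mac = norm_mac(pkt.sender_mac)
    if static.get((pkt.ingress, pkt.sender_ip)) == mac:
        return "forward"          # exact match on interface, IP and MAC
    # The IP or the MAC is pinned by a static entry but appears on another
    # interface or paired with a different address: treat as spoofing.
    pinned_ips = {ip for (_, ip) in static}
    pinned_macs = set(static.values())
    if pkt.sender_ip in pinned_ips or mac in pinned_macs:
        return "drop"
    # No static entry covers this packet: Flood Enabled forwards it out the
    # other bridge-group members, otherwise it is dropped.
    return "flood" if inspection[pkt.ingress] else "drop"


def run_sample() -> List[Tuple[str, str]]:
    """Run a constructed set of ARP packets and return (label, verdict) pairs."""
    cases = [
        ("legitimate host on NET1", ArpPacket("NET1", "192.168.75.39", "c84c.758d.498c")),
        ("host IP claimed by another MAC", ArpPacket("NET1", "192.168.75.39", "de:ad:be:ef:00:01")),
        ("host binding seen on the wrong interface", ArpPacket("NET2", "192.168.75.39", "c84c.758d.498c")),
        ("gateway MAC claiming a new IP", ArpPacket("NET2", "192.168.75.77", "0011.2233.4455")),
        ("unknown host, flood enabled (NET1)", ArpPacket("NET1", "192.168.75.200", "aaaa.bbbb.cccc")),
        ("unknown host, flood disabled (NET2)", ArpPacket("NET2", "192.168.75.200", "aaaa.bbbb.cccc")),
        ("interface without inspection", ArpPacket("NET3", "192.168.75.39", "aaaa.bbbb.cccc")),
    ]
    return [(label, inspect(pkt)) for label, pkt in cases]


if __name__ == "__main__":
    for label, verdict in run_sample():
        print(f"{verdict:8} {label}")
```

The two "unknown host" cases are the ones to think about before deployment: with Flood Enabled, a host that has no static entry still works, which is convenient but means inspection only protects addresses you have pinned; with flooding off, every host on that interface needs a static entry or its ARP traffic is silently dropped.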
Step 5: Disable MAC Learning (Optional)
If you wish to disable MAC learning on an interface, so that the firewall forwards only to MAC addresses you have pinned:
- Navigate to the same ARP and MAC tab.
- Uncheck the box labeled Enable MAC Learning.
- Click the Add MAC Config link to add a static MAC address for each host that must remain reachable through this interface. With learning off, the MAC address table for the interface is populated only from these entries, so anything you omit becomes unreachable.
- Click Save and Deploy.
Step 6: Fragment Settings
If you wish to reassemble fragmented IP packets before inspecting them, so that inspection runs on the complete packet rather than on individual fragments, enable full fragment reassembly on the interface.
- Go to Devices > Device Management > Interfaces.
- Edit the target interface.
- Navigate to the Advanced > Security Configuration tab of the interface.
- Check the box for Allow Full Fragment Reassembly.
- Click Save and Deploy.
If you would like to change the number of fragments allowed per packet and the number of fragments that may wait for reassembly, override the default fragment settings.
- Go to Devices > Device Management > Interfaces.
- Edit the target interface.
- Navigate to the Advanced > Security Configuration tab of the interface.
- Check the box for Override Default Fragment Setting.
- Adjust Size (the per-interface limit on fragments held awaiting reassembly, default 200), Chain (the maximum number of fragments per packet, default 24) and Timeout (seconds to wait for the remaining fragments of a packet, default 5). Raise them only to match traffic you actually expect, since the database also bounds the memory held for incomplete packets.
- Click Save and Deploy.
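The configuration that Steps 1 to 6 produce on the device, written out here as an added illustration in the ASA/FTD configuration grammar rather than copied from the page or from FMC. It is the form show running-config on the FTD CLI renders after deployment. Interface names GigabitEthernet0/0 and 0/1, the no-flood choice, the static MAC on NET1 and the fragment values (which are the platform defaults) are assumptions; fragment reassembly full is assumed to be the CLI form of Allow Full Fragment Reassembly.

```text
! Step 1: firewall mode, set from the FTD CLI before registration
firewall transparent
!
! Step 2: member interfaces carry no IP address; only the bridge group does
interface GigabitEthernet0/0
 nameif NET1
 bridge-group 1
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif NET2
 bridge-group 1
 security-level 0
 no shutdown
interface BVI1
 ip address 192.168.75.13 255.255.255.0
!
! Step 3: ARP inspection per interface; 'flood' (default) passes ARP packets
! that match no static entry, 'no-flood' drops them
arp-inspection NET1 enable no-flood
arp-inspection NET2 enable no-flood
!
! Step 4: static ARP entry (interface, IP, MAC) that inspection checks against
arp NET1 192.168.75.39 c84c.758d.498c
!
! Step 5: stop learning on NET1 and pin the host's MAC statically
mac-learn NET1 disable
mac-address-table static NET1 c84c.758d.498c
!
! Step 6: fragment handling on NET1 (values shown are the defaults)
fragment reassembly full NET1
fragment size 200 NET1
fragment chain 24 NET1
fragment timeout 5 NET1
```

After deploying, check each step from the FTD CLI: show firewall (mode), show bridge-group (members and BVI address), show arp-inspection (per-interface state and flood setting), show arp (static entries), show mac-address-table (learned versus static entries) and show fragment (current limits and counters). A line missing from show running-config usually means the deployment did not include that interface or policy, not that the CLI hid it.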
Conclusion
Transparent mode is a powerful deployment option that keeps your Secure Firewall inline without the overhead of routing changes. Combine it with ARP inspection and static ARP entries for enhanced Layer 2 control and protection against spoofing attacks.