SRX Transparent Mode

SRX can also act as a firewall while running in Layer 2 mode, i.e. it can perform
its firewall functions transparently, without being an IP hop between the hosts it inspects.

At the time of writing there are some limitations in transparent mode (unless they have since been lifted):

  • You can run the firewall either in route mode or in transparent mode, but not in a mix of the two
  • NAT and IPsec are not supported in this mode

Below I will show how to convert an SRX firewall to transparent mode and configure it.
In our topology we have two Linux servers in the same VLAN (282), and we will inspect
the traffic between them without the Linux hosts being aware of the SRX.


First of all, converting to transparent mode means setting the interface family
to bridge. There is no single switch or knob that converts the box to transparent mode.

You can start by deleting the whole interfaces configuration to begin from scratch, then
configure the two GE interfaces with family bridge, interface-mode access and the VLAN ID.
You also see an IRB interface. Think of it as a virtual Layer 3 interface on this VLAN,
much like vlan.282 would be in L3 mode.

Then configure a bridge domain. But what is a bridge domain? Assume this is not
an SRX but an EX switch. By assigning ge-0/0/1 and ge-0/0/2 to VLAN 282 we create a
broadcast segment; with the following config we name this new domain BD282 and attach
the irb.1 interface to it so the box can be managed, i.e. from any device on this VLAN
you can connect to the SRX through the IRB interface, as long as the security zone of
the ingress interface has the necessary system-services allowed under host-inbound-traffic.

If you commit after this configuration, you will be told that a reboot is required. This
reboot is mandatory: the forwarding mode only changes when the box comes up again.

Now configure security zones and a simple security policy for testing.
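The whole procedure described above (bridge-family access ports, IRB, bridge domain, zones and a test policy), as one added example; this is not the configuration from the original post. The zone names L2-TRUST and L2-UNTRUST, the policy name allow-ssh and the irb.1 address 192.0.2.1/24 are assumptions chosen for illustration; ge-0/0/1, ge-0/0/2, VLAN 282, BD282 and irb.1 are the names the post uses. Each host-facing port sits in its own zone so that the hostP-to-hostN traffic crosses a zone boundary and is matched by an explicit policy.

```junos
/* Added example, not the original post's configuration. */
/* Assumed names: zones L2-TRUST/L2-UNTRUST, policy allow-ssh, irb.1 address 192.0.2.1/24. */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family bridge {
                /* untagged access port facing hostP, member of VLAN 282 */
                interface-mode access;
                vlan-id 282;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family bridge {
                /* untagged access port facing hostN, member of VLAN 282 */
                interface-mode access;
                vlan-id 282;
            }
        }
    }
    irb {
        unit 1 {
            family inet {
                /* management address of the SRX inside VLAN 282 (assumed) */
                address 192.0.2.1/24;
            }
        }
    }
}
bridge-domains {
    BD282 {
        domain-type bridge;
        vlan-id 282;
        /* ties the L3 IRB interface to this broadcast domain */
        routing-interface irb.1;
    }
}
security {
    zones {
        security-zone L2-TRUST {
            interfaces {
                ge-0/0/1.0 {
                    /* management of the SRX via irb.1 is governed by the ingress L2 zone, */
                    /* so ssh/ping to irb.1 only work from hosts behind ge-0/0/1 */
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone L2-UNTRUST {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
    policies {
        from-zone L2-TRUST to-zone L2-UNTRUST {
            /* only SSH and ping from hostP's side to hostN's side; everything else is dropped */
            policy allow-ssh {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ssh junos-ping ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Load it in configure mode with `delete interfaces` followed by `load merge terminal`, then `commit` and reboot when the commit output asks for it. After the reboot, `show security flow status` should report Layer 2 forwarding mode, `show bridge mac-table` lists the MAC addresses learned on ge-0/0/1.0 and ge-0/0/2.0, and `show security flow session` shows the SSH session between the two hosts once the test traffic flows. Note that the policy above is one-directional by design: an SSH attempt from hostN's side to hostP's side has no matching from-zone L2-UNTRUST to-zone L2-TRUST policy and hits the default deny.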

Now we should be able to connect from hostP( to hostN( Let's do an SSH test
and check the session table and MAC table on the SRX.

Yes, the SRX has learned the MAC addresses and a flow session is installed from to

You can also configure the interfaces in trunk mode. For more information it is better to
check the SRX Layer 2 bridging and switching documentation.

3 thoughts on “SRX Transparent Mode”

  1. rtoodtoo Post author

    The thing is, a set-based command listing has too many repetitions in the output; that is why I prefer config outputs. If you want to convert them to set commands, use “load merge terminal relative” and paste the config to get the set commands.

  2. uname0a

    Hello! Good blog!
    I have 1 question

    1. I have:
    SRX 210H2-POE, all ports in transparent mode
    Uplink 100 Mb with irb (white IP)
    500 clients with real IPs
    Traffic 30 Mb/sec
    But I have ping >300 ms to clients and to irb.
    Why?

