Passthrough Mode on the MX Security Appliance and Z-series Teleworker Gateway
The MX Series Security Appliance and Z-series Teleworker Gateway can be deployed in Passthrough or VPN Concentrator mode. In this mode, it will not perform address translation and acts as a layer 2 bridge between the Internet and LAN ports.
When in passthrough mode, the MX is best used for in-line:
- Layer 3/7 firewall rules, traffic shaping, and analysis
- Network asset discovery and reporting
- Intrusion detection
- Security and content filtering
- Client and site-to-site VPN
Configuration Differences
There are a number of differences in configuration between Routed and passthrough modes on the MX:
- Secondary uplinks cannot be used for Internet connectivity. Thus Security & SD-WAN > Configure > SD-WAN & traffic shaping > Uplink configuration only has the option for limiting bandwidth on WAN 1.
- Site-to-site VPN can only operate in split-tunnel mode when configured as a hub. Traffic bound to VPN subnets must be directed to the MX.
- DHCP is no longer available. DHCP requests will simply pass through the MX.
- Cellular uplink is no longer available.
- VLANs cannot be configured. The MX/Z1 will act as a bridge between the Internet and LAN ports.
Considerations for VPN and Other Features
When using an MX as a site-to-site VPN peer, it will only be able to send client traffic over the VPN tunnel if that traffic has been directed to it. As such, a router or L3 switch on the network will need to have static routes configured, such that VPN-bound traffic is sent to the MX. This traffic will then be encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the Internet or other destinations will simply pass through the appliance.
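One way to check the static-route requirement above is to run the upstream router's route list through a longest-prefix-match test for each VPN subnet. This is an added example, not Meraki code; the "prefix next-hop" export format, the MX address and every subnet in it are constructed assumptions.

```python
import ipaddress

# Constructed sample data: static routes exported from the upstream router
# as "prefix next-hop" lines. All addresses are assumptions for illustration.
MX_IP = "192.168.1.2"
ROUTES = """
0.0.0.0/0      192.168.1.1    # default gateway
10.20.0.0/16   192.168.1.2    # remote VPN subnet via the MX
10.20.5.0/24   192.168.1.254  # more specific route to another hop
10.30.0.0/16   192.168.1.2    # remote VPN subnet via the MX
"""
VPN_SUBNETS = ["10.20.0.0/16", "10.30.0.0/16", "10.40.0.0/16"]

def parse_routes(text):
    """Turn 'prefix next-hop' lines into (network, address) tuples."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            prefix, hop = line.split()
            routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(hop)))
    return routes

def check_vpn_routing(vpn_subnets, routes, mx_ip):
    """Classify each VPN subnet as ok / bypass / partial / no-route."""
    mx = ipaddress.ip_address(mx_ip)
    result = {}
    for text in vpn_subnets:
        net = ipaddress.ip_network(text)
        same = [(p, h) for p, h in routes if p.version == net.version]
        covering = [(p, h) for p, h in same if net.subnet_of(p)]
        # Routes inside the VPN subnet that send part of it elsewhere.
        diverted = [str(p) for p, h in same
                    if p.subnet_of(net) and p.prefixlen > net.prefixlen and h != mx]
        if not covering:
            result[text] = ("no-route", [])
        else:
            # Longest-prefix match decides where the subnet as a whole goes.
            _, hop = max(covering, key=lambda r: r[0].prefixlen)
            if hop != mx:
                result[text] = ("bypass", [str(hop)])
            elif diverted:
                result[text] = ("partial", diverted)
            else:
                result[text] = ("ok", [])
    return result

if __name__ == "__main__":
    for subnet, (status, detail) in check_vpn_routing(VPN_SUBNETS, parse_routes(ROUTES), MX_IP).items():
        print(f"{subnet:16} {status:9} {', '.join(detail)}")
```

A "bypass" or "partial" result means traffic for that subnet reaches a next hop other than the MX, so it would not be sent through the site-to-site tunnel.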
An MX in passthrough mode can be configured to perform a number of functions, as it can in Routed mode. However, the appliance acts as an invisible third party, only touching traffic when required by a configured function. It can passively perform intrusion detection and collect statistics about traffic passing through it without taking action. It can also perform traffic shaping and content/security filtering functions to intercept and manipulate traffic as needed.
When using the MX as a one-armed VPN concentrator for VPN endpoints, be sure not to connect anything to the MX's LAN ports. If the MX is simply being used as a passthrough device, using its LAN ports will not impact its performance.
Additional Resources
For details on how to configure IDS, traffic shaping, content filtering, security filtering, warm spare, and other MX functions, please visit the MX Series Configuration Guide.