Anyone using UTM in Bridged mode?

Question

There are four possible configurations for UTM: 
 
 UTM is the perimeter firewall, supporting all features 
 UTM is immediately behind the perimeter firewall on a bridged connection, supporting all features 
 UTM is immediately behind the perimeter firewall on a routed connection, supporting all features 
 UTM is out-of-band (anywhere else on the intranet), supporting only Standard Proxy and Internal features 
 
 Bridged and Routed connections should be functionally identical. However, inserting UTM into the network using a bridged connection should require no changes to the firewall or the internal router, while inserting UTM into an existing network using a routed connection will require addressing and routing changes on one of the adjacent devices. So option 3 can be ignored. 
 I don't want to use UTM as my firewall, and option 4 doe snot support all features, so bridged mode has the most appeal. On a UTM bridge, the system administrator must specify all of the ethertypes that are supposed to be passed, and I don't know how to determine which ones will be needed. I did find an RFC with all of them listed, but it is a long list and UTM requites them to be entered one at a time. 
 My one brief attempt to use a bridged configuration failed miserably, mostly because I could not figure out how to debug problems, and I did not have the luxury of waiting while a support case percolated through Sophos. The test was at least a year ago, so I don't remember many details, other than that Internet traffic was not flowing properly. My unused bridge configuration is still preserved in UTM: 
 
 Ethertypes passed: 8887, 0806, 814c, 8035, 876b 
 Allow arp broadcasts: Yes 
 Allow IPV6: No (not required) 
 Spanning tree: Off 
 Aging timeout: 30 seconds (default) 
 Virtual MAC addresss: default (lowest of member MAC addresses) 
 
 Has anyone made bridged mode work? What settings did you use? If you tried and failed, do you know why it failed for you?

DouglasFoster · Accepted Answer

Adding notes to provide a consolidated reference on what I have learned: 
 Converting Exception sites from the proxy script: 
 In standard mode, I use a proxy script to bypass certain highly-trusted websites. These have been configured as wildcards, such as "contains .123rescue.com/" (which Sophos Support uses for screen sharing). I want to keep these sites bypassed when I activate Transparent Mode, but the Transparent Mode Skip List does not support domain wildcards. Since the bypassed sites have never been logged, I have no way of knowing what host names might be needed for this to work (and the list would probably be incomplete anyway.) 
 Fortunately, this issue was discussed previously in this link 
 https://community.sophos.com/products/unified-threat-management/f/general-discussion/76428/wild-card-dns-definitions-in-transparent-skip-list 
 The solution is to use a website exception instead of using the skip list. The link suggested using Regex, but I think I have an easier method: 
 
 Create a new Website Override and paste in all of the sites referenced in the proxy script. 
 Assign a tag, such as "Web Proxy Bypass", check the option for "Include Subdomains", then save. 
 Create an exception, with as few or as many features disabled as you desire, and link it to the Tag "Web Proxy Bypass". 
 
 Choose "Full Transparent Mode", not "Transparent Mode" 
 This option is only enabled when bridge mode is active, and the discussion on this link says that it is actually required when bridge mode is active. 
 https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/73266/bridge-web-protection-transparent-block-traffic-http-https 
 When changing from out-of-band to bridge mode, create a UTM firewall rule for ANY-ANY = ALLOW, or something similar as appropriate 
 When UTM is out-of-band, no firewall filtering occurs because only Standard Proxy traffic moves through the UTM. Once UTM is in-line, all unproxied traffic flows through the firewall layer. Since UTM is not zone-based, even outbound traffic needs to be explicitly authorized. Assuming that traffic filtering is performed correctly by the firewall that is in front of UTM, then an ANY-ANY-ALLOW rule should be sufficient. A more restrictive rule will usually be needed for sites with DMZ, Remote Access, or Guest WiFi users connecting through the UTM. 
 (On my first attempt to use Bridge mode, I probably failed because I did not create a Firewall-allow rule and I did not use Full Transparent Mode.)